Collect CrowdStrike Falcon logs

This document provides guidance about how to ingest CrowdStrike Falcon logs into Google Security Operations as follows:

Collect CrowdStrike Falcon logs by setting up a Google Security Operations feed.
Map CrowdStrike Falcon log fields to Google SecOps Unified Data Model (UDM) fields.
Understand supported CrowdStrike Falcon log types and event types.

For more information, see the Data ingestion to Google SecOps overview .

Before you begin

Ensure that you have the following prerequisites:

Administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor
All systems in the deployment architecture are configured in the UTC time zone.
Target device runs on a supported operating system
- Must be a 64-bit server
- Microsoft Windows Server 2008 R2 SP1 is supported for CrowdStrike Falcon Host sensor version 6.51 or later.
- Legacy OS versions must support SHA-2 code signing.
Google SecOps service account file and your customer ID from the Google SecOps support team

Deploy CrowdStrike Falcon with Google SecOps feed integration

A typical deployment consists of CrowdStrike Falcon which sends the logs, and the Google SecOps feed which fetches the logs. Your deployment might differ slightly based on your setup.

The deployment typically includes the following components:

CrowdStrike Falcon Intelligence: The CrowdStrike product you collect logs from.
CrowdStrike feed. The CrowdStrike feed that fetches logs from CrowdStrike and writes them to Google SecOps.
CrowdStrike Intel Bridge: The CrowdStrike product that collects threat indicators from the data source and forwards them to Google SecOps.
Google SecOps: The platform that retains, normalizes and analyzes the CrowdStrike detection logs.
An ingestion label parser that normalizes raw log data into the UDM format. The information in this document applies to CrowdStrike Falcon parsers with the following ingestion labels:
- CS_EDR
- CS_DETECTS
- CS_IOC The CrowdStrike Indicator of Compromise (IoC) parser supports the following indicator types:
  - domain
  - email_address
  - file_name
  - file_path
  - hash_md5
  - hash_sha1
  - hash_sha256
  - ip_address
  - mutex_name
  - url
- CS_ALERTS The CrowdStrike Alerts parser supports the following product types:
  - epp
  - idp
  - overwatch
  - xdr
  - mobile
  - cwpp
  - ngsiem

Configure a Google SecOps feed for CrowdStrike EDR logs

The following procedures are needed to configure the feed.

How to configure CrowdStrike

To set up a Falcon Data Replicator feed, follow these steps:

Sign in to the CrowdStrike Falcon Console.
Go to Support Apps> Falcon Data Replicator.
Click Addto create a new Falcon Data Replicator feed and generate the following values:
- Feed
- S3 identifier,
- SQS URL
Client secret. Keep these values to set up a feed in Google SecOps.

For more information, see How to set up Falcon Data replicator feed .

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds > Add New Feed
Content Hub > Content Packs > Get Started

How to set up the CrowdStrike Falcon feed

Click the CrowdStrikepack.
In the CrowdStrike Falconlog type, specify values for the following fields:
- Source: Amazon SQS
- Region: The S3 region associated with URI.
- Queue Name: Name of the SQS queue from which to read log data.
- S3 URI: The S3 bucket source URI.
- Account Number: The SQS account number.
- Queue Access Key ID: 20-character account access key ID. For example, AKIAOSFOODNN7EXAMPLE .
- Queue Secret Access Key: 40-character secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY .
- Source deletion option: Option to delete files and directories after transferring the data.
Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Asset Namespace: Namespace associated with the feed .
- Ingestion Labels– Labels applied to all events from this feed.
Click Create Feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

Set up an ingestion feed with Amazon S3 bucket

To set up an ingestion feed using an S3 bucket, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed namefield, enter a name for the feed; for example, Crowdstrike Falcon Logs.
In Source type, select Amazon S3.
In Log type, select CrowdStrike Falcon.

Based on the service account and the Amazon S3 bucket configuration that you created, specify values for the following fields:

Field	Description
`region`	S3 region URI.
`S3 uri`	S3 bucket source URI.
`uri is a`	Type of object that the URI points to (for example, file or folder).
`source deletion option`	Option to delete files and directories after transferring the data.
`access key id`	Access key (20-character alphanumeric string). For example, `AKIAOSFOODNN7EXAMPLE` .
`secret access key`	Secret access key (40-character alphanumeric string). For example, `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` .
`oauth client id`	Public OAuth client ID.
`oauth client secret`	OAuth 2.0 client secret.
`oauth secret refresh uri`	OAuth 2.0 client secret refresh URI.
`asset namespace`	Namespace associated with the feed.

Configure a Google SecOps feed for CrowdStrike logs

To forward CrowdStrike detection monitoring logs, follow these steps:

Sign in to CrowdStrike Falcon Console.
Go to Support Apps> API Clients and Keys.
Create a new API client key pair at CrowdStrike Falcon. This key pair must have READ permissions for both Detections and Alerts from CrowdStrike Falcon.

Ingest logs using Cloud Storage for CrowdStrike EDR logs

You can configure CrowdStrike to send EDR logs to a Cloud Storage bucket, and then ingest these logs into Google SecOps using a feed. This process requires coordination with CrowdStrike Support.

Before you begin

Ensure you have an active CrowdStrike Falcon instance.
Ensure you have a Google Cloud project where you can create Cloud Storage buckets and manage IAM permissions.
Ensure you have an active Google SecOps instance.
Ensure you have administrator rights in both your Google Cloud environment and your Google SecOps instance.

Steps

Contact CrowdStrike Support:Open a support ticket with CrowdStrike to enable and configure the feature to push EDR logs to your Cloud Storage bucket. CrowdStrike Support will provide guidance on the specific required configurations.
Create and permission the Cloud Storage bucket:
1. In the Google Cloud console, create a new bucket in Cloud Storage. Note the bucket name (for example, gs://my-crowdstrike-edr-logs/ ).
2. Grant write permissions to the service account or entity provided by CrowdStrike. Follow the instructions from CrowdStrike Support to allow log files to be written into this bucket for this permission.
Configure the Google SecOps feed:
1. In your Google SecOps instance, go to SIEM Settings > Feeds.
2. Click Add New.
3. Enter a descriptive Feed name(for example, CS-EDR-GCS ).
4. For Source type, select Google Cloud Storage V2.
5. For Log type, select CrowdStrike Falcon.
6. In the service account section, click Get Service Account. Copy the unique service account email address displayed.
7. In the Google Cloud console, navigate to your Cloud Storage bucket. Grant the Storage Object Viewer IAM role to the service account email address copied from the Google SecOps feed settings. This permission allows the feed to read the log files.
8. Return to the Google SecOpsFeed configuration page.
9. Enter the Storage Bucket URLusing the name of the bucket you created (for example, gs://my-crowdstrike-edr-logs/ ). This URL must end with a trailing forward slash (/).
10. Select a Source Deletion Option:
  - Never delete files: Recommended.
  - Delete transferred files and empty directories: Use with caution.
11. Optional: Specify an Asset Namespace.
12. Click Next, review the settings, and then click Submit.
Verify log ingestion:After CrowdStrike confirms that logs are being pushed, allow some time for data to be ingested into Google SecOps. Check for incoming logs by searching with the Log Type CROWDSTRIKE_EDR in Google SecOps.

If you encounter issues, review the IAM permissions on the Cloud Storage bucket and the feed configuration in Google SecOps. If issues persist, contact the Google SecOps support team .

To receive CrowdStrike detection monitoring logs, follow these steps

Sign in to your Google SecOps instance.
Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed namefield, enter a name for the feed; for example, Crowdstrike Falcon Logs.
In Source type, select Third Party API.
In Log type, select CrowdStrike Detection Monitoring.

If you encounter issues, contact the Google SecOps support team .

Ingest CrowdStrike IoC logs into Google SecOps

To configure log ingestion from CrowdStrike into Google SecOps for IoC logs, complete the following steps:

Create a new API client key pair at CrowdStrike Falcon Console. This key pair allows Google SecOps Intel Bridge to access and read events and supplementary information from CrowdStrike Falcon. For setup instructions, see CrowdStrike to Google SecOps Intel Bridge .
Provide READ permission to Indicators (Falcon Intelligence) when you create the key pair.
Set up the Google SecOps Intel Bridge by following the steps in CrowdStrike to Google SecOps Intel Bridge .

Run the following Docker commands to send the logs from CrowdStrike to Google SecOps, where sa.json is the Google SecOps service account file:

 docker build . -t ccib:latest
docker run -it --rm \
      -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID"  \
      -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET"  \
      -e FALCON_CLOUD_REGION="$FALCON_CLOUD"  \
      -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID"  \
      -e GOOGLE_APPLICATION_CREDENTIALS=/ccib/sa.json  \
      -v  ~/my/path/to/service/account/filer/sa.json:/ccib/sa.json  \
      ccib:latest

After the container runs successfully, IoC logs will begin streaming into Google SecOps.

Configure a Google SecOps feed for CrowdStrike alerts logs

To set up an ingestion feed for CrowdStrike alerts logs, perform the following steps:

In the CrowdStrike Falcon Console:

Sign in to the CrowdStrike Falcon Console.
On the API Clients and Keys page ( Support and resources> Resources and tools> API Clients and Keys), click Create API client.
Enter details to define your API client:
- Client Name
- Description
- API Scopes: Select the Readand Writeboxes next to Alertsscope to enable access.
Click Createto save the API client and generate the client IDand secret. Note: The Client ID, secret, and Base URLwill be used in further steps.

In the Google SecOps instance:

Sign in to your Google SecOps instance.
From the Google SecOps menu, select Settings, and then click Feeds.
Click Add New Feed.
In Source type, select Third Party API.
In Log type, select CrowdStrike Alerts API.
Click Nextand populate the following fields using the values collected from the CrowdStrike API client:
- OAuth token endpoint
- OAuth client ID
- OAuth client secret
- Base URL
Click Nextand then click Submit.

If you encounter issues, contact the Google SecOps support team .

UDM Mapping Delta for CrowdStrike alerts logs

UDM Mapping Delta reference: CS_ALERTS

The following table lists delta between Default parser of CS ALERTS and premium version of CS ALERTS .

Default UDM Mapping

Log Field

Premium Mapping Delta

about.resource.product_object_id

cid

Removed mapping to avoid duplication, as the cid log field is also mapped to metadata.product_deployment_id .

principal.asset.platform_software.platform

platform

If the device.platform_name log field value is empty and the platform log field value is not empty and if the platform log field value matches the regular expression pattern (?i)Windows then, the principal.asset.platform_software.platform UDM field is set to WINDOWS . Else, if platform log field value matches the regular expression pattern (?i)Linux then, the principal.asset.platform_software.platform UDM field is set to LINUX . Else, if platform log field value matches the regular expression pattern (?i)Mac then, the principal.asset.platform_software.platform UDM field is set to MAC . Else, if platform log field value matches the regular expression pattern (?i)ios then, the principal.asset.platform_software.platform UDM field is set to IOS .

security_result.detection_fields[agent_id]

agent_id

If the device.device_id log field value is empty and the host_id log field value is empty and the mdm_device_id log field value is empty then, CS:%{agent_id} log field is mapped to the principal.asset_id UDM field.
Else, the principal.asset.attribute.labels.key UDM field is set to agent_id and agent_id log field is mapped to the principal.asset.attribute.labels.value UDM field.

security_result.detection_fields[idp_policy_account_event_type]

idp_policy_account_event_type

security_result.rule_labels[idp_policy_account_event_type]

security_result.detection_fields[idp_policy_mfa_factor_type]

idp_policy_mfa_factor_type

security_result.rule_labels[idp_policy_mfa_factor_type]

security_result.detection_fields[idp_policy_mfa_provider_name]

idp_policy_mfa_provider_name

security_result.rule_labels[idp_policy_mfa_provider_name]

security_result.detection_fields[idp_policy_mfa_provider]

idp_policy_mfa_provider

security_result.rule_labels[idp_policy_mfa_provider]

security_result.detection_fields[idp_policy_rule_action]

idp_policy_rule_action

security_result.rule_labels[idp_policy_rule_action]

security_result.detection_fields[idp_policy_rule_trigger]

idp_policy_rule_trigger

security_result.rule_labels[idp_policy_rule_trigger]

security_result.detection_fields[idp_policy_rule_id]

idp_policy_rule_id

security_result.rule_id

security_result.detection_fields[idp_policy_rule_name]

idp_policy_rule_name

security_result.rule_name

target.process.file.mime_type

alleged_filetype

If the technique_name log field value contain one of the following values

Archive via Library
Ingress Tool Transfer
Remote File Copy
File Transfer Protocols
Credentials from Web Browsers
Credentials In Files
Proc Filesystem
Unsecured Credentials
File Deletion
Obfuscated Files or Information
Compile After Delivery
Compiled HTML File
Deobfuscate/Decode Files or Information
Double File Extension
File and Directory Permissions Modification
File System Logical Offsets
Hidden Files and Directories
Install Root Certificate
Archive Collected Data
Archive via Custom Method
Archive via Utility
Linux and Mac File and Directory Permissions Modification
MMC
NTFS File Attributes
PubPrn
Resource Forking
Rundll32
Scripting
Space after Filename
System Script Proxy Execution
XSL Script Processing
Intelligence Indicator - Hash
Known Hash
Malicious File
File and Directory Discovery
AppleScript
Command and Scripting Interpreter
JavaScript
JavaScript/JScript
Malicious Image
PowerShell
Python
Service Execution
Unix Shell
User Execution
Data Destruction
Spearphishing Attachment
.bash_profile and .bashrc
Change Default File Association
Ccache Files
Chat Messages
Multi-Factor Authentication
TCC Manipulation
Application Versioning
Fileless Storage
Embedded Payloads
File/Path Exclusions
Encrypted/Encoded File
Match Legitimate Resource Name or Location
Masquerade File Type
Stripped Payloads
Clear Network Connection History and Configurations
Disable or Modify Linux Audit System
Junk Code Insertion
Extended Attributes
SVG Smuggling
Indicator Removal
LNK Icon Smuggling
Polymorphic Code
Relocate Malware
Clear Persistence
Compression
Compromise Host Software Binary
Conceal Multimedia Files
Browser Information Discovery
Taint Shared Content
Shared Webroot

then, alleged_filetype log field is mapped to the target.file.mime_type UDM field.
Else, alleged_filetype log field is mapped to the target.process.file.mime_type UDM field.

principal.resource.product_object_id

device.cid

principal.asset.attribute.labels[device_cid]

security_result.detection_fields[active_directory_dn_display]

device.hostinfo.active_directory_dn_display

Iterate through log field device.hostinfo.active_directory_dn_display , then
the security_result.detection_fields.key UDM field is set to device_hostinfo_active_directory_dn_display and device.hostinfo.active_directory_dn_display log field is mapped to the security_result.detection_fields.value UDM field.

principal.asset.platform_software.platform

device.platform_name

If the device.platform_name log field value is not empty and if the device.platform_name log field value matches the regular expression pattern (?i)Windows then, the principal.asset.platform_software.platform UDM field is set to WINDOWS . Else, if device.platform_name log field value matches the regular expression pattern (?i)Linux then, the principal.asset.platform_software.platform UDM field is set to LINUX . Else, if device.platform_name log field value matches the regular expression pattern (?i)Mac then, the principal.asset.platform_software.platform UDM field is set to MAC . Else, if device.platform_name log field value matches the regular expression pattern (?i)ios then, the principal.asset.platform_software.platform UDM field is set to IOS . if the platform log field value is not empty and the device.platform_name log field value is equal to

the platform 
log field value

then, the principal.asset.attribute.labels.key UDM field is set to platform and platform log field is mapped to the principal.asset.attribute.labels.value UDM field.

principal.asset.platform_software.platform_version

device.system_product_name

principal.asset.hardware.model

target.process.file.names

filename

If the technique_name log field value contain one of the following values

Archive via Library
Ingress Tool Transfer
Remote File Copy
File Transfer Protocols
Credentials from Web Browsers
Credentials In Files
Proc Filesystem
Unsecured Credentials
File Deletion
Obfuscated Files or Information
Compile After Delivery
Compiled HTML File
Deobfuscate/Decode Files or Information
Double File Extension
File and Directory Permissions Modification
File System Logical Offsets
Hidden Files and Directories
Install Root Certificate
Archive Collected Data
Archive via Custom Method
Archive via Utility
Linux and Mac File and Directory Permissions Modification
MMC
NTFS File Attributes
PubPrn
Resource Forking
Rundll32
Scripting
Space after Filename
System Script Proxy Execution
XSL Script Processing
Intelligence Indicator - Hash
Known Hash
Malicious File
File and Directory Discovery
AppleScript
Command and Scripting Interpreter
JavaScript
JavaScript/JScript
Malicious Image
PowerShell
Python
Service Execution
Unix Shell
User Execution
Data Destruction
Spearphishing Attachment
.bash_profile and .bashrc
Change Default File Association
Ccache Files
Chat Messages
Multi-Factor Authentication
TCC Manipulation
Application Versioning
Fileless Storage
Embedded Payloads
File/Path Exclusions
Encrypted/Encoded File
Match Legitimate Resource Name or Location
Masquerade File Type
Stripped Payloads
Clear Network Connection History and Configurations
Disable or Modify Linux Audit System
Junk Code Insertion
Extended Attributes
SVG Smuggling
Indicator Removal
LNK Icon Smuggling
Polymorphic Code
Relocate Malware
Clear Persistence
Compression
Compromise Host Software Binary
Conceal Multimedia Files
Browser Information Discovery
Taint Shared Content
Shared Webroot

then, filename log field is mapped to the target.file.names UDM field.
Else, filename log field is mapped to the target.process.file.names UDM field.

target.file.full_path

filepath

If the technique_name log field value contain one of the following values

Archive via Library
Ingress Tool Transfer
Remote File Copy
File Transfer Protocols
Credentials from Web Browsers
Credentials In Files
Proc Filesystem
Unsecured Credentials
File Deletion
Obfuscated Files or Information
Compile After Delivery
Compiled HTML File
Deobfuscate/Decode Files or Information
Double File Extension
File and Directory Permissions Modification
File System Logical Offsets
Hidden Files and Directories
Install Root Certificate
Archive Collected Data
Archive via Custom Method
Archive via Utility
Linux and Mac File and Directory Permissions Modification
MMC
NTFS File Attributes
PubPrn
Resource Forking
Rundll32
Scripting
Space after Filename
System Script Proxy Execution
XSL Script Processing
Intelligence Indicator - Hash
Known Hash
Malicious File
File and Directory Discovery
AppleScript
Command and Scripting Interpreter
JavaScript
JavaScript/JScript
Malicious Image
PowerShell
Python
Service Execution
Unix Shell
User Execution
Data Destruction
Spearphishing Attachment
.bash_profile and .bashrc
Change Default File Association
Ccache Files
Chat Messages
Multi-Factor Authentication
TCC Manipulation
Application Versioning
Fileless Storage
Embedded Payloads
File/Path Exclusions
Encrypted/Encoded File
Match Legitimate Resource Name or Location
Masquerade File Type
Stripped Payloads
Clear Network Connection History and Configurations
Disable or Modify Linux Audit System
Junk Code Insertion
Extended Attributes
SVG Smuggling
Indicator Removal
LNK Icon Smuggling
Polymorphic Code
Relocate Malware
Clear Persistence
Compression
Compromise Host Software Binary
Conceal Multimedia Files
Browser Information Discovery
Taint Shared Content
Shared Webroot

then, filepath log field is mapped to the target.file.full_path UDM field.
Else, filepath log field is mapped to the target.process.file.full_path UDM field.
If the product log field value is equal to epp and the type log field value is equal to ofp and if the macros.ioc_description log field value is not empty then, macros.ioc_description log field is mapped to the target.file.full_path UDM field and the security_result.detection_fields.key UDM field is set to filepath and filepath log field is mapped to the security_result.detection_fields.value UDM field.

target.process_ancestors.command_line

grandparent_details.cmdline

target.process.parent_process.parent_process.command_line

target.process_ancestors.file.names

grandparent_details.filename

target.process.parent_process.parent_process.file.names

target.process_ancestors.file.full_path

grandparent_details.filepath

target.process.parent_process.parent_process.file.full_path

target.process_ancestors.file.md5

grandparent_details.md5

target.process.parent_process.parent_process.file.md5

target.process_ancestors.product_specific_process_id

grandparent_details.process_graph_id

If the grandparent_details.process_graph_id log field value is not empty then, PRODUCT_SPECIFIC_PROCESS_ID: %{grandparent_details.process_graph_id} log field is mapped to the target.process.parent_process.parent_process.product_specific_process_id UDM field.

target.process_ancestors.pid

grandparent_details.process_id

target.process.parent_process.parent_process.pid

target.process_ancestors.file.sha256

grandparent_details.sha256

target.process.parent_process.parent_process.file.sha256

security_result.detection_fields[ioc_description]

ioc_context.ioc_description

Iterate through log field ioc_context , then
the security_result.detection_fields.key UDM field is set to ioc_context_ioc_description and ioc_context.ioc_description log field is mapped to the security_result.detection_fields.value UDM field.

security_result.detection_fields[ioc_source]

ioc_context.ioc_source

Iterate through log field ioc_context , then
the security_result.detection_fields.key UDM field is set to ioc_context_ioc_source and ioc_context.ioc_source log field is mapped to the security_result.detection_fields.value UDM field.

target.process.file.md5

md5

If the technique_name log field value contain one of the following values

Archive via Library
Ingress Tool Transfer
Remote File Copy
File Transfer Protocols
Credentials from Web Browsers
Credentials In Files
Proc Filesystem
Unsecured Credentials
File Deletion
Obfuscated Files or Information
Compile After Delivery
Compiled HTML File
Deobfuscate/Decode Files or Information
Double File Extension
File and Directory Permissions Modification
File System Logical Offsets
Hidden Files and Directories
Install Root Certificate
Archive Collected Data
Archive via Custom Method
Archive via Utility
Linux and Mac File and Directory Permissions Modification
MMC
NTFS File Attributes
PubPrn
Resource Forking
Rundll32
Scripting
Space after Filename
System Script Proxy Execution
XSL Script Processing
Intelligence Indicator - Hash
Known Hash
Malicious File
File and Directory Discovery
AppleScript
Command and Scripting Interpreter
JavaScript
JavaScript/JScript
Malicious Image
PowerShell
Python
Service Execution
Unix Shell
User Execution
Data Destruction
Spearphishing Attachment
.bash_profile and .bashrc
Change Default File Association
Ccache Files
Chat Messages
Multi-Factor Authentication
TCC Manipulation
Application Versioning
Fileless Storage
Embedded Payloads
File/Path Exclusions
Encrypted/Encoded File
Match Legitimate Resource Name or Location
Masquerade File Type
Stripped Payloads
Clear Network Connection History and Configurations
Disable or Modify Linux Audit System
Junk Code Insertion
Extended Attributes
SVG Smuggling
Indicator Removal
LNK Icon Smuggling
Polymorphic Code
Relocate Malware
Clear Persistence
Compression
Compromise Host Software Binary
Conceal Multimedia Files
Browser Information Discovery
Taint Shared Content
Shared Webroot

then, md5 log field is mapped to the target.file.md5 UDM field.
Else, md5 log field is mapped to the target.process.file.md5 UDM field.

target.process.file.sha1

sha1

If the technique_name log field value contain one of the following values

Archive via Library
Ingress Tool Transfer
Remote File Copy
File Transfer Protocols
Credentials from Web Browsers
Credentials In Files
Proc Filesystem
Unsecured Credentials
File Deletion
Obfuscated Files or Information
Compile After Delivery
Compiled HTML File
Deobfuscate/Decode Files or Information
Double File Extension
File and Directory Permissions Modification
File System Logical Offsets
Hidden Files and Directories
Install Root Certificate
Archive Collected Data
Archive via Custom Method
Archive via Utility
Linux and Mac File and Directory Permissions Modification
MMC
NTFS File Attributes
PubPrn
Resource Forking
Rundll32
Scripting
Space after Filename
System Script Proxy Execution
XSL Script Processing
Intelligence Indicator - Hash
Known Hash
Malicious File
File and Directory Discovery
AppleScript
Command and Scripting Interpreter
JavaScript
JavaScript/JScript
Malicious Image
PowerShell
Python
Service Execution
Unix Shell
User Execution
Data Destruction
Spearphishing Attachment
.bash_profile and .bashrc
Change Default File Association
Ccache Files
Chat Messages
Multi-Factor Authentication
TCC Manipulation
Application Versioning
Fileless Storage
Embedded Payloads
File/Path Exclusions
Encrypted/Encoded File
Match Legitimate Resource Name or Location
Masquerade File Type
Stripped Payloads
Clear Network Connection History and Configurations
Disable or Modify Linux Audit System
Junk Code Insertion
Extended Attributes
SVG Smuggling
Indicator Removal
LNK Icon Smuggling
Polymorphic Code
Relocate Malware
Clear Persistence
Compression
Compromise Host Software Binary
Conceal Multimedia Files
Browser Information Discovery
Taint Shared Content
Shared Webroot

then, sha1 log field is mapped to the target.file.sha1 UDM field.
Else, sha1 log field is mapped to the target.process.file.sha1 UDM field.

target.file.sha256

sha256

If the technique_name log field value contain one of the following values

Archive via Library
Ingress Tool Transfer
Remote File Copy
File Transfer Protocols
Credentials from Web Browsers
Credentials In Files
Proc Filesystem
Unsecured Credentials
File Deletion
Obfuscated Files or Information
Compile After Delivery
Compiled HTML File
Deobfuscate/Decode Files or Information
Double File Extension
File and Directory Permissions Modification
File System Logical Offsets
Hidden Files and Directories
Install Root Certificate
Archive Collected Data
Archive via Custom Method
Archive via Utility
Linux and Mac File and Directory Permissions Modification
MMC
NTFS File Attributes
PubPrn
Resource Forking
Rundll32
Scripting
Space after Filename
System Script Proxy Execution
XSL Script Processing
Intelligence Indicator - Hash
Known Hash
Malicious File
File and Directory Discovery
AppleScript
Command and Scripting Interpreter
JavaScript
JavaScript/JScript
Malicious Image
PowerShell
Python
Service Execution
Unix Shell
User Execution
Data Destruction
Spearphishing Attachment
.bash_profile and .bashrc
Change Default File Association
Ccache Files
Chat Messages
Multi-Factor Authentication
TCC Manipulation
Application Versioning
Fileless Storage
Embedded Payloads
File/Path Exclusions
Encrypted/Encoded File
Match Legitimate Resource Name or Location
Masquerade File Type
Stripped Payloads
Clear Network Connection History and Configurations
Disable or Modify Linux Audit System
Junk Code Insertion
Extended Attributes
SVG Smuggling
Indicator Removal
LNK Icon Smuggling
Polymorphic Code
Relocate Malware
Clear Persistence
Compression
Compromise Host Software Binary
Conceal Multimedia Files
Browser Information Discovery
Taint Shared Content
Shared Webroot

then, sha256 log field is mapped to the target.file.sha256 UDM field.
Else, sha256 log field is mapped to the target.process.file.sha256 UDM field.
If the product log field value is equal to epp and the type log field value is equal to ofp and if the ioc_type log field value is equal to hash_sha256 and the macros.ioc_value log field value is not empty then, macros.ioc_value log field is mapped to the target.file.sha256 UDM field and the security_result.detection_fields.key UDM field is set to sha256 and sha256 log field is mapped to the security_result.detection_fields.value UDM field.

target.asset.platform_software.platform

operating_system

If the operating_system log field value matches the regular expression pattern (?i)Windows then, the principal.asset.platform_software.platform UDM field is set to WINDOWS .
Else, if operating_system log field value matches the regular expression pattern (?i)linux then, the principal.asset.platform_software.platform UDM field is set to LINUX .
Else, if operating_system log field value matches the regular expression pattern (?i)ios then, the principal.asset.platform_software.platform UDM field is set to IOS .
Else, if operating_system log field value matches the regular expression pattern (?i)mac then, the principal.asset.platform_software.platform UDM field is set to MAC .

security_result.detection_fields[agent_version]

agent_version

principal.asset.attribute.labels[agent_version]

about.email

enrollment_email

principal.user.email_addresses

principal.asset.type

If the mdm_device_id log field value is not empty or the mobile_hardware log field value is not empty or the mobile_manufacturer log field value is not empty or the mobile_serial log field value is not empty then, the principal.asset.type UDM field is set to MOBILE .

Supported CrowdStrike log formats

The CrowdStrike parser supports logs in JSON format.

Need more help? Get answers from Community members and Google SecOps professionals.