Console
    Start free

    Collect CrowdStrike Falcon logs

    This document describes how to ingest CrowdStrike Falcon logs into Google Security Operations. You can ingest several types of CrowdStrike Falcon logs, and this document outlines the specific configuration for each.

    For a high-level overview of data ingestion in Google Security Operations, see Data ingestion to Google Security Operations .

    Supported CrowdStrike Falcon log types

    Google Security Operations supports the following CrowdStrike Falcon log types through the parsers with the following ingestion labels:

    • Endpoint Detection and Response (EDR): CS_EDR . This parser parses near real-time telemetry data from CrowdStrike Falcon Data Replicator (FDR), such as file access and registry modifications. Data is typically ingested from an S3 or Cloud Storage bucket.

    • Detections: CS_DETECTS . This parser parses Detection Summary events from CrowdStrike using the Detect API. While related to endpoint activity, CS_DETECTS provides higher-level detection summaries compared to the raw telemetry parsed using CS_EDR .

    • Alerts: CS_ALERTS . This parser parses alerts from CrowdStrike using the Alerts API. The CrowdStrike Alerts parser supports the following product types:

      • epp
      • idp
      • overwatch
      • xdr
      • mobile
      • cwpp
      • ngsiem

    • Indicators of Compromise (IoC): CS_IOC . This parser parses IoCs and Indicators of Attack (IOAs) from CrowdStrike Threat Intelligence using the CrowdStrike Chronicle Intel Bridge. The CrowdStrike Indicator of Compromise (IoC) parser supports the following indicator types:

      • domain
      • email_address
      • file_name
      • file_path
      • hash_md5
      • hash_sha1
      • hash_sha256
      • ip_address
      • mutex_name
      • url

    Google SecOps recommends using feeds for CS_EDR , CS_DETECTS , and CS_IOC for comprehensive data ingestion from CrowdStrike.

    Before you begin

    Ensure that you have the following prerequisites:

    • Administrator rights on the CrowdStrike instance to install the CrowdStrike Falcon Host sensor
    • All systems in the deployment architecture are configured in the UTC time zone.
    • Target device runs on a supported operating system
      • Must be a 64-bit server
      • Microsoft Windows Server 2008 R2 SP1 is supported for CrowdStrike Falcon Host sensor version 6.51 or later.
      • Legacy OS versions must support SHA-2 code signing.
    • Google SecOps service account file and your customer ID from the Google SecOps support team

    Set up feeds

    There are two different entry points to set up feeds in the Google SecOps platform:

    • SIEM Settings > Feeds > Add New Feed
    • Content Hub > Content Packs > Get Started

    For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

    Ingest CrowdStrike Falcon logs

    This section describes how to configure ingestion for the different types of CrowdStrike Falcon logs.

    Ingest EDR logs ( CS_EDR )

    You can ingest CrowdStrike Falcon EDR logs using one of the following methods, depending on where you want to send the logs from CrowdStrike:

    • Amazon SQS: Using a Falcon Data Replicator feed.
    • Amazon S3: Using a Google Security Operations feed configured for an S3 bucket.
    • Google Cloud Storage: By having CrowdStrike push logs to a Cloud Storage bucket.

    Choose one of the following procedures.

    Option 1: Ingest EDR logs from Amazon SQS

    This method uses the CrowdStrike Falcon Data Replicator to send EDR logs to an Amazon SQS queue, which Google Security Operations then polls.

    1. Click the CrowdStrikepack.

    2. In the CrowdStrike Falconlog type, specify values for the following fields:

      • Source: Amazon SQS
      • Region: The S3 region associated with URI.
      • Queue Name: Name of the SQS queue from which to read log data.
      • S3 URI: The S3 bucket source URI.
      • Account Number: The SQS account number.
      • Queue Access Key ID: 20-character account access key ID. For example, AKIAOSFOODNN7EXAMPLE .
      • Queue Secret Access Key: 40-character secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY .
      • Source deletion option: Option to delete files and directories after transferring the data.

      Advanced options

      • Feed Name: A prepopulated value that identifies the feed.
      • Asset Namespace: Namespace associated with the feed .
      • Ingestion Labels– Labels applied to all events from this feed.

    3. Click Create Feed.

    For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

    Option 2: Ingest EDR logs from an Amazon S3 bucket

    This method involves setting up a Google Security Operations feed to pull EDR logs directly from an Amazon S3 bucket.

    To set up an ingestion feed using an S3 bucket, follow these steps:

    1. Go to SIEM Settings > Feeds.
    2. Click Add New Feed.
    3. On the next page, click Configure a single feed.
    4. In the Feed namefield, enter a name for the feed; for example, Crowdstrike Falcon Logs.
    5. In Source type, select Amazon S3.
    6. In Log type, select CrowdStrike Falcon.
    7. Based on the service account and the Amazon S3 bucket configuration that you created, specify values for the following fields:
      Field Description
      region S3 region URI.
      S3 uri S3 bucket source URI.
      uri is a Type of object that the URI points to (for example, file or folder).
      source deletion option Option to delete files and directories after transferring the data.
      access key id Access key (20-character alphanumeric string). For example, AKIAOSFOODNN7EXAMPLE .
      secret access key Secret access key (40-character alphanumeric string). For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY .
      oauth client id Public OAuth client ID.
      oauth client secret OAuth 2.0 client secret.
      oauth secret refresh uri OAuth 2.0 client secret refresh URI.
      asset namespace Namespace associated with the feed.
    8. Click Nextand then Submit.

    Option 3: Ingest EDR logs from Cloud Storage

    You can configure CrowdStrike to send EDR logs to a Cloud Storage bucket, and then ingest these logs into Google Security Operations using a feed. This process requires coordination with CrowdStrike Support.

    1. Contact CrowdStrike Support:Open a support ticket with CrowdStrike to enable and configure pushing EDR logs to your Cloud Storage bucket. They will provide guidance on the required configurations.

    2. Create and permission the Cloud Storage bucket:

      1. In the Google Cloud console, create a new Cloud Storage bucket. Note the bucket name (for example, gs://my-crowdstrike-edr-logs/ ).
      2. Grant write permissions to the service account provided by CrowdStrike. Follow the instructions from CrowdStrike Support.

    3. Configure the Google SecOps feed:

      1. In your Google SecOps instance, go to Settings > Feedsand click Add New.
      2. Enter a descriptive Feed name(for example, CS-EDR-GCS ).
      3. For Source type, select Google Cloud Storage V2.
      4. For Log type, select CrowdStrike Falcon.
      5. In the service account section, click Get Service Account. Copy the unique service account email address displayed.
      6. In the Google Cloud console, navigate to your Cloud Storage bucket and grant the Storage Object Viewer IAM role to the service account email address you copied. This allows the feed to read the log files.
      7. Return to the Google SecOps feed configuration page.
      8. Enter the Storage Bucket URL(for example, gs://my-crowdstrike-edr-logs/ ). This URL must end with a trailing forward slash ( / ).
      9. Select a Source Deletion Option. Never delete filesis recommended.
      10. Click Next, review the settings, and then click Submit.

    4. Verify log ingestion:After CrowdStrike confirms that logs are being pushed, check for incoming logs in Google SecOps with the Log Type CROWDSTRIKE_EDR .

    Ingest Alerts logs ( CS_ALERTS )

    To ingest CrowdStrike Falcon alerts, you configure a feed that uses the CrowdStrike API.

    1. In the CrowdStrike Falcon Console:

      1. Sign in to the CrowdStrike Falcon Console.
      2. Go to Support and resources> Resources and tools> API Clients and Keys, and click Create API client.
      3. Enter a Client Nameand Description.
      4. For API Scopes, select the Readand Writeboxes for Alerts.
      5. Click Create. Note the generated Client ID, Client Secret, and Base URL.

    2. In Google Security Operations:

      1. Go to Settings > Feedsand click Add New.
      2. Select Third Party APIfor Source type.
      3. Select CrowdStrike Alerts APIfor Log type.
      4. Click Nextand populate the following fields using the values from the CrowdStrike API client:
        • OAuth token endpoint
        • OAuth client ID
        • OAuth client secret
        • Base URL
      5. Click Nextand then Submit.

    Ingest Detections logs ( CS_DETECTS )

    To ingest CrowdStrike Falcon detection logs, you also use the CrowdStrike API.

    1. In the CrowdStrike Falcon Console:

      1. Sign in to the CrowdStrike Falcon Console.
      2. Go to Support Apps> API Clients and Keys.
      3. Create a new API client key pair. This key pair must have READ permissions for Detections .

    2. In Google Security Operations:

      1. Go to Settings > Feedsand click Add New.
      2. Select Third Party APIfor Source type.
      3. Select CrowdStrike Detection Monitoringfor Log type.
      4. Click Nextand then Submit. You will be prompted for the API credentials you created.

    Ingest IoC logs ( CS_IOC )

    To ingest Indicator of Compromise (IoC) logs from CrowdStrike, you use the Google SecOps Intel Bridge.

    1. In the CrowdStrike Falcon Console, create a new API client key pair. This key pair must have READ permission for Indicators (Falcon Intelligence) .
    2. Set up the Google SecOps Intel Bridge by following the instructions at CrowdStrike to Google SecOps Intel Bridge .

    3. Run the following Docker commands to send the logs from CrowdStrike to Google SecOps. sa.json is your Google SecOps service account file.

       docker build . -t ccib:latest
docker run -it --rm \
      -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID"  \
      -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET"  \
      -e FALCON_CLOUD_REGION="$FALCON_CLOUD"  \
      -e CHRONICLE_CUSTOMER_ID="$CHRONICLE_CUSTOMER_ID"  \
      -e GOOGLE_APPLICATION_CREDENTIALS=/ccib/sa.json  \
      -v  ~/my/path/to/service/account/filer/sa.json:/ccib/sa.json  \
      ccib:latest

    4. After the container is running, IoC logs will begin streaming into Google SecOps.

    If you encounter issues with any of these configurations, contact the Google SecOps support team .

    UDM Mapping Delta for CrowdStrike alerts logs.

    UDM Mapping Delta reference: CS_ALERTS

    The following table lists delta between Default parser of CS ALERTS and premium version of CS ALERTS .

    Default UDM Mapping
    Log Field
    Premium Mapping Delta
    about.resource.product_object_id
    cid
    Removed mapping to avoid duplication, as the cid log field is also mapped to metadata.product_deployment_id .
    principal.asset.platform_software.platform
    platform
    If the device.platform_name log field value is empty and the platform log field value is not empty and if the platform log field value matches the regular expression pattern (?i)Windows then, the principal.asset.platform_software.platform UDM field is set to WINDOWS . Else, if platform log field value matches the regular expression pattern (?i)Linux then, the principal.asset.platform_software.platform UDM field is set to LINUX . Else, if platform log field value matches the regular expression pattern (?i)Mac then, the principal.asset.platform_software.platform UDM field is set to MAC . Else, if platform log field value matches the regular expression pattern (?i)ios then, the principal.asset.platform_software.platform UDM field is set to IOS .
    security_result.detection_fields[agent_id]
    agent_id
    If the device.device_id log field value is empty and the host_id log field value is empty and the mdm_device_id log field value is empty then, CS:%{agent_id} log field is mapped to the principal.asset_id UDM field.
    Else, the principal.asset.attribute.labels.key UDM field is set to agent_id and agent_id log field is mapped to the principal.asset.attribute.labels.value UDM field.
    security_result.detection_fields[idp_policy_account_event_type]
    idp_policy_account_event_type
    security_result.rule_labels[idp_policy_account_event_type]
    security_result.detection_fields[idp_policy_mfa_factor_type]
    idp_policy_mfa_factor_type
    security_result.rule_labels[idp_policy_mfa_factor_type]
    security_result.detection_fields[idp_policy_mfa_provider_name]
    idp_policy_mfa_provider_name
    security_result.rule_labels[idp_policy_mfa_provider_name]
    security_result.detection_fields[idp_policy_mfa_provider]
    idp_policy_mfa_provider
    security_result.rule_labels[idp_policy_mfa_provider]
    security_result.detection_fields[idp_policy_rule_action]
    idp_policy_rule_action
    security_result.rule_labels[idp_policy_rule_action]
    security_result.detection_fields[idp_policy_rule_trigger]
    idp_policy_rule_trigger
    security_result.rule_labels[idp_policy_rule_trigger]
    security_result.detection_fields[idp_policy_rule_id]
    idp_policy_rule_id
    security_result.rule_id
    security_result.detection_fields[idp_policy_rule_name]
    idp_policy_rule_name
    security_result.rule_name
    security_result.detection_fields[status]
    status
    If the status log field value matches the regular expression pattern (?i)new then, status log field is mapped to the security_result.about.investigation.status UDM field with the value NEW .
    Else, if status log field value matches the regular expression pattern (?i)closed then, status log field is mapped to the security_result.about.investigation.status UDM field with the value CLOSED .
    Else, status log field is mapped to the security_result.detection_fields[status] UDM field.
    target.process.file.mime_type
    alleged_filetype
    If the technique_name log field value contain one of the following values
    • Archive via Library
    • Ingress Tool Transfer
    • Remote File Copy
    • File Transfer Protocols
    • Credentials from Web Browsers
    • Credentials In Files
    • Proc Filesystem
    • Unsecured Credentials
    • File Deletion
    • Obfuscated Files or Information
    • Compile After Delivery
    • Compiled HTML File
    • Deobfuscate/Decode Files or Information
    • Double File Extension
    • File and Directory Permissions Modification
    • File System Logical Offsets
    • Hidden Files and Directories
    • Install Root Certificate
    • Archive Collected Data
    • Archive via Custom Method
    • Archive via Utility
    • Linux and Mac File and Directory Permissions Modification
    • MMC
    • NTFS File Attributes
    • PubPrn
    • Resource Forking
    • Rundll32
    • Scripting
    • Space after Filename
    • System Script Proxy Execution
    • XSL Script Processing
    • Intelligence Indicator - Hash
    • Known Hash
    • Malicious File
    • File and Directory Discovery
    • AppleScript
    • Command and Scripting Interpreter
    • JavaScript
    • JavaScript/JScript
    • Malicious Image
    • PowerShell
    • Python
    • Service Execution
    • Unix Shell
    • User Execution
    • Data Destruction
    • Spearphishing Attachment
    • .bash_profile and .bashrc
    • Change Default File Association
    • Ccache Files
    • Chat Messages
    • Multi-Factor Authentication
    • TCC Manipulation
    • Application Versioning
    • Fileless Storage
    • Embedded Payloads
    • File/Path Exclusions
    • Encrypted/Encoded File
    • Match Legitimate Resource Name or Location
    • Masquerade File Type
    • Stripped Payloads
    • Clear Network Connection History and Configurations
    • Disable or Modify Linux Audit System
    • Junk Code Insertion
    • Extended Attributes
    • SVG Smuggling
    • Indicator Removal
    • LNK Icon Smuggling
    • Polymorphic Code
    • Relocate Malware
    • Clear Persistence
    • Compression
    • Compromise Host Software Binary
    • Conceal Multimedia Files
    • Browser Information Discovery
    • Taint Shared Content
    • Shared Webroot
    then, alleged_filetype log field is mapped to the target.file.mime_type UDM field.
    Else, alleged_filetype log field is mapped to the target.process.file.mime_type UDM field.
    principal.resource.product_object_id
    device.cid
    principal.asset.attribute.labels[device_cid]
    security_result.detection_fields[active_directory_dn_display]
    device.hostinfo.active_directory_dn_display
    Iterate through log field device.hostinfo.active_directory_dn_display , then
    the security_result.detection_fields.key UDM field is set to device_hostinfo_active_directory_dn_display and device.hostinfo.active_directory_dn_display log field is mapped to the security_result.detection_fields.value UDM field.
    principal.asset.platform_software.platform
    device.platform_name
    If the device.platform_name log field value is not empty and if the device.platform_name log field value matches the regular expression pattern (?i)Windows then, the principal.asset.platform_software.platform UDM field is set to WINDOWS . Else, if device.platform_name log field value matches the regular expression pattern (?i)Linux then, the principal.asset.platform_software.platform UDM field is set to LINUX . Else, if device.platform_name log field value matches the regular expression pattern (?i)Mac then, the principal.asset.platform_software.platform UDM field is set to MAC . Else, if device.platform_name log field value matches the regular expression pattern (?i)ios then, the principal.asset.platform_software.platform UDM field is set to IOS . if the platform log field value is not empty and the device.platform_name log field value is equal to the platform log field value then, the principal.asset.attribute.labels.key UDM field is set to platform and platform log field is mapped to the principal.asset.attribute.labels.value UDM field.
    principal.asset.platform_software.platform_version
    device.system_product_name
    principal.asset.hardware.model
    target.process.file.names
    filename
    If the technique_name log field value contain one of the following values
    • Archive via Library
    • Ingress Tool Transfer
    • Remote File Copy
    • File Transfer Protocols
    • Credentials from Web Browsers
    • Credentials In Files
    • Proc Filesystem
    • Unsecured Credentials
    • File Deletion
    • Obfuscated Files or Information
    • Compile After Delivery
    • Compiled HTML File
    • Deobfuscate/Decode Files or Information
    • Double File Extension
    • File and Directory Permissions Modification
    • File System Logical Offsets
    • Hidden Files and Directories
    • Install Root Certificate
    • Archive Collected Data
    • Archive via Custom Method
    • Archive via Utility
    • Linux and Mac File and Directory Permissions Modification
    • MMC
    • NTFS File Attributes
    • PubPrn
    • Resource Forking
    • Rundll32
    • Scripting
    • Space after Filename
    • System Script Proxy Execution
    • XSL Script Processing
    • Intelligence Indicator - Hash
    • Known Hash
    • Malicious File
    • File and Directory Discovery
    • AppleScript
    • Command and Scripting Interpreter
    • JavaScript
    • JavaScript/JScript
    • Malicious Image
    • PowerShell
    • Python
    • Service Execution
    • Unix Shell
    • User Execution
    • Data Destruction
    • Spearphishing Attachment
    • .bash_profile and .bashrc
    • Change Default File Association
    • Ccache Files
    • Chat Messages
    • Multi-Factor Authentication
    • TCC Manipulation
    • Application Versioning
    • Fileless Storage
    • Embedded Payloads
    • File/Path Exclusions
    • Encrypted/Encoded File
    • Match Legitimate Resource Name or Location
    • Masquerade File Type
    • Stripped Payloads
    • Clear Network Connection History and Configurations
    • Disable or Modify Linux Audit System
    • Junk Code Insertion
    • Extended Attributes
    • SVG Smuggling
    • Indicator Removal
    • LNK Icon Smuggling
    • Polymorphic Code
    • Relocate Malware
    • Clear Persistence
    • Compression
    • Compromise Host Software Binary
    • Conceal Multimedia Files
    • Browser Information Discovery
    • Taint Shared Content
    • Shared Webroot
    then, filename log field is mapped to the target.file.names UDM field.
    Else, filename log field is mapped to the target.process.file.names UDM field.
    target.file.full_path
    filepath
    If the technique_name log field value contain one of the following values
    • Archive via Library
    • Ingress Tool Transfer
    • Remote File Copy
    • File Transfer Protocols
    • Credentials from Web Browsers
    • Credentials In Files
    • Proc Filesystem
    • Unsecured Credentials
    • File Deletion
    • Obfuscated Files or Information
    • Compile After Delivery
    • Compiled HTML File
    • Deobfuscate/Decode Files or Information
    • Double File Extension
    • File and Directory Permissions Modification
    • File System Logical Offsets
    • Hidden Files and Directories
    • Install Root Certificate
    • Archive Collected Data
    • Archive via Custom Method
    • Archive via Utility
    • Linux and Mac File and Directory Permissions Modification
    • MMC
    • NTFS File Attributes
    • PubPrn
    • Resource Forking
    • Rundll32
    • Scripting
    • Space after Filename
    • System Script Proxy Execution
    • XSL Script Processing
    • Intelligence Indicator - Hash
    • Known Hash
    • Malicious File
    • File and Directory Discovery
    • AppleScript
    • Command and Scripting Interpreter
    • JavaScript
    • JavaScript/JScript
    • Malicious Image
    • PowerShell
    • Python
    • Service Execution
    • Unix Shell
    • User Execution
    • Data Destruction
    • Spearphishing Attachment
    • .bash_profile and .bashrc
    • Change Default File Association
    • Ccache Files
    • Chat Messages
    • Multi-Factor Authentication
    • TCC Manipulation
    • Application Versioning
    • Fileless Storage
    • Embedded Payloads
    • File/Path Exclusions
    • Encrypted/Encoded File
    • Match Legitimate Resource Name or Location
    • Masquerade File Type
    • Stripped Payloads
    • Clear Network Connection History and Configurations
    • Disable or Modify Linux Audit System
    • Junk Code Insertion
    • Extended Attributes
    • SVG Smuggling
    • Indicator Removal
    • LNK Icon Smuggling
    • Polymorphic Code
    • Relocate Malware
    • Clear Persistence
    • Compression
    • Compromise Host Software Binary
    • Conceal Multimedia Files
    • Browser Information Discovery
    • Taint Shared Content
    • Shared Webroot
    then, filepath log field is mapped to the target.file.full_path UDM field.
    Else, filepath log field is mapped to the target.process.file.full_path UDM field.
    If the product log field value is equal to epp and the type log field value is equal to ofp and if the macros.ioc_description log field value is not empty then, macros.ioc_description log field is mapped to the target.file.full_path UDM field and the security_result.detection_fields.key UDM field is set to filepath and filepath log field is mapped to the security_result.detection_fields.value UDM field.
    target.process_ancestors.command_line
    grandparent_details.cmdline
    target.process.parent_process.parent_process.command_line
    target.process_ancestors.file.names
    grandparent_details.filename
    target.process.parent_process.parent_process.file.names
    target.process_ancestors.file.full_path
    grandparent_details.filepath
    target.process.parent_process.parent_process.file.full_path
    target.process_ancestors.file.md5
    grandparent_details.md5
    target.process.parent_process.parent_process.file.md5
    target.process_ancestors.product_specific_process_id
    grandparent_details.process_graph_id
    If the grandparent_details.process_graph_id log field value is not empty then, PRODUCT_SPECIFIC_PROCESS_ID: %{grandparent_details.process_graph_id} log field is mapped to the target.process.parent_process.parent_process.product_specific_process_id UDM field.
    target.process_ancestors.pid
    grandparent_details.process_id
    target.process.parent_process.parent_process.pid
    target.process_ancestors.file.sha256
    grandparent_details.sha256
    target.process.parent_process.parent_process.file.sha256
    security_result.detection_fields[ioc_description]
    ioc_context.ioc_description
    Iterate through log field ioc_context , then
    the security_result.detection_fields.key UDM field is set to ioc_context_ioc_description and ioc_context.ioc_description log field is mapped to the security_result.detection_fields.value UDM field.
    security_result.detection_fields[ioc_source]
    ioc_context.ioc_source
    Iterate through log field ioc_context , then
    the security_result.detection_fields.key UDM field is set to ioc_context_ioc_source and ioc_context.ioc_source log field is mapped to the security_result.detection_fields.value UDM field.
    target.process.file.md5
    md5
    If the technique_name log field value contain one of the following values
    • Archive via Library
    • Ingress Tool Transfer
    • Remote File Copy
    • File Transfer Protocols
    • Credentials from Web Browsers
    • Credentials In Files
    • Proc Filesystem
    • Unsecured Credentials
    • File Deletion
    • Obfuscated Files or Information
    • Compile After Delivery
    • Compiled HTML File
    • Deobfuscate/Decode Files or Information
    • Double File Extension
    • File and Directory Permissions Modification
    • File System Logical Offsets
    • Hidden Files and Directories
    • Install Root Certificate
    • Archive Collected Data
    • Archive via Custom Method
    • Archive via Utility
    • Linux and Mac File and Directory Permissions Modification
    • MMC
    • NTFS File Attributes
    • PubPrn
    • Resource Forking
    • Rundll32
    • Scripting
    • Space after Filename
    • System Script Proxy Execution
    • XSL Script Processing
    • Intelligence Indicator - Hash
    • Known Hash
    • Malicious File
    • File and Directory Discovery
    • AppleScript
    • Command and Scripting Interpreter
    • JavaScript
    • JavaScript/JScript
    • Malicious Image
    • PowerShell
    • Python
    • Service Execution
    • Unix Shell
    • User Execution
    • Data Destruction
    • Spearphishing Attachment
    • .bash_profile and .bashrc
    • Change Default File Association
    • Ccache Files
    • Chat Messages
    • Multi-Factor Authentication
    • TCC Manipulation
    • Application Versioning
    • Fileless Storage
    • Embedded Payloads
    • File/Path Exclusions
    • Encrypted/Encoded File
    • Match Legitimate Resource Name or Location
    • Masquerade File Type
    • Stripped Payloads
    • Clear Network Connection History and Configurations
    • Disable or Modify Linux Audit System
    • Junk Code Insertion
    • Extended Attributes
    • SVG Smuggling
    • Indicator Removal
    • LNK Icon Smuggling
    • Polymorphic Code
    • Relocate Malware
    • Clear Persistence
    • Compression
    • Compromise Host Software Binary
    • Conceal Multimedia Files
    • Browser Information Discovery
    • Taint Shared Content
    • Shared Webroot
    then, md5 log field is mapped to the target.file.md5 UDM field.
    Else, md5 log field is mapped to the target.process.file.md5 UDM field.
    target.process.file.sha1
    sha1
    If the technique_name log field value contain one of the following values
    • Archive via Library
    • Ingress Tool Transfer
    • Remote File Copy
    • File Transfer Protocols
    • Credentials from Web Browsers
    • Credentials In Files
    • Proc Filesystem
    • Unsecured Credentials
    • File Deletion
    • Obfuscated Files or Information
    • Compile After Delivery
    • Compiled HTML File
    • Deobfuscate/Decode Files or Information
    • Double File Extension
    • File and Directory Permissions Modification
    • File System Logical Offsets
    • Hidden Files and Directories
    • Install Root Certificate
    • Archive Collected Data
    • Archive via Custom Method
    • Archive via Utility
    • Linux and Mac File and Directory Permissions Modification
    • MMC
    • NTFS File Attributes
    • PubPrn
    • Resource Forking
    • Rundll32
    • Scripting
    • Space after Filename
    • System Script Proxy Execution
    • XSL Script Processing
    • Intelligence Indicator - Hash
    • Known Hash
    • Malicious File
    • File and Directory Discovery
    • AppleScript
    • Command and Scripting Interpreter
    • JavaScript
    • JavaScript/JScript
    • Malicious Image
    • PowerShell
    • Python
    • Service Execution
    • Unix Shell
    • User Execution
    • Data Destruction
    • Spearphishing Attachment
    • .bash_profile and .bashrc
    • Change Default File Association
    • Ccache Files
    • Chat Messages
    • Multi-Factor Authentication
    • TCC Manipulation
    • Application Versioning
    • Fileless Storage
    • Embedded Payloads
    • File/Path Exclusions
    • Encrypted/Encoded File
    • Match Legitimate Resource Name or Location
    • Masquerade File Type
    • Stripped Payloads
    • Clear Network Connection History and Configurations
    • Disable or Modify Linux Audit System
    • Junk Code Insertion
    • Extended Attributes
    • SVG Smuggling
    • Indicator Removal
    • LNK Icon Smuggling
    • Polymorphic Code
    • Relocate Malware
    • Clear Persistence
    • Compression
    • Compromise Host Software Binary
    • Conceal Multimedia Files
    • Browser Information Discovery
    • Taint Shared Content
    • Shared Webroot
    then, sha1 log field is mapped to the target.file.sha1 UDM field.
    Else, sha1 log field is mapped to the target.process.file.sha1 UDM field.
    target.file.sha256
    sha256
    If the technique_name log field value contain one of the following values
    • Archive via Library
    • Ingress Tool Transfer
    • Remote File Copy
    • File Transfer Protocols
    • Credentials from Web Browsers
    • Credentials In Files
    • Proc Filesystem
    • Unsecured Credentials
    • File Deletion
    • Obfuscated Files or Information
    • Compile After Delivery
    • Compiled HTML File
    • Deobfuscate/Decode Files or Information
    • Double File Extension
    • File and Directory Permissions Modification
    • File System Logical Offsets
    • Hidden Files and Directories
    • Install Root Certificate
    • Archive Collected Data
    • Archive via Custom Method
    • Archive via Utility
    • Linux and Mac File and Directory Permissions Modification
    • MMC
    • NTFS File Attributes
    • PubPrn
    • Resource Forking
    • Rundll32
    • Scripting
    • Space after Filename
    • System Script Proxy Execution
    • XSL Script Processing
    • Intelligence Indicator - Hash
    • Known Hash
    • Malicious File
    • File and Directory Discovery
    • AppleScript
    • Command and Scripting Interpreter
    • JavaScript
    • JavaScript/JScript
    • Malicious Image
    • PowerShell
    • Python
    • Service Execution
    • Unix Shell
    • User Execution
    • Data Destruction
    • Spearphishing Attachment
    • .bash_profile and .bashrc
    • Change Default File Association
    • Ccache Files
    • Chat Messages
    • Multi-Factor Authentication
    • TCC Manipulation
    • Application Versioning
    • Fileless Storage
    • Embedded Payloads
    • File/Path Exclusions
    • Encrypted/Encoded File
    • Match Legitimate Resource Name or Location
    • Masquerade File Type
    • Stripped Payloads
    • Clear Network Connection History and Configurations
    • Disable or Modify Linux Audit System
    • Junk Code Insertion
    • Extended Attributes
    • SVG Smuggling
    • Indicator Removal
    • LNK Icon Smuggling
    • Polymorphic Code
    • Relocate Malware
    • Clear Persistence
    • Compression
    • Compromise Host Software Binary
    • Conceal Multimedia Files
    • Browser Information Discovery
    • Taint Shared Content
    • Shared Webroot
    then, sha256 log field is mapped to the target.file.sha256 UDM field.
    Else, sha256 log field is mapped to the target.process.file.sha256 UDM field.
    If the product log field value is equal to epp and the type log field value is equal to ofp and if the ioc_type log field value is equal to hash_sha256 and the macros.ioc_value log field value is not empty then, macros.ioc_value log field is mapped to the target.file.sha256 UDM field and the security_result.detection_fields.key UDM field is set to sha256 and sha256 log field is mapped to the security_result.detection_fields.value UDM field.
    target.asset.platform_software.platform
    operating_system
    If the operating_system log field value matches the regular expression pattern (?i)Windows then, the principal.asset.platform_software.platform UDM field is set to WINDOWS .
    Else, if operating_system log field value matches the regular expression pattern (?i)linux then, the principal.asset.platform_software.platform UDM field is set to LINUX .
    Else, if operating_system log field value matches the regular expression pattern (?i)ios then, the principal.asset.platform_software.platform UDM field is set to IOS .
    Else, if operating_system log field value matches the regular expression pattern (?i)mac then, the principal.asset.platform_software.platform UDM field is set to MAC .
    security_result.detection_fields[agent_version]
    agent_version
    principal.asset.attribute.labels[agent_version]
    about.email
    enrollment_email
    principal.user.email_addresses
    principal.asset.type
    If the mdm_device_id log field value is not empty or the mobile_hardware log field value is not empty or the mobile_manufacturer log field value is not empty or the mobile_serial log field value is not empty then, the principal.asset.type UDM field is set to MOBILE .
    security_result.detection_fields[detection_context_user_is_admin]
    detection_context.user_is_admin
    security_result.about.user.attribute.label[detection_context_user_is_admin]
    security_result.detection_fields[detection_context_user_sid]
    detection_context.user_sid
    security_result.about.user.attribute.label[detection_context_user_sid]
    principal.asset.attribute.labels[pod_id]
    device.pod_id
    principal.resource.product_object_id
    principal.asset.attribute.labels[pod_labels]
    device.pod_labels
    principal.resource.attribute.labels[pod_labels]
    principal.asset.attribute.labels[pod_name]
    device.pod_name
    principal.resource.name
    principal.asset.attribute.labels[pod_namespace]
    device.pod_namespace
    principal.resource.attribute.labels[pod_namespace]
    principal.asset.attribute.labels[pod_service_account_name]
    device.pod_service_account_name
    principal.resource.attribute.labels[pod_service_account_name]

    Supported CrowdStrike log formats

    The CrowdStrike parser supports logs in JSON format.

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: