Collect CrowdStrike Falcon logs in CEF

Supported in:

This document explains how to collect CrowdStrike Falcon logs in CEF format using Bindplane. The parser extracts key-value pairs and maps them to the Unified Data Model (UDM), handling different delimiters and enriching the data with additional context like severity and event types. It also performs specific transformations for certain event types and fields, such as user logins and security results.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to the CrowdStrike Falcon console.
  • Obtain API credentials for Falcon Stream (Client ID and Client Secret).

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

      msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet


Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

      sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh


Additional installation resources

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

      receivers:
        tcplog:
          # Replace the port and IP address as required
          listen_address: "0.0.0.0:54525"

      exporters:
        chronicle/chronicle_w_labels:
          compression: gzip
          # Adjust the path to the credentials file you downloaded in Step 1
          creds: '/path/to/ingestion-authentication-file.json'
          # Replace with your actual customer ID from Step 2
          customer_id: <customer_id>
          endpoint: malachiteingestion-pa.googleapis.com
          # Add optional ingestion labels for better organization
          ingestion_labels:
            log_type: SYSLOG
            namespace: cs_falcon
            raw_log_field: body

      service:
        pipelines:
          logs/source0__chronicle_w_labels-0:
            receivers:
              - tcplog
            exporters:
              - chronicle/chronicle_w_labels

  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

      sudo systemctl restart bindplane-agent

  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

      net stop BindPlaneAgent && net start BindPlaneAgent


Configure and get a CrowdStrike API Key

  1. Sign in to CrowdStrike Falcon with a privileged account.
  2. Go to Menu > Support.
  3. Click API Clients > Keys.
  4. Click Add new API client.
  5. In the API Scopes section, select Event streams and Alerts, and enable the Read option.
  6. Click Add.
  7. Copy and save the Client ID, Secret, and Base URL.

Install the Falcon SIEM Connector

  1. Download the RPM installer package for your operating system.
  2. Package installation:

    • CentOS operating system:

        sudo rpm -Uvh <installer package>

    • Ubuntu operating system:

        sudo dpkg -i <installer package>

  3. Default installation directories:

    • Falcon SIEM Connector - /opt/crowdstrike/.
    • Service - /etc/init.d/cs.falconhoseclientd/.

Configure the SIEM Connector to forward CEF logs to Bindplane

  1. Sign in to the machine where the SIEM Connector is installed as a sudo user.
  2. Go to the /opt/crowdstrike/etc/ directory.
  3. Rename cs.falconhoseclient.cef.cfg to cs.falconhoseclient.cfg.
    • SIEM Connector uses cs.falconhoseclient.cfg configuration by default.
  4. Edit the cs.falconhoseclient.cfg file and modify/set the following parameters:
    • api_url: your CrowdStrike Falcon Base URL copied in the previous step.
    • app_id: any string used as an identifier when connecting to the Falcon Streaming API (for example, app_id: SECOPS-CEF).
    • client_id: the Client ID copied in the previous step.
    • client_secret: the Client Secret copied in the previous step.
    • send_to_syslog_server: true - enables pushing events to the Syslog server.
    • host: the IP address or hostname of the Bindplane agent.
    • port: the port of the Bindplane agent's tcplog listener.
  5. Save the cs.falconhoseclient.cfg file.
  6. Start the SIEM Connector service:

    • CentOS operating system

        sudo service cs.falconhoseclientd start

    • Ubuntu 16.04 or later operating system

        sudo systemctl start cs.falconhoseclientd.service

  7. Optional: Stop the SIEM Connector service:

    • CentOS operating system

        sudo service cs.falconhoseclientd stop

    • Ubuntu 16.04 or later operating system

        sudo systemctl stop cs.falconhoseclientd.service

  8. Optional: Restart the SIEM Connector service:

    • CentOS operating system

        sudo service cs.falconhoseclientd restart

    • Ubuntu 16.04 or later operating system

        sudo systemctl restart cs.falconhoseclientd.service


UDM Mapping Table

Columns: Log Field, UDM Mapping, Logic. Each entry below gives the log field (or several fields that share one mapping) on one line, followed by the UDM mapping and the mapping logic on the next line.
AccountCreationTimeStamp
event.idm.read_only_udm.metadata.event_timestamp The raw log field AccountCreationTimeStamp is renamed to event.idm.read_only_udm.metadata.event_timestamp .
AccountDomain
event.idm.read_only_udm.principal.administrative_domain The raw log field AccountDomain is renamed to event.idm.read_only_udm.principal.administrative_domain .
AccountObjectGuid
event.idm.read_only_udm.metadata.product_log_id The raw log field AccountObjectGuid is renamed to event.idm.read_only_udm.metadata.product_log_id .
AccountObjectSid
event.idm.read_only_udm.principal.user.windows_sid The raw log field AccountObjectSid is renamed to event.idm.read_only_udm.principal.user.windows_sid .
AccessType
- Not mapped to the IDM object.
action_taken
event.idm.read_only_udm.additional.fields[0].value.string_value Part of AuditKeyValues array.
ActiveCpuCount
- Not mapped to the IDM object.
ActiveDirectoryAuthenticationMethod
- Not mapped to the IDM object.
ActiveDirectoryDataProtocol
- Not mapped to the IDM object.
AddressFamily
- Not mapped to the IDM object.
AdminStatus
- Not mapped to the IDM object.
AllocateVirtualMemoryCount
security_result.detection_fields[0].value Part of EndOfProcess event.
agent-windows
event.idm.read_only_udm.target.file.full_path Part of TargetFileName.
AgentIdString
event.idm.read_only_udm.principal.asset_id Prefixed with CS: .
AgentLoadFlags
- Not mapped to the IDM object.
AgentLocalTime
- Not mapped to the IDM object.
AgentOnline AgentTimeOffset
- Not mapped to the IDM object.
AgentVersion AggregationActivityCount AggregationEarliestTimestamp
- Not mapped to the IDM object.
aid
event.idm.read_only_udm.principal.asset_id Prefixed with CS: .
aip
event.idm.read_only_udm.principal.nat_ip When _aid_is_target is false, if aip is not null, create an ip entity with the value of aip and add it to event.idm.read_only_udm.principal.nat_ip .
aipCount AllocVmEtw AllocationType
- Not mapped to the IDM object.
AllowHardTerminate
- Not mapped to the IDM object.
AllowStartOnDemand
- Not mapped to the IDM object.
ApcArgument1
- Not mapped to the IDM object.
ApcArgument2
- Not mapped to the IDM object.
ApcContextAddress
- Not mapped to the IDM object.
ApcContextFileName
- Not mapped to the IDM object.
ApcContext
- Not mapped to the IDM object.
ApplicationName ApplicationUniqueIdentifier
- Not mapped to the IDM object.
ApplicationVersion
- Not mapped to the IDM object.
AppIs64Bit
- Not mapped to the IDM object.
AppName AppPath AppPathFlag
- Not mapped to the IDM object.
AppProductId
- Not mapped to the IDM object.
AppType
- Not mapped to the IDM object.
AppUpdateIds
- Not mapped to the IDM object.
AppVendor
- Not mapped to the IDM object.
AppVersion ArchiveFileWrittenCount
security_result.detection_fields[0].value Part of EndOfProcess event.
AsepClass
- Not mapped to the IDM object.
AsepFileChange AsepFlags
- Not mapped to the IDM object.
AsepIndex
- Not mapped to the IDM object.
AsepKeyUpdate AsepValueUpdate AsepValueType
- Not mapped to the IDM object.
AsepWrittenCount
security_result.detection_fields[0].value Part of EndOfProcess event.
AssociateIndicator AssociateTreeIdWithRoot AssemblyFlags
- Not mapped to the IDM object.
AssemblyId
- Not mapped to the IDM object.
AssemblyName AuthenticationId
event.idm.read_only_udm.principal.user.product_object_id Prefixed with CS: .
AuthenticationPackage AuthenticationUuid
- Not mapped to the IDM object.
AuthenticationUuidAsString
- Not mapped to the IDM object.
AuthenticodeHashData AuthenticodeMatch automated_remediation
assessments.automated_remediation Part of ZeroTrustHostAssessment event.
BaseReachableTime
- Not mapped to the IDM object.
BaseTime
- Not mapped to the IDM object.
BatchDataNumber
- Not mapped to the IDM object.
BatchDataTotal
- Not mapped to the IDM object.
BatchTimestamp BatteryLevel
- Not mapped to the IDM object.
BatteryStatus
- Not mapped to the IDM object.
BehaviorWhitelisted benchmarks BenignCount
- Not mapped to the IDM object.
beta_build_disabled
assessments.beta_build_disabled Part of ZeroTrustHostAssessment event.
BinaryExecutableWrittenCount
security_result.detection_fields[0].value Part of EndOfProcess event.
BillingInfo BillingType
- Not mapped to the IDM object.
BiosManufacturer BiosReleaseDate
- Not mapped to the IDM object.
BiosVersion BITSJobCreated BootArgs
- Not mapped to the IDM object.
BootId
- Not mapped to the IDM object.
BootStatusDataAabEnabled
- Not mapped to the IDM object.
BootStatusDataBootAttemptCount
- Not mapped to the IDM object.
BootStatusDataBootGood
- Not mapped to the IDM object.
BootStatusDataBootShutdown
- Not mapped to the IDM object.
BootTimeFunctionalityLevel
- Not mapped to the IDM object.
BrowserInjectedThread BundleID
- Not mapped to the IDM object.
CallStackModuleNames CallStackModuleNamesVersion ChannelId
- Not mapped to the IDM object.
ChannelVersion
- Not mapped to the IDM object.
ChannelVersionRequired ChasisManufacturer
- Not mapped to the IDM object.
ChassisType cid City CLICreationCount
security_result.detection_fields[0].value Part of EndOfProcess event.
ClassifiedModuleLoad CloudAssociateTreeIdWithRoot CloudErrorCode
- Not mapped to the IDM object.
CNAMERecords CodeIntegrity
- Not mapped to the IDM object.
CommandLine CommandSequence
- Not mapped to the IDM object.
CompletionEventId
- Not mapped to the IDM object.
ComputerName
event.idm.read_only_udm.principal.hostname , event.idm.read_only_udm.principal.asset.hostname If ComputerName is not null, an empty string or a dash, create a hostname entity with the value of ComputerName and add it to event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname .
ConfigBuild ConfigIDBase
- Not mapped to the IDM object.
ConfigIDBuild
- Not mapped to the IDM object.
ConfigIDPlatform
- Not mapped to the IDM object.
ConfigurationVersion
- Not mapped to the IDM object.
ConfigStateData
- Not mapped to the IDM object.
ConfigStateHash ConfigStateUpdate ConnectTime
- Not mapped to the IDM object.
ConnectType
- Not mapped to the IDM object.
Connected
- Not mapped to the IDM object.
ConnectionCipher
- Not mapped to the IDM object.
ConnectionCipherStrength
- Not mapped to the IDM object.
ConnectionDirection
- Not mapped to the IDM object.
ConnectionExchange
- Not mapped to the IDM object.
ConnectionExchangeStrength
- Not mapped to the IDM object.
ConnectionFlags
- Not mapped to the IDM object.
ConnectionHash
- Not mapped to the IDM object.
ConnectionHashStrength
- Not mapped to the IDM object.
ConnectionProtocol
- Not mapped to the IDM object.
ConnectionType
- Not mapped to the IDM object.
Continent ContentSHA256HashData ContextData
- Not mapped to the IDM object.
ContextProcessId
event.idm.read_only_udm.principal.process.product_specific_process_id , event.idm.read_only_udm.target.process.product_specific_process_id Prefixed with CS:%{cid}:%{aid}: .
ContextThreadId
- Not mapped to the IDM object.
ContextTimeStamp ContextTimeStamp_decimal Country CrashDumpFilePath
- Not mapped to the IDM object.
CrashNotification CreateProcessArgs CreateProcessCount
security_result.detection_fields[0].value Part of EndOfProcess event.
CreateService CreateThreadNoStartImage CreationTimeStamp
- Not mapped to the IDM object.
CriticalFileAccessed CriticalFileModified CsaProcessDataCollectionInstanceId
- Not mapped to the IDM object.
CurrentFunctionalityLevel
- Not mapped to the IDM object.
CurrentLocalIP
- Not mapped to the IDM object.
CurrentSystemTags CustomerIdString CycleTime
- Not mapped to the IDM object.
DadState
- Not mapped to the IDM object.
DadTransmits
- Not mapped to the IDM object.
DcName
event.idm.read_only_udm.principal.user.userid The raw log field DcName is renamed to event.idm.read_only_udm.principal.user.userid .
DcNumAttachments
- Not mapped to the IDM object.
DcNumBlockingPolicies
- Not mapped to the IDM object.
DcOnline DcPropertyIdInterfaceType
- Not mapped to the IDM object.
DcPropertyIdInterfaceVersion
- Not mapped to the IDM object.
DcSensorInterfaceType
- Not mapped to the IDM object.
DcSensorInterfaceVersion
- Not mapped to the IDM object.
DcStatus DcUsbConfigurationDescriptor DcUsbDeviceConnected DcUsbDeviceDisconnected DcUsbEndpointDescriptor DcUsbHIDDescriptor DcUsbInterfaceDescriptor DCSyncAttempted Debug
- Not mapped to the IDM object.
DefaultGatewayIP4
- Not mapped to the IDM object.
DefaultGatewayIP6
- Not mapped to the IDM object.
DefaultGatewayPhysicalAddress
- Not mapped to the IDM object.
DeepHashBlacklistClassification DeepHashBlacklistVersion
- Not mapped to the IDM object.
DeliverLocalFXToCloud DesiredAccess detectionId detectionName DetectDescription DetectId
- Not mapped to the IDM object.
DetectName DeviceActiveConfigurationNumber
- Not mapped to the IDM object.
DeviceConnectionStatus
- Not mapped to the IDM object.
DeviceDescriptorNumber
- Not mapped to the IDM object.
DeviceDescriptorSetHash
- Not mapped to the IDM object.
DeviceDescriptorUniqueIdentifier
- Not mapped to the IDM object.
DeviceId
- Not mapped to the IDM object.
DeviceInstanceId
event.idm.read_only_udm.target.asset_id Prefixed with Device Instance Id: .
DeviceManufacturer DeviceProduct DeviceProductId
- Not mapped to the IDM object.
DevicePropertyClassName
- Not mapped to the IDM object.
DevicePropertyClassGuid
- Not mapped to the IDM object.
DevicePropertyDeviceDescription DevicePropertyFriendlyName
- Not mapped to the IDM object.
DevicePropertyLocationInformation DevicePropertyManufacturer
- Not mapped to the IDM object.
DeviceProtocol
- Not mapped to the IDM object.
DeviceSerialNumber DeviceTimeStamp DeviceType
- Not mapped to the IDM object.
DeviceUsbClass
- Not mapped to the IDM object.
DeviceUsbSubclass
- Not mapped to the IDM object.
DeviceUsbVersion
- Not mapped to the IDM object.
DeviceVendorId
- Not mapped to the IDM object.
DeviceVersion
- Not mapped to the IDM object.
DirectoryCreate DirectoryCreatedCount
security_result.detection_fields[0].value Part of EndOfProcess event.
DirectoryEnumeratedCount
security_result.detection_fields[0].value Part of EndOfProcess event.
DisableRealtimeMonitoring DisallowStartIfOnBatteries
- Not mapped to the IDM object.
DisallowStartOnRemoteAppSession
- Not mapped to the IDM object.
DiskParentDeviceInstanceId DllCharacteristics
- Not mapped to the IDM object.
DllInjection DlpPolicy
- Not mapped to the IDM object.
DlpVerdict
- Not mapped to the IDM object.
DmpFileWritten DnsRequest DnsRequestCount
security_result.detection_fields[0].value Part of EndOfProcess event.
DnsResponseType
- Not mapped to the IDM object.
DnsResponseTtl
- Not mapped to the IDM object.
DocumentFileWrittenCount
security_result.detection_fields[0].value Part of EndOfProcess event.
DomainName
event.idm.read_only_udm.target.hostname , event.idm.read_only_udm.target.asset.hostname , event.idm.read_only_udm.network.dns.questions[0].name If DomainName is not null, create a hostname entity with the value of DomainName and add it to event.idm.read_only_udm.target.hostname , event.idm.read_only_udm.target.asset.hostname and event.idm.read_only_udm.network.dns.questions[0].name .
DotnetModuleFlags
- Not mapped to the IDM object.
DotnetModuleId
- Not mapped to the IDM object.
DotnetModuleLoadDetectInfo DownloadPath
- Not mapped to the IDM object.
DownloadPort
- Not mapped to the IDM object.
DownloadServer DriverLoad DualRequest
- Not mapped to the IDM object.
EffectiveTransmissionClass Effective
- Not mapped to the IDM object.
EfiSupported
- Not mapped to the IDM object.
EfiVariableCustomMode
- Not mapped to the IDM object.
EfiVariableCustomModeAttributes
- Not mapped to the IDM object.
EfiVariableDbAttributes
- Not mapped to the IDM object.
EfiVariableDbxAttributes
- Not mapped to the IDM object.
EfiVariableDbxSha256Hash
- Not mapped to the IDM object.
EfiVariableKekAttributes
- Not mapped to the IDM object.
EfiVariableKekSha256Hash
- Not mapped to the IDM object.
EfiVariablePkAttributes
- Not mapped to the IDM object.
EfiVariablePkSha256Hash
- Not mapped to the IDM object.
EfiVariableSecureBoot
- Not mapped to the IDM object.
EfiVariableSecureBootAttributes
- Not mapped to the IDM object.
EfiVariableSetupMode
- Not mapped to the IDM object.
EfiVariableSetupModeAttributes
- Not mapped to the IDM object.
EfiVariableSignatureSupport
- Not mapped to the IDM object.
EfiVariableSignatureSupportAttributes
- Not mapped to the IDM object.
EndpointDescriptorAddress
- Not mapped to the IDM object.
EndpointDescriptorAttributes
- Not mapped to the IDM object.
EndpointDescriptorInterval
- Not mapped to the IDM object.
EndpointDescriptorMaxPacketSize
- Not mapped to the IDM object.
EndOfProcess Entitlements ErrorEvent ErrorCode
- Not mapped to the IDM object.
ErrorLocation
- Not mapped to the IDM object.
ErrorReason
- Not mapped to the IDM object.
ErrorSource
- Not mapped to the IDM object.
ErrorStatus
- Not mapped to the IDM object.
ErrorText
- Not mapped to the IDM object.
EventLogCleared EventMax
- Not mapped to the IDM object.
EventMin
- Not mapped to the IDM object.
EventOrigin
- Not mapped to the IDM object.
EventType
event.idm.read_only_udm.metadata.product_event_type If event_simpleName is null and EventType is not null, create a product_event_type entity with the value of EventType and add it to event.idm.read_only_udm.metadata.product_event_type .
EtwErrorEvent EtwRawProcessId
- Not mapped to the IDM object.
EtwRawThreadId
- Not mapped to the IDM object.
ExecutableDeleted ExecutableDeletedCount
security_result.detection_fields[0].value Part of EndOfProcess event.
ExeAndServiceCount
security_result.detection_fields[0].value Part of EndOfProcess event.
ExitCode
- Not mapped to the IDM object.
Exploit ExternalApiType
event.idm.read_only_udm.metadata.product_event_type , event.idm.read_only_udm.extensions.auth.auth_details If message contains event1 , ExternalApiType is renamed to event.idm.read_only_udm.metadata.product_event_type . Otherwise, it is renamed to event.idm.read_only_udm.extensions.auth.auth_details .
Facility
- Not mapped to the IDM object.
FailedConnectCount
- Not mapped to the IDM object.
FalconHostLink FalconServiceComponent
- Not mapped to the IDM object.
FalconServiceServletErrors
- Not mapped to the IDM object.
FalconServiceServletStarts
- Not mapped to the IDM object.
FalconServiceState
- Not mapped to the IDM object.
FalconServiceStatus FeatureExtractionVersion
- Not mapped to the IDM object.
FeatureVector
- Not mapped to the IDM object.
File
- Not mapped to the IDM object.
FileAttributes
- Not mapped to the IDM object.
FileCreateInfo FileDeletedCount
security_result.detection_fields[0].value Part of EndOfProcess event.
FileDeleteInfo FileEcpBitmask
- Not mapped to the IDM object.
FileEventType
- Not mapped to the IDM object.
FileIdentifier FileObject
- Not mapped to the IDM object.
FileName FileOpenInfo FileRenameInfo FileSigningTime
- Not mapped to the IDM object.
FirewallAction
- Not mapped to the IDM object.
FirewallChangeOption FirewallDeleteRule FirewallDeleteRuleIP4 FirewallDeleteRuleIP6 FirewallEnabled FirewallOption FirewallOptionNumericValue
- Not mapped to the IDM object.
FirewallProfile
- Not mapped to the IDM object.
FirewallRule FirewallRuleId FirewallSetRule FirewallSetRuleIP4 FirewallSetRuleIP6 FirmwareAnalysisErrorEvent FirmwareAnalysisErrorLocation
- Not mapped to the IDM object.
FirmwareAnalysisErrorReason
- Not mapped to the IDM object.
FirmwareAnalysisErrorSource
- Not mapped to the IDM object.
FirmwareAnalysisHardwareData FirmwareAnalysisStatus FirmwareAnalysisCpuSupported
- Not mapped to the IDM object.
FirmwareAnalysisEclControlInterfaceVersion
- Not mapped to the IDM object.
FirmwareAnalysisEclConsumerInterfaceVersion
- Not mapped to the IDM object.
FirmwareImageAnalyzed FirmwareRegionMeasured FirmwareSize
- Not mapped to the IDM object.
FirmwareType
- Not mapped to the IDM object.
FirstDiscoveredDate
- Not mapped to the IDM object.
FirstIP4Record Flags
- Not mapped to the IDM object.
FltCallbackData
- Not mapped to the IDM object.
FltCompletionContext
- Not mapped to the IDM object.
FltRelatedObjects
- Not mapped to the IDM object.
FontBuffer
- Not mapped to the IDM object.
FontBufferLength
- Not mapped to the IDM object.
FontFileCount
- Not mapped to the IDM object.
FontFileName FontLoadOperation
- Not mapped to the IDM object.
FsOperationBlocked
event1.PatternDispositionFlags.FsOperationBlocked Part of Event_DetectionSummaryEvent .
FsPostOpenSnapshotFile FsVolumeMounted FsVolumeUnmounted FullContext
- Not mapped to the IDM object.
FullExceptionRecord
- Not mapped to the IDM object.
GcpCreationTimestamp GenericFileWrittenCount
security_result.detection_fields[0].value Part of EndOfProcess event.
GID
- Not mapped to the IDM object.
GrandparentCommandLine GrandparentImageFileName GrandParentBaseFileName GroupIdentity GroupRid GzipFileWritten HandleCreated
- Not mapped to the IDM object.
HIDDescriptorCountryCode
- Not mapped to the IDM object.
HIDDescriptorNumDescriptors
- Not mapped to the IDM object.
HIDDescriptorVersion
- Not mapped to the IDM object.
HIPHandlers.dll
event.idm.read_only_udm.target.file.full_path Part of TargetFileName.
HostGroups
- Not mapped to the IDM object.
HostHiddenStatus HostInfo HostnameChanged hostname HostProcessType
- Not mapped to the IDM object.
HostUrl HttpRequestDetect HttpRequestHeader HttpUrl IcmpCode
- Not mapped to the IDM object.
IcmpType
- Not mapped to the IDM object.
id IdleSettings
- Not mapped to the IDM object.
ImageFileName ImageSubsystem
- Not mapped to the IDM object.
Image
- Not mapped to the IDM object.
ImpersonatedUserName InBroadcastOctets
- Not mapped to the IDM object.
InContext
- Not mapped to the IDM object.
InDiscards
- Not mapped to the IDM object.
Indicator
event1.PatternDispositionFlags.Indicator Part of Event_DetectionSummaryEvent .
InddetMask
event1.PatternDispositionFlags.InddetMask Part of Event_DetectionSummaryEvent .
InErrors
- Not mapped to the IDM object.
Information
- Not mapped to the IDM object.
InjectedDll InjectedThread InjectedThreadCount
security_result.detection_fields[0].value Part of EndOfProcess event.
InjectedThreadFlag
- Not mapped to the IDM object.
InMulticastOctets
- Not mapped to the IDM object.
InNUcastPkts
- Not mapped to the IDM object.
InOctets
- Not mapped to the IDM object.
InstallDate
- Not mapped to the IDM object.
InstalledApplication InstalledUpdateExtendedStatus
- Not mapped to the IDM object.
InstalledUpdateIds
- Not mapped to the IDM object.
InstalledUpdates InstanceMetadata InstanceMetadataProvider
- Not mapped to the IDM object.
InstanceMetadataRequest
- Not mapped to the IDM object.
InstanceMetadataSignature
- Not mapped to the IDM object.
InUcastOctets
- Not mapped to the IDM object.
InUcastPkts
- Not mapped to the IDM object.
InUnknownProtos
- Not mapped to the IDM object.
IntegrityLevel
- Not mapped to the IDM object.
InterfaceAlias
- Not mapped to the IDM object.
InterfaceDescription
- Not mapped to the IDM object.
InterfaceFlags
- Not mapped to the IDM object.
InterfaceGuid
- Not mapped to the IDM object.
InterfaceIdentifier
- Not mapped to the IDM object.
InterfaceIndex
- Not mapped to the IDM object.
InterfaceMtu
- Not mapped to the IDM object.
InterfaceType
- Not mapped to the IDM object.
InterfaceVersion
- Not mapped to the IDM object.
InjectedDllCount
security_result.detection_fields[0].value Part of EndOfProcess event.
InjectedThreadFlag
- Not mapped to the IDM object.
InkDiv.dll
event.idm.read_only_udm.target.file.full_path Part of ExecutablesWritten .
InkObj.dll
event.idm.read_only_udm.target.file.full_path Part of ExecutablesWritten .
InMulticastPkts
- Not mapped to the IDM object.
InOctets
- Not mapped to the IDM object.
InUcastPkts
- Not mapped to the IDM object.
IOARuleGroupName IOARuleInstanceID
- Not mapped to the IDM object.
IOARuleInstanceVersion
- Not mapped to the IDM object.
IOARuleName IOServiceClass
- Not mapped to the IDM object.
IOServiceName
- Not mapped to the IDM object.
IOServicePath
- Not mapped to the IDM object.
IOServiceProperties
- Not mapped to the IDM object.
IOServiceRegister IoSessionConnected IoSessionLoggedOn IpEntryFlags
- Not mapped to the IDM object.
IrpFlags
- Not mapped to the IDM object.
IsCpuDataCommonOnAllCores
- Not mapped to the IDM object.
IsNorthBridgeSupported
- Not mapped to the IDM object.
IsOnClearCaseMvfs
- Not mapped to the IDM object.
IsOnNetwork IsOnRemovableDisk IsOn
- Not mapped to the IDM object.
IsRemote
- Not mapped to the IDM object.
IsSouthBridgeSupported
- Not mapped to the IDM object.
IsTransactedFile
- Not mapped to the IDM object.
IsUnique
- Not mapped to the IDM object.
JavaInjectedThread JarFileWritten KernelModeLoadImage KernelTime
- Not mapped to the IDM object.
KextUnload K8SCreationTimestamp K8SDetectionEvent LanguageId
- Not mapped to the IDM object.
LastAdded
- Not mapped to the IDM object.
LastDiscoveredBy
- Not mapped to the IDM object.
LastDisplayed
- Not mapped to the IDM object.
LastLoggedOnHost
- Not mapped to the IDM object.
LastUpdateInstalledTime
- Not mapped to the IDM object.
LateralMovement
- Not mapped to the IDM object.
LdapSearchAttributes
- Not mapped to the IDM object.
LdapSearchBaseObjectSample
- Not mapped to the IDM object.
LdapSearchFilterSample
- Not mapped to the IDM object.
LdapSearchFilterShape
- Not mapped to the IDM object.
LdapSearchQueryClassification
- Not mapped to the IDM object.
LdapSearchQueryToken
- Not mapped to the IDM object.
LdapSearchScope
- Not mapped to the IDM object.
LdapSearchSizeLimit
- Not mapped to the IDM object.
LdapSecurityType
- Not mapped to the IDM object.
LightningLatencyInfo LightningLatencyState
- Not mapped to the IDM object.
Line
- Not mapped to the IDM object.
LinkLocalAddressBehavior
- Not mapped to the IDM object.
LinkLocalAddressTimeout
- Not mapped to the IDM object.
LinkName LocalAccount
- Not mapped to the IDM object.
LocalAddressIP4 LocalAddressIP6 LocalAddressMaskIP4
- Not mapped to the IDM object.
LocalAddressMaskIP6
- Not mapped to the IDM object.
LocalAdminAccess
- Not mapped to the IDM object.
LocalIpAddressIP4 LocalIpAddressIP6 LocalIpAddressRemovedIP4 LocalIpAddressRemovedIP6 LocalPort LocalSession
- Not mapped to the IDM object.
localipCount LockScreenEnabled
- Not mapped to the IDM object.
LockScreenStatus LogoffTime LogonDomain LogonId
- Not mapped to the IDM object.
LogonInfo
security_result.summary Sets event_type to USER_LOGIN .
LogonServer LogonTime LogonType
event.idm.read_only_udm.extensions.auth.mechanism Mapped to a UDM enum value based on the LogonType value.
LogoffTime LsassHandleFromUnsignedModule MAC
event.idm.read_only_udm.principal.mac Converted to lowercase and colons are replaced with hyphens.
MACAddress
event.idm.read_only_udm.principal.mac Hyphens are replaced with colons.
MACPrefix
- Not mapped to the IDM object.
MachOFileWritten MachOSubType
- Not mapped to the IDM object.
MachineDn MachineDomain MajorFunction
- Not mapped to the IDM object.
MajorVersion
- Not mapped to the IDM object.
Malicious
- Not mapped to the IDM object.
ManagedPdbBuildPath MappedFromUserMode
- Not mapped to the IDM object.
MaxReassemblySize
- Not mapped to the IDM object.
MaxRouterAdvertisementInterval
- Not mapped to the IDM object.
MaxThreadCount
- Not mapped to the IDM object.
MD5HashData
event.idm.read_only_udm.target.file.md5 , event.idm.read_only_udm.target.process.file.md5 If MD5HashData is a valid MD5 hash and not all zeros, create an MD5 hash entity with the value of MD5HashData and add it to event.idm.read_only_udm.target.file.md5 and event.idm.read_only_udm.target.process.file.md5 .
MD5String MediaConnectState
- Not mapped to the IDM object.
MediaType
- Not mapped to the IDM object.
MemoryAvailable
- Not mapped to the IDM object.
MemoryRegionProtection
- Not mapped to the IDM object.
MemoryRegionStart
- Not mapped to the IDM object.
MemoryTotal
- Not mapped to the IDM object.
MmioDataSmiEn
- Not mapped to the IDM object.
MmioDataTco1Cnt
- Not mapped to the IDM object.
MLModelVersion
- Not mapped to the IDM object.
MobileDetection MobileDetectionId
- Not mapped to the IDM object.
MobileOsIntegrityIntact
- Not mapped to the IDM object.
MobileOsIntegrityStatus MobilePowerStats MoboManufacturer
- Not mapped to the IDM object.
MoboProductName
- Not mapped to the IDM object.
ModelPrediction
- Not mapped to the IDM object.
ModuleBaseAddress
- Not mapped to the IDM object.
ModuleCharacteristics
- Not mapped to the IDM object.
ModuleDetectInfo ModuleLoadCount
- Not mapped to the IDM object.
ModuleLoadMechanism
- Not mapped to the IDM object.
ModuleLoadTelemetryClassification
- Not mapped to the IDM object.
ModuleNativePath
- Not mapped to the IDM object.
ModuleSize
- Not mapped to the IDM object.
ModifyServiceBinary MostRecentActivityTimeStamp
- Not mapped to the IDM object.
MotwWritten mskssrv.sys
event.idm.read_only_udm.principal.process.file.full_path Part of OriginalFilename.
MultipleInstancesPolicy
- Not mapped to the IDM object.
name namespace NativePdbBuildPath
- Not mapped to the IDM object.
NegateInterface
- Not mapped to the IDM object.
NegateLocalAddress
- Not mapped to the IDM object.
NegateRemoteAddress
- Not mapped to the IDM object.
NeighborList
- Not mapped to the IDM object.
NeighborListIP4 NeighborListIP6 NeighborName NetLuidIndex
- Not mapped to the IDM object.
NetShareAdd NetShareDelete NetShareSecurityModify NetworkBindCount
security_result.detection_fields[0].value Part of EndOfProcess event.
NetworkCapableAsepWriteCount
security_result.detection_fields[0].value Part of EndOfProcess event.
NetworkCloseCount
security_result.detection_fields[0].value Part of EndOfProcess event.
NetworkCloseIP4 NetworkCloseIP6 NetworkConnectCount
security_result.detection_fields[0].value Part of EndOfProcess event.
NetworkConnectCountUdp
security_result.detection_fields[0].value Part of EndOfProcess event.
NetworkConnectIP4 NetworkConnectIP6 NetworkContainmentState NetworkInterfaceGuid
- Not mapped to the IDM object.
NetworkListenCount
security_result.detection_fields[0].value Part of EndOfProcess event.
NetworkListenIP4 NetworkListenIP6 NetworkModuleLoadCount
security_result.detection_fields[0].value Part of EndOfProcess event.
NetworkRecvAcceptCount
security_result.detection_fields[0].value Part of EndOfProcess event.
NetworkReceiveAcceptIP4 NetworkReceiveAcceptIP6 NewExecutableRenamed NewExecutableWritten NewExecutableWrittenCount
security_result.detection_fields[0].value Part of EndOfProcess event.
NewFileIdentifier
- Not mapped to the IDM object.
NewScriptWritten NlMtu
- Not mapped to the IDM object.
NorthBridgeDeviceId
- Not mapped to the IDM object.
NorthBridgeVendorId
- Not mapped to the IDM object.
NumberOfMeasurements
- Not mapped to the IDM object.
OciContainerId
- Not mapped to the IDM object.
OciContainerTelemetry OciContainersStartedCount
- Not mapped to the IDM object.
OciContainersStoppedCount
- Not mapped to the IDM object.
OleFileWritten OnLinkPrefixLength
- Not mapped to the IDM object.
OoxmlFileWritten OperStatus
- Not mapped to the IDM object.
OperationFlags
- Not mapped to the IDM object.
OperationName OriginalContentLength
- Not mapped to the IDM object.
OriginalEventTimeStamp
- Not mapped to the IDM object.
OriginalFilename OriginalParentAuthenticationId
- Not mapped to the IDM object.
OriginalUserName OriginalUserSid OsfmDownloadComplete OsVersionInfo OU OutBroadcastOctets
- Not mapped to the IDM object.
OutDiscards
- Not mapped to the IDM object.
OutErrors
- Not mapped to the IDM object.
OutMulticastOctets
- Not mapped to the IDM object.
OutNUcastPkts
- Not mapped to the IDM object.
OutOctets
- Not mapped to the IDM object.
OutUcastOctets
- Not mapped to the IDM object.
OutUcastPkts
- Not mapped to the IDM object.
PackedExecutableWritten Parameter64_1
- Not mapped to the IDM object.
Parameter64_2
- Not mapped to the IDM object.
Parameter64_3
- Not mapped to the IDM object.
ParameterSizedBuffer_1
- Not mapped to the IDM object.
Parameter1
- Not mapped to the IDM object.
Parameter2
- Not mapped to the IDM object.
Parameter3
- Not mapped to the IDM object.
ParentAuthenticationId
- Not mapped to the IDM object.
ParentBaseFileName ParentCommandLine
event1.ParentCommandLine Part of Event_DetectionSummaryEvent .
ParentHubInstanceId
- Not mapped to the IDM object.
ParentHubPort
- Not mapped to the IDM object.
ParentImageFileName
event.idm.read_only_udm.principal.process.file.full_path , event1.ParentImageFileName Part of Event_DetectionSummaryEvent .
ParentProcessId
event.idm.read_only_udm.principal.process.product_specific_process_id , event1.ParentProcessId Prefixed with CS:%{cid}:%{aid}: . Part of Event_DetectionSummaryEvent .
PasswordLastSet
- Not mapped to the IDM object.
PathMtuDiscoveryTimeout
- Not mapped to the IDM object.
PatternDispositionFlags
- Not mapped to the IDM object.
PatternDispositionValue `PatternDisposition
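As an added illustration (not code from this page or from Google SecOps), the following Python parser splits a CEF record of the shape the SIEM Connector forwards (pipe-delimited header, space-delimited key=value extension with CEF backslash escapes) and applies several of the rules from the mapping table above: the CS: prefix on aid, the null/empty/dash filter on ComputerName, MAC normalization, MD5HashData validation, the CS:%{cid}:%{aid}: process-ID prefix, and the EventType fallback when event_simpleName is absent. The sample line, its cid/aid values and the CommandLine key are constructed for this example.

```python
import re
from typing import Dict, Tuple

# Constructed sample line (not captured output): shaped like a Falcon SIEM
# Connector CEF record, with extension keys taken from the mapping table.
SAMPLE_CEF = (
    "CEF:0|CrowdStrike|FalconHost|1.0|EndOfProcess|End Of Process|3|"
    "cid=abc123 aid=def456 ComputerName=WORKSTATION-01 "
    "MAC=00:0C:29:AB:CD:EF MD5HashData=d41d8cd98f00b204e9800998ecf8427e "
    "ContextProcessId=987654321 CommandLine=C:\\\\Windows\\\\cmd.exe /c dir "
    "EventType=ProcessRollup2"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def _unescape(value: str) -> str:
    # CEF escapes a literal pipe, equals sign or backslash with a backslash.
    return re.sub(r"\\([\\|=])", r"\1", value)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a CEF line into its seven header fields and its extension pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header fields are pipe-delimited; an escaped pipe (\|) does not split.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-delimited fields")
    header = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    # The extension is space-delimited key=value pairs, but values may contain
    # spaces, so a new pair starts only where whitespace is followed by "key=".
    ext: Dict[str, str] = {}
    extension = parts[7].strip()
    if extension:
        for pair in re.split(r"\s+(?=[A-Za-z0-9_.-]+=)", extension):
            key, _, value = pair.partition("=")
            ext[key] = _unescape(value)
    return header, ext


def to_udm(ext: Dict[str, str]) -> Dict[str, dict]:
    """Apply a subset of the table's mapping rules to the parsed extension."""
    udm: Dict[str, dict] = {"metadata": {}, "principal": {}, "target": {}}
    cid, aid = ext.get("cid"), ext.get("aid")
    # aid -> principal.asset_id, prefixed with "CS:"
    if aid:
        udm["principal"]["asset_id"] = "CS:" + aid
    # ComputerName -> principal.hostname and principal.asset.hostname,
    # skipped when it is null, an empty string or a dash
    name = ext.get("ComputerName")
    if name and name != "-":
        udm["principal"]["hostname"] = name
        udm["principal"]["asset"] = {"hostname": name}
    # MAC -> principal.mac: lowercased, colons replaced with hyphens
    if "MAC" in ext:
        udm["principal"]["mac"] = ext["MAC"].lower().replace(":", "-")
    # MD5HashData -> target.file.md5 and target.process.file.md5, only when it
    # is a well-formed MD5 hex string and not all zeros
    md5 = ext.get("MD5HashData", "")
    if re.fullmatch(r"[0-9a-fA-F]{32}", md5) and set(md5) != {"0"}:
        udm["target"]["file"] = {"md5": md5}
        udm["target"].setdefault("process", {})["file"] = {"md5": md5}
    # ContextProcessId -> product_specific_process_id on principal and target,
    # prefixed with CS:%{cid}:%{aid}:
    pid = ext.get("ContextProcessId")
    if pid and cid and aid:
        psid = f"CS:{cid}:{aid}:{pid}"
        udm["principal"].setdefault("process", {})["product_specific_process_id"] = psid
        udm["target"].setdefault("process", {})["product_specific_process_id"] = psid
    # EventType -> metadata.product_event_type only when event_simpleName is absent
    if "event_simpleName" not in ext and "EventType" in ext:
        udm["metadata"]["product_event_type"] = ext["EventType"]
    return udm


def map_line(line: str) -> Dict[str, dict]:
    """Parse one CEF line and return the UDM-shaped dictionary."""
    _, ext = parse_cef(line)
    return to_udm(ext)


if __name__ == "__main__":
    import json
    print(json.dumps(map_line(SAMPLE_CEF), indent=2))
```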
