Collect LimaCharlie EDR logs

Supported in:

Google secops SIEM

This document explains how to ingest the LimaCharlie EDR logs to Google Security Operations using Google Cloud Storage. The parser extracts events from JSON formatted logs, normalizes fields into the UDM, and handles both top-level and nested events. It specifically parses various event types, including DNS requests, process creation, file modifications, network connections, and registry changes, mapping relevant fields to their Unified Data Model (UDM) equivalents and enriching the data with LimaCharlie specific context.

Before you begin

Make sure you have the following prerequisites:

Google SecOps instance
Privileged access to Google Cloud
Privileged access to LimaCharlie

Create a Google Cloud Storage Bucket

Sign in to the Google Cloud console.
Go to the Cloud Storage Bucketspage.

Go to Buckets
Click Create.
On the Create a bucketpage, enter your bucket information. After each of the following steps, click Continueto proceed to the next step:
1. In the Get startedsection, do the following:
  - Enter a unique name that meets the bucket name requirements (for example, cloudrun-logs).
  - To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloadssection, and then select Enable Hierarchical namespace on this bucket.
  Note: You can't enable hierarchical namespace in an existing bucket.
  - To add a bucket label, click the expander arrow to expand the Labelssection.
  - Click Add label, and specify a key and a value for your label.
2. In the Choose where to store your datasection, do the following:
  - Select a Location type.
  - Use the location type's menu to select a Locationwhere object data within your bucket will be permanently stored.
  Note: If you select the dual-regionlocation type, you can also choose to enable turbo replicationby using the relevant checkbox.
  - To set up cross-bucket replication, expand the Set up cross-bucket replicationsection.
3. In the Choose a storage class for your datasection, either select a default storage classfor the bucket, or select Autoclassfor automatic storage class management of your bucket's data.
4. In the Choose how to control access to objectssection, select notto enforce public access prevention, and select an access control modelfor your bucket's objects.
Note: If public access prevention is already enforced by your project's organization policy, the Prevent public accesscheckbox is locked.
1. In the Choose how to protect object datasection, do the following:
  - Select any of the options under Data protectionthat you want to set for your bucket.
  - To choose how your object data will be encrypted, click the Data encryptionexpander arrow, and then select a Data encryption method.
Click Create.

Configure Log Export in LimaCharlie EDR

Sign in to the LimaCharlieportal.
Select Outputsfrom the left menu.
Click Add Output.
Choose output stream: Select Events.
Choose output destination: Select Google Cloud Storage.
Provide the following configuration details:
- Bucket: Path to the Google Cloud Storage bucket.
- Secret Key: Secret json key identifying a service account.
- Sec per File: Number of seconds after which a file is cut and uploaded.
- Compression: Set to False.
- Indexing: Set to False.
- Dir: Directory prefix where to output the files on the remote host.
Click Save output.

Set up feeds

To configure a feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed namefield, enter a name for the feed (for example, Limacharlie EDR Logs).
Select Google Cloud Storage V2as the Source type.
Select LimaCharlieas the Log type.
Click Get Service Accountas the Chronicle Service Account.
Click Next.
Specify values for the following input parameters:
- Storage Bucket URI: Google Cloud Storage bucket URL in gs://my-bucket/<value> format..
- Source deletion options: Select deletion option according to your preference.
Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account. * Maximum File Age: Includes files modified in the last number of days. Default is 180 days. * Asset namespace: The asset namespace . * Ingestion labels: The label applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalizescreen, and then click Submit.

UDM mapping table

Log Field	UDM Mapping	Logic
`cat`	`security_result.summary`	Renamed from `cat` . Applies when `detect` is not empty.
`detect.event.COMMAND_LINE`	`principal.process.command_line`	Renamed from `detect.event.COMMAND_LINE` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.COMMAND_LINE`	`principal.process.command_line`	Renamed from `detect.event.COMMAND_LINE` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.FILE_PATH`	`principal.process.file.full_path`	Renamed from `detect.event.FILE_PATH` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.FILE_PATH`	`principal.process.file.full_path`	Renamed from `detect.event.FILE_PATH` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.HASH`	`principal.process.file.sha256`	Renamed from `detect.event.HASH` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.HASH`	`principal.process.file.sha256`	Renamed from `detect.event.HASH` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.HASH_MD5`	`principal.process.file.md5`	Renamed from `detect.event.HASH_MD5` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.HASH_SHA1`	`principal.process.file.sha1`	Renamed from `detect.event.HASH_SHA1` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.PARENT.COMMAND_LINE`	`principal.process.command_line`	Renamed from `detect.event.PARENT.COMMAND_LINE` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.PARENT.COMMAND_LINE`	`principal.process.parent_process.command_line`	Renamed from `detect.event.PARENT.COMMAND_LINE` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.PARENT.FILE_PATH`	`principal.process.file.full_path`	Renamed from `detect.event.PARENT.FILE_PATH` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.PARENT.FILE_PATH`	`principal.process.parent_process.file.full_path`	Renamed from `detect.event.PARENT.FILE_PATH` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.PARENT.HASH`	`principal.process.file.sha256`	Renamed from `detect.event.PARENT.HASH` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.PARENT.HASH`	`principal.process.parent_process.file.sha256`	Renamed from `detect.event.PARENT.HASH` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.PARENT_PROCESS_ID`	`principal.process.pid`	Renamed from `detect.event.PARENT_PROCESS_ID` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.PARENT_PROCESS_ID`	`principal.process.parent_process.pid`	Renamed from `detect.event.PARENT_PROCESS_ID` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.PROCESS_ID`	`target.process.pid`	Renamed from `detect.event.PROCESS_ID` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.PROCESS_ID`	`principal.process.pid`	Renamed from `detect.event.PROCESS_ID` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect.event.USER_NAME`	`principal.user.userid`	Renamed from `detect.event.USER_NAME` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is not empty.
`detect_mtd.description`	`security_result.description`	Renamed from `detect_mtd.description` . Applies when `detect` is not empty.
`detect_mtd.level`	`security_result.severity`	Copied from `detect_mtd.level` and converted to uppercase. Applies when `detect` is not empty.
`event.COMMAND_LINE`	`principal.process.command_line`	Renamed from `event.COMMAND_LINE` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.COMMAND_LINE`	`principal.process.command_line`	Renamed from `event.COMMAND_LINE` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.DLL`	`target.file.full_path`	Copied from `event.DLL` . Applies when `event_type` is `SERVICE_CHANGE` .
`event.DOMAIN_NAME`	`network.dns.questions.0.name` , `network.dns.answers.0.name`	Renamed to `a.name` , then copied to `q.name` , then merged into `network.dns.questions` and `network.dns.answers` arrays. Applies when `event_type` is `DNS_REQUEST` .
`event.DNS_TYPE`	`network.dns.answers.0.type`	Renamed to `a.type` , then merged into `network.dns.answers` array. Applies when `event_type` is `DNS_REQUEST` .
`event.ERROR`	`security_result.severity_details`	Copied from `event.ERROR` . Applies when `event.ERROR` is not empty.
`event.EXECUTABLE`	`target.process.command_line`	Copied from `event.EXECUTABLE` . Applies when `event_type` is `SERVICE_CHANGE` .
`event.FILE_PATH`	`target.file.full_path`	Renamed from `event.FILE_PATH` . Applies when `event_type` is one of `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , or `FILE_READ` and `detect` is empty.
`event.FILE_PATH`	`principal.process.file.full_path`	Renamed from `event.FILE_PATH` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.FILE_PATH`	`target.process.file.full_path`	Renamed from `event.FILE_PATH` . Applies when `event_type` is one of `NEW_PROCESS` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.HASH`	`target.file.sha256`	Renamed from `event.HASH` . Applies when `event_type` is one of `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , or `FILE_READ` and `detect` is empty.
`event.HASH`	`principal.process.file.sha256`	Renamed from `event.HASH` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.HASH`	`target.process.file.sha256`	Renamed from `event.HASH` . Applies when `event_type` is one of `NEW_PROCESS` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.HASH_MD5`	`principal.process.file.md5`	Renamed from `event.HASH_MD5` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.HASH_SHA1`	`principal.process.file.sha1`	Renamed from `event.HASH_SHA1` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.IP_ADDRESS`	`network.dns.answers.0.data`	Renamed to `a.data` , then merged into `network.dns.answers` array. Applies when `event_type` is `DNS_REQUEST` and `event.IP_ADDRESS` is not empty.
`event.MESSAGE_ID`	`network.dns.id`	Renamed from `event.MESSAGE_ID` . Applies when `event_type` is `DNS_REQUEST` .
`event.NETWORK_ACTIVITY[].DESTINATION.IP_ADDRESS`	`target.ip`	Merged from `event.NETWORK_ACTIVITY[].DESTINATION.IP_ADDRESS` . Applies when `event_type` is `NETWORK_CONNECTIONS` .
`event.NETWORK_ACTIVITY[].SOURCE.IP_ADDRESS`	`principal.ip`	Merged from `event.NETWORK_ACTIVITY[].SOURCE.IP_ADDRESS` . Applies when `event_type` is `NETWORK_CONNECTIONS` .
`event.PARENT.COMMAND_LINE`	`principal.process.command_line`	Renamed from `event.PARENT.COMMAND_LINE` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.PARENT.COMMAND_LINE`	`principal.process.parent_process.command_line`	Renamed from `event.PARENT.COMMAND_LINE` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.PARENT.FILE_PATH`	`principal.process.file.full_path`	Renamed from `event.PARENT.FILE_PATH` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.PARENT.FILE_PATH`	`principal.process.parent_process.file.full_path`	Renamed from `event.PARENT.FILE_PATH` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.PARENT.HASH`	`principal.process.file.sha256`	Renamed from `event.PARENT.HASH` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.PARENT.HASH`	`principal.process.parent_process.file.sha256`	Renamed from `event.PARENT.HASH` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.PARENT_PROCESS_ID`	`principal.process.pid`	Renamed from `event.PARENT_PROCESS_ID` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.PARENT_PROCESS_ID`	`principal.process.parent_process.pid`	Renamed from `event.PARENT_PROCESS_ID` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.PROCESS_ID`	`target.process.pid`	Renamed from `event.PROCESS_ID` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.PROCESS_ID`	`principal.process.pid`	Renamed from `event.PROCESS_ID` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`event.REGISTRY_KEY`	`target.registry.registry_key`	Copied from `event.REGISTRY_KEY` . Applies when `event_type` is `REGISTRY_WRITE` .
`event.REGISTRY_VALUE`	`target.registry.registry_value_data`	Copied from `event.REGISTRY_VALUE` . Applies when `event_type` is `REGISTRY_WRITE` .
`event.SVC_DISPLAY_NAME`	`metadata.description`	Copied from `event.SVC_DISPLAY_NAME` . Applies when `event_type` is `SERVICE_CHANGE` .
`event.SVC_NAME`	`target.application`	Copied from `event.SVC_NAME` . Applies when `event_type` is `SERVICE_CHANGE` .
`event.USER_NAME`	`principal.user.userid`	Renamed from `event.USER_NAME` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`routing.event_time`	`metadata.event_timestamp`	Parsed as a timestamp from `routing.event_time` using either UNIX_MS or ISO8601 format.
`routing.event_type`	`metadata.product_event_type`	Copied from `routing.event_type` .
`routing.ext_ip`	`principal.ip`	Copied from `routing.ext_ip` . Applies when `routing.ext_ip` is not empty.
`routing.hostname`	`principal.hostname`	Copied from `routing.hostname` . Applies when `routing.hostname` is not empty.
`routing.int_ip`	`principal.ip`	Copied from `routing.int_ip` . Applies when `routing.int_ip` is not empty.
`routing.parent`	`target.process.product_specific_process_id`	Prepended with "LC:" from `routing.parent` . Applies when `detect` is not empty.
`routing.parent`	`principal.process.product_specific_process_id`	Prepended with "LC:" from `routing.parent` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `routing.this` is empty and `routing.parent` is not empty.
`routing.this`	`principal.process.product_specific_process_id`	Prepended with "LC:" from `routing.this` . Applies when `event_type` is one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `detect` is empty.
`routing.this`	`principal.process.product_specific_process_id`	Prepended with "LC:" from `routing.this` . Applies when `event_type` is not one of `NEW_PROCESS` , `NEW_DOCUMENT` , `FILE_MODIFIED` , `FILE_DELETE` , `FILE_CREATE` , `FILE_READ` , `MODULE_LOAD` , `TERMINATE_PROCESS` , or `SENSITIVE_PROCESS_ACCESS` and `routing.this` is not empty. Set to `true` when `detect` is not empty. Set to `true` when `detect` is not empty and `detect_mtd.level` is one of `high` , `medium` , or `critical` . Set to a value based on `event_type` : `NETWORK_DNS` for `DNS_REQUEST` , `PROCESS_LAUNCH` for `NEW_PROCESS` , `PROCESS_UNCATEGORIZED` for `EXISTING_PROCESS` , `NETWORK_CONNECTION` for `CONNECTED` or `NETWORK_CONNECTIONS` , `REGISTRY_MODIFICATION` for `REGISTRY_WRITE` , `SERVICE_MODIFICATION` for `SERVICE_CHANGE` , `FILE_UNCATEGORIZED` for `NEW_DOCUMENT` , `FILE_READ` for `FILE_READ` , `FILE_DELETION` for `FILE_DELETE` , `FILE_CREATION` for `FILE_CREATE` , `FILE_MODIFICATION` for `FILE_MODIFIED` , `PROCESS_MODULE_LOAD` for `MODULE_LOAD` , `PROCESS_TERMINATION` for `TERMINATE_PROCESS` , `STATUS_UNCATEGORIZED` for `CLOUD_NOTIFICATION` or `RECEIPT` , `PROCESS_UNCATEGORIZED` for `REMOTE_PROCESS_HANDLE` or `NEW_REMOTE_THREAD` , or `GENERIC_EVENT` otherwise. Set to "LimaCharlie EDR". Set to "LimaCharlie". Set to "DNS" when `event_type` is `DNS_REQUEST` . Set to "ERROR" when `event.ERROR` is not empty. Copied from `event.HOST_NAME` . Applies when `event_type` is `CONNECTED` .

Need more help? Get answers from Community members and Google SecOps professionals.