The attributes used in policy conditions map between Chronicle and Resolution Intelligence Cloud as follows:
Chronicle | Resolution Intelligence Cloud |
security.events.metadata.eventType | events.metadata.eventType |
security.events.metadata.productEventType | events.metadata.productEventType |
security.events.metadata.productName | events.metadata.productName |
security.events.metadata.vendorName | events.metadata.vendorName |
security.events.network.dnsDomain | events.network.dnsDomain |
security.events.network.email.from | events.network.email.from |
security.events.network.email.to | events.network.email.to |
security.events.observer.hostname | events.observer.hostname |
security.events.principal.asset.hostname | events.principal.asset.hostname |
security.events.principal.hostname | events.principal.hostname |
security.events.principal.ip | events.principal.ip |
security.events.principal.process.commandLine | events.principal.process.commandLine |
security.events.principal.process.file.fullPath | events.principal.process.file.fullPath |
security.events.principal.process.file.names | events.principal.process.file.names |
security.events.principal.process.file.sha256 | events.principal.process.file.sha256 |
security.events.principal.processAncestors.commandLine | events.principal.processAncestors.commandLine |
security.events.principal.user.userid | events.principal.user.userid |
security.events.processAncestors.commandLine | events.processAncestors.commandLine |
security.events.processAncestors.file.fullPath | events.processAncestors.file.fullPath |
security.events.processAncestors.file.names | events.processAncestors.file.names |
security.events.processAncestors.file.sha256 | events.processAncestors.file.sha256 |
security.events.securityResult.action | events.securityResult.action |
security.events.securityResult.category | events.securityResult.category |
security.events.securityResult.summary | events.securityResult.summary |
security.events.securityResult.threatName | events.securityResult.threatName |
security.events.target.application | events.target.application |
security.events.target.asset.hostname | events.target.asset.hostname |
security.events.target.file.fullPath | events.target.file.fullPath |
security.events.target.file.names | events.target.file.names |
security.events.target.file.sha256 | events.target.file.sha256 |
security.events.target.hostname | events.target.hostname |
security.events.target.ip | events.target.ip |
security.events.target.port | events.target.port |
security.events.target.process.command_line | events.target.process.command_line |
security.events.target.process.file.fullPath | events.target.process.file.fullPath |
security.events.target.process.file.names | events.target.process.file.names |
security.events.target.process.file.sha256 | events.target.process.file.sha256 |
security.events.target.processAncestors.commandLine | events.target.processAncestors.commandLine |
security.events.target.processAncestors.file.fullPath | events.target.processAncestors.file.fullPath |
security.events.target.processAncestors.file.names | events.target.processAncestors.file.names |
security.events.target.processAncestors.file.sha256 | events.target.processAncestors.file.sha256 |
security.events.target.resource.name | events.target.resource.name |
security.events.target.resource.resourceType | events.target.resource.resourceType |
security.events.target.resource.type | events.target.resource.type |
security.events.target.url | events.target.url |
security.events.target.user.department | events.target.user.department |
security.events.target.user.title | events.target.user.title |
security.events.target.user.userid | events.target.user.userid |