From 9ccd7ce27b8b32a398fadf2aa5e8b08f58f33049 Mon Sep 17 00:00:00 2001
From: Taylor
Date: Fri, 10 May 2024 10:43:44 -0500
Subject: [PATCH] chore: Remove unused docker-compose file for SOC Fortress
---
 .../SOCFORTRESS_docker-compose.yml | 8 -
 .../data/SOCFORTRESS/cs.falconhoseclient.cfg | 1280 -----------------
 2 files changed, 1288 deletions(-)
 delete mode 100644 backend/data/SOCFORTRESS/SOCFORTRESS_docker-compose.yml
 delete mode 100644 backend/data/SOCFORTRESS/cs.falconhoseclient.cfg
diff --git a/backend/data/SOCFORTRESS/SOCFORTRESS_docker-compose.yml b/backend/data/SOCFORTRESS/SOCFORTRESS_docker-compose.yml
deleted file mode 100644
index 5e0e09fa..00000000
--- a/backend/data/SOCFORTRESS/SOCFORTRESS_docker-compose.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-version: "3.8"
-
-services:
- crowdstrike-connector-SOCFORTRESS:
- image: ghcr.io/socfortress/crowdstrike-connector
- volumes:
- - /opt/CoPilot/data/data/SOCFORTRESS/cs.falconhoseclient.cfg:/opt/crowdstrike/etc/cs.falconhoseclient.cfg
- restart: unless-stopped
diff --git a/backend/data/SOCFORTRESS/cs.falconhoseclient.cfg b/backend/data/SOCFORTRESS/cs.falconhoseclient.cfg
deleted file mode 100644
index 7164d8a7..00000000
--- a/backend/data/SOCFORTRESS/cs.falconhoseclient.cfg
+++ /dev/null
@@ -1,1280 +0,0 @@ -[Settings] -version = 3 -api_url = https://api.laggar.gcw.crowdstrike.com/sensors/entities/datafeed/v2 -request_token_url = https://api.laggar.gcw.crowdstrike.com/oauth2/token -app_id = SIEM-Connector-v2.0.0 - -enable_correlation_id = false -format_floats_as_scientific = true - -# API Client ID -client_id = 59b2a0df58364db2a5772b1d6f3dd60b -# API Client Secret -client_secret = fVR354s9rhb8a2UDdCmpGO0ikEBnxvSLcT176Ylj - -# Amount of time (in seconds) we will wait for a connect to complete. -connection_timeout = 10 -# Amount of time to wait (in seconds) for a server's response headers after fully writing the request. -read_timeout = 30 - -# Specify partition number 0 to n or 'all' (without quote) for all partitions -partition = all - -http_proxy = - -# Output formats -# Supported formats are -# 1.syslog: will output syslog format with flat key=value pairs uses the mapping configuration below. -; Use syslog format if CEF/LEEF output is required. -# 2.json: will output raw json format received from FalconHose API (default) -output_format = syslog - -# Will be true regardless if Syslog is not enabled -# If path does not exist or user has no permission, log file will be used -output_to_file = false -output_path = /var/log/crowdstrike/falconhoseclient/output - -# Offset file full filepath and filename -offset_path = /var/log/crowdstrike/falconhoseclient/stream_offsets - -[Output_File_Rotation] -# If the output is writing to a file, then the settings below will govern output file rotation -# -# If true, then the rotation rules will apply. If not, the client will continue to write to the same file. 
-rotate_file = true -# Maximum individual output file size in MB -max_size = 500 -# Number of backups of the output file to be stored -max_backups = 10 -# Maximum age of backup output files before it is deleted in DAYS -max_age = 30 - -[Logging] -verbose_log = true -# Maximum individual log file size in MB -max_size = 500 -# Number of backups to be stored -max_backups = 10 -# Maximum age of backup files before it is deleted in DAYS -max_age = 30 - -[Syslog] -send_to_syslog_server = true -host = ashgrl02.socfortress.local -port = 5556 -protocol = tcp - -# CEF/LEEF Headers, header_prefix will be appended before any other header information -# Within each mapping section, we can add __header.{n} (note double underscore) where n is consecutive integer -# starting with 0 which will be added sequentially. -# Value of headers can be: -# 1. As specified: enclose by single-quote -# 2. Field value: just specify which field name -header_delim = | -header_prefix = CEF:0|CrowdStrike|FalconHost|1.0| - -# Character Escaping Setting -# Syntax Guidelines: -# - Enclose characters with double-quote i.e. "|" -# - From and To characters are delimited by colon -# - Character(s) that needs to be escaped is placed on the left side of a colon (:) and character to replace with is on the right i.e. "from":"to" -# - Multiple character escape setting is delimited by a common i.e. 
"from1":"to1","from2":"to2" and so on -# - header_prefix setting (above) will not be escaped -escape_header = "|":"\|","\\":"\\\\" -escape_ext = "\\":"\\\\","=":"\=","\n":"\\n","\r":"\\r" - -# Delimiter separating key and value, example: if the delimiter is '='(equal): filename=abc.txt -key_val_delim = = - -# Delimiter separating 2 key-value pairs , example: if the delimiter is ','(comma): filename=abc.txt,domain=www.google.com -# Note: For space just leave it empty -field_delim = - -val_enclosure = - -# These fields will be converted to time format, field name should be the key on the mapping section (RFC3339) -time_fields = deviceCustomDate1 -time_format = MMM dd yyyy HH:mm:ss - -# This will be use for filtering -event_type_field = metadata.eventType -event_subtype_field = event.subType - -# Max length of syslog line in bytes -max_length = 2048 - -# Send retry interval in seconds (applicable only for TCP) -retry_interval_secs = 10 - -# Static order fields -keys_ordered = true - -[EventTypeCollection] -DetectionSummaryEvent = true -AuthActivityAuditEvent = true -UserActivityAuditEvent = true -HashSpreadingEvent = true -RemoteResponseSessionStartEvent = true -RemoteResponseSessionEndEvent = true -FirewallMatchEvent = true -CSPMSearchStreamingEvent = true -CSPMIOAStreamingEvent = true -IncidentSummaryEvent = true -CustomerIOCEvent = true -IdentityProtectionEvent = true -ReconNotificationSummaryEvent = true -ScheduledReportNotificationEvent = true -MobileDetectionSummaryEvent = true -XdrDetectionSummaryEvent = true -IdpDetectionSummaryEvent = true - -# ---------------------------------------------------------------------------------------------------------------- -# Below configurations only applies if syslog is ENABLED (under Syslog: enabled=true -# ---------------------------------------------------------------------------------------------------------------- - -[EventSubTypeCollection] -# Format: _ = true/false -DetectionSummaryEvent_DnsRequests = true 
-DetectionSummaryEvent_NetworkAccesses = true -DetectionSummaryEvent_DocumentsAccessed = true -DetectionSummaryEvent_ScanResults = true -DetectionSummaryEvent_ExecutablesWritten = true -DetectionSummaryEvent_QuarantineFiles = true -HashSpreadingEvent_Sensors = true -RemoteResponseSessionEndEvent_Commands = true -MobileDetectionSummaryEvent_MobileAppsDetails = true -MobileDetectionSummaryEvent_MobileNetworkConnections = true -MobileDetectionSummaryEvent_MobileDnsRequests = true -MobileDetectionSummaryEvent_MountedVolumes = true -MobileDetectionSummaryEvent_Trampolines = true -MobileDetectionSummaryEvent_LoadedObjects = true -MobileDetectionSummaryEvent_ObjectiveCRuntimesAltered = true -MobileDetectionSummaryEvent_RootAccessIndicators = true -MobileDetectionSummaryEvent_Certificates = true -MobileDetectionSummaryEvent_EnvironmentVariables = true -MobileDetectionSummaryEvent_SystemProperties = true - - -# FIELD MAPPINGS -# Section name format: OR _ -# Reserved keys: -# __header.{n} where n is integer starting with 0 -# -# There are 2 possible values for the mapping -# 1. Literals which will be used as-is (for labelling) should be enclosed by single quotes -# 2. 
Value based on incoming event -# -# If field mapping is not specified, then field will not appear in the results -# DetectName has been deprecated because CrowdStrike now supports MITRE framework - -[DetectionSummaryEvent] -__header.0 = metadata.eventType -__header.1 = metadata.eventType -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -cn2Label = 'ProcessId' -cn2 = event.ProcessId -cn1Label = 'ParentProcessId' -cn1 = event.ParentProcessId -dhost = event.ComputerName -duser = event.UserName -msg = event.DetectDescription -fname = event.FileName -filePath = event.FilePath -cs5Label = 'CommandLine' -cs5 = event.CommandLine -fileHash = event.MD5String -dntdom = event.MachineDomain -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective -patternDisposition = event.PatternDispositionDescription -outcome = event.PatternDispositionValue - - -[DetectionSummaryEvent_DnsRequests] -__header.0 = 'DNS Request In A Detection Summary Event' -__header.1 = 'DNS Request In A Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -cn2Label = 'ProcessId' -cn2 = event.ProcessId -dhost = event.ComputerName -duser = event.UserName -fname = event.FileName -filePath = event.FilePath -dntdom = event.MachineDomain -cs5Label = 'CommandLine' -cs5 = event.CommandLine -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'DNS Request Time' -deviceCustomDate1 = event.DnsRequests.LoadTime -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective -patternDisposition = event.PatternDispositionDescription -outcome = event.PatternDispositionValue - - -[DetectionSummaryEvent_NetworkAccesses] -__header.0 = 'Network Access In A Detection 
Summary Event' -__header.1 = 'Network Access In A Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -cn2Label = 'ProcessId' -cn2 = event.ProcessId -dhost = event.ComputerName -duser = event.UserName -fname = event.FileName -filePath = event.FilePath -cs5Label = 'CommandLine' -cs5 = event.CommandLine -dntdom = event.MachineDomain -src = event.NetworkAccesses.LocalAddress -c6a2 = event.NetworkAccesses.LocalAddress -dst = event.NetworkAccesses.RemoteAddress -c6a3 = event.NetworkAccesses.RemoteAddress -spt = event.NetworkAccesses.LocalPort -dpt = event.NetworkAccesses.RemotePort -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'Network Access Timestamp' -deviceCustomDate1 = event.NetworkAccesses.AccessTimestamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective -patternDisposition = event.PatternDispositionDescription -outcome = event.PatternDispositionValue - - -[DetectionSummaryEvent_DocumentsAccessed] -__header.0 = 'Document Access In A Detection Summary Event' -__header.1 = 'Document Access In A Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -cn2Label = 'ProcessId' -cn2 = event.ProcessId -dhost = event.ComputerName -duser = event.UserName -fname = event.FileName -filePath = event.FilePath -dntdom = event.MachineDomain -cs2Label = 'AccessedDocFileName' -cs2 = event.DocumentsAccessed.FileName -cs3Label = 'AccessedDocFilePath' -cs3 = event.DocumentsAccessed.FilePath -cs5Label = 'CommandLine' -cs5 = event.CommandLine -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'Document Accessed Timestamp' -deviceCustomDate1 = event.DocumentsAccessed.Timestamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective 
= event.Objective -patternDisposition = event.PatternDispositionDescription -outcome = event.PatternDispositionValue - -[DetectionSummaryEvent_ScanResults] -__header.0 = 'AV Scan Results In A Detection Summary Event' -__header.1 = 'AV Scan Results In A Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -cn2Label = 'ProcessId' -cn2 = event.ProcessId -dhost = event.ComputerName -duser = event.UserName -fname = event.FileName -filePath = event.FilePath -fileHash = event.MD5String -dntdom = event.MachineDomain -cs2Label = 'ScanResultEngine' -cs2 = event.ScanResults.Engine -cs1Label = 'ScanResultName' -cs1 = event.ScanResults.ResultName -cs4Label = 'ScanResultVersion' -cs4 = event.ScanResults.Version -cs5Label = 'CommandLine' -cs5 = event.CommandLine -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective -patternDisposition = event.PatternDispositionDescription -outcome = event.PatternDispositionValue - -[DetectionSummaryEvent_ExecutablesWritten] -__header.0 = 'Executable Written In A Detection Summary Event' -__header.1 = 'Executable Written In A Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -cn2Label = 'ProcessId' -cn2 = event.ProcessId -dhost = event.ComputerName -duser = event.UserName -fname = event.FileName -filePath = event.FilePath -dntdom = event.MachineDomain -cs2Label = 'WrittenExeFileName' -cs2 = event.ExecutablesWritten.FileName -cs3Label = 'WrittenExeFilePath' -cs3 = event.ExecutablesWritten.FilePath -cs5Label = 'CommandLine' -cs5 = event.CommandLine -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'ExeWrittenTimestamp' -deviceCustomDate1 = event.ExecutablesWritten.Timestamp -rt = metadata.eventCreationTime 
-tactic = event.Tactic -technique = event.Technique -objective = event.Objective -patternDisposition = event.PatternDispositionDescription -outcome = event.PatternDispositionValue - -[DetectionSummaryEvent_QuarantineFiles] -__header.0 = 'Quarantined Files In A Detection Summary Event' -__header.1 = 'Quarantined Files In A Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -cn2Label = 'ProcessId' -cn2 = event.ProcessId -dhost = event.ComputerName -duser = event.UserName -fname = event.FileName -filePath = event.FilePath -dntdom = event.MachineDomain -cs2Label = 'QuarantineFileSHA256' -cs2 = event.QuarantineFiles.SHA256HashData -cs3Label = 'QuarantineFilePath' -cs3 = event.QuarantineFiles.ImageFileName -cs5Label = 'CommandLine' -cs5 = event.CommandLine -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'ExeWrittenTimestamp' -deviceCustomDate1 = event.ExecutablesWritten.Timestamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective -patternDisposition = event.PatternDispositionDescription -outcome = event.PatternDispositionValue - -[UserActivityAuditEvent] -__header.0 = metadata.eventType -__header.1 = event.OperationName -__header.2 = '1' - -cat = metadata.eventType -destinationTranslatedAddress = event.UserIp -duser = event.UserId -deviceProcessName = event.ServiceName -cn3Label = 'Offset' -cn3 = metadata.offset -outcome = event.Success -rt = metadata.eventCreationTime - -[AuthActivityAuditEvent] -__header.0 = event.OperationName -__header.1 = event.OperationName -__header.2 = '1' - -cat = metadata.eventType -destinationTranslatedAddress = event.UserIp -duser = event.UserId -deviceProcessName = event.ServiceName -cn3Label = 'Offset' -cn3 = metadata.offset -outcome = event.Success -deviceCustomDate1Label = 'Timestamp' -deviceCustomDate1 = event.UTCTimestamp -rt = 
metadata.eventCreationTime - -[HashSpreadingEvent] -__header.0 = 'Hash Spreading Summary' -__header.1 = 'Hash Spreading Event-Summary' -__header.2 = '5' - -cat = event.ExecutionType -deviceCustomDate1Label = 'DocAccessTimestamp' -deviceCustomDate1 = event.AlertTime -fname=event.FileName -fileHash=event.SHA256String -deviceCustomDate2Label = 'HashSpreadingEventTime' -deviceCustomDate2 = metadata.eventCreationTime - -[HashSpreadingEvent_Sensors] -__header.0 = 'Hash Spreading Sensor' -__header.1 = 'Hash Spreading Event-Sensor Details' -__header.2 = '5' - -cat = event.ExecutionType -deviceCustomDate1Label = 'DocAccessTimestamp' -deviceCustomDate1 = event.AlertTime -fname = event.Sensors.Filename -fileHash=event.SHA256String -dhost = event.Sensors.HostnameField -deviceCustomDate2Label = 'HashSpreadingSensorEventTime' -deviceCustomDate2 = event.Sensors.LastWriteTime - -[RemoteResponseSessionStartEvent] -__header.0 = metadata.eventType -__header.1 = 'Remote Response Session Start event' -__header.2 = '1' - -cat = metadata.eventType -cn3Label = 'Offset' -cn3 = metadata.offset -rt = metadata.eventCreationTime -dhost = event.HostnameField -duser = event.UserName -sessionStartTimestampLabel = 'RemoteResponseSessionStartTimestamp' -sessionStartTimestamp = event.StartTimestamp - -[RemoteResponseSessionEndEvent] -__header.0 = metadata.eventType -__header.1 = 'Remote Response Session End event' -__header.2 = '1' - -cat = metadata.eventType -cn3Label = 'Offset' -cn3 = metadata.offset -rt = metadata.eventCreationTime -dhost = event.HostnameField -duser = event.UserName -sessionEndTimestampLabel = 'RemoteResponseSessionEndTimestamp' -sessionEndTimestamp = event.EndTimestamp - -[RemoteResponseSessionEndEvent_Commands] -__header.0 = metadata.eventType -__header.1 = 'Remote Response Session End event' -__header.2 = '1' - -cat = metadata.eventType -cn3Label = 'Offset' -cn3 = metadata.offset -rt = metadata.eventCreationTime -dhost = event.HostnameField -duser = event.UserName 
-sessionEndTimestampLabel = 'RemoteResponseSessionEndTimestamp' -sessionEndTimestamp = event.EndTimestamp -cmdLabel = 'Command' -cmd = event.Commands - - -[FirewallMatchEvent] -__header.0 = metadata.eventType -__header.1 = 'Firewall Match event' -__header.2 = '1' - -cat = metadata.eventType -deviceId = event.DeviceId -ipVLabel = 'IpV' -ipV = event.IpV -cmdLineLabel = 'Command Line' -cmdLine = event.CommandLine -connectionDirectionLabel = 'Connection Direction' -connectionDirection = event.ConnectionDirection -eventType = event.EventType -flags = event.Flags -hostName = event.HostName -icmpCodeLabel = 'ICMP Code' -icmpCode = event.ICMPCode -icmpTypeLabel = 'ICMP Type' -icmpType = event.ICMPType -imageFileNameLabel = 'Image File Name' -imageFileName = event.ImageFileName -localAddressLabel = 'Local Address' -localAddress = event.LocalAddress -localPortLabel = 'Local Port' -localPort = event.LocalPort -matchCountLabel = 'Match Count' -matchCount = event.MatchCount -matchCountSinceLastReportLabel = 'Match Count Since Last Report' -matchCount = event.MatchCountSinceLastReport -networkProfileLabel = 'Network Profile' -networkProfile = event.NetworkProfile -PolicyNameLabel = 'Policy Name' -networkProfile = event.PolicyName -protocolLabel = 'Protocol' -protocol = event.Protocol -remoteAddressLabel = 'Remote Address' -remoteAddress = event.RemoteAddress -remotePortLabel = 'Remote Port' -remotePort = event.RemotePort -ruleActionLabel = 'Rule Action' -ruleAction = event.RuleAction -ruleDescriptionLabel = 'Rule Description' -ruleDescription = event.RuleDescription -ruleGroupNameLabel = 'Rule Group Name' -ruleGroupName = event.RuleGroupName -ruleNameLabel = 'Rule Name' -ruleName = event.RuleName -statusLabel = 'Status' -status = event.Status -cn3Label = 'Offset' -cn3 = metadata.offset -rt = metadata.eventCreationTime - - -[CSPMSearchStreamingEvent] -__header.0 = metadata.eventType -__header.1 = 'CSPM Search Streaming event' -__header.2 = '1' - -cat = metadata.eventType 
-accountIdLabel = 'AccountId' -accountId = event.AccountId -regionLabel = 'Region' -region = event.Region -resourceIdLabel = 'ResourceId' -resourceId = event.ResourceId -resourceIdTypeLabel = 'ResourceIdType' -resourceIdType = event.ResourceIdType -resourceNameLabel = 'ResourceName' -resourceName = event.ResourceName -resourceCreateTimeLabel = 'ResourceCreateTime' -resourceCreateTime = event.ResourceCreateTime -policyStatementLabel = 'PolicyStatement' -policyStatement = event.PolicyStatement -severityNameLabel = 'SeverityName' -severityName = event.SeverityName -cloudPlatformLabel = 'CloudPlatform' -cloudPlatform = event.CloudPlatform -cloudServiceLabel = 'CloudService' -cloudService = event.CloudService -dispositionLabel = 'Disposition' -disposition = event.Disposition -resourceUrlLabel = 'ResourceUrl' -resourceUrl = event.ResourceUrl -findingLabel = 'Finding' -finding = event.Finding -resourceAttributesLabel = 'ResourceAttributes' -resourceAttributes = event.ResourceAttributes -tagsLabel = 'Tags' -tags = event.Tags -timestampLabel = 'Timestamp' -timestamp = event.Timestamp - -[CSPMIOAStreamingEvent] -__header.0 = metadata.eventType -__header.1 = 'CSPM IOA Streaming event' -__header.2 = '1' - -cat = metadata.eventType -accountIdLabel = 'AccountId' -accountId = event.AccountId -policyStatementLabel = 'PolicyStatement' -policyStatement = event.PolicyStatement -cloudProviderLabel = 'CloudProvider' -cloudProvider = event.CloudProvider -cloudServiceLabel = 'CloudService' -cloudService = event.CloudService -severityNameLabel = 'SeverityName' -severityName = event.SeverityName -eventActionLabel = 'EventAction' -eventAction = event.EventAction -eventSourceLabel = 'EventSource' -eventSource = event.EventSource -eventCreatedTimeLabel = 'EventCreatedTimestamp' -eventCreatedTime = event.EventCreatedTimestamp -userIdLabel = 'UserId' -userId = event.UserId -userNameLabel = 'UserName' -userName = event.UserName -userSourceIpLabel = 'UserSourceIp' -userSourceIp = 
event.UserSourceIp -tacticLabel = 'Tactic' -tactic = event.Tactic -techniqueLabel = 'Technique' -technique = event.Technique - -[CustomerIOCEvent] -__header.0 = 'Indicator of Compromise' -cat = metadata.eventType -devTimeFormat='yyyy-MM-dd HH:mm:ss' -devTime = metadata.eventCreationTime -commandLine = event.CommandLine -resource = event.ComputerName -fileName = event.FileName -filePath = event.FilePath -dnsRequestDomain = event.DomainName -dstIPv4 = event.IPv4 -dstIPv6 = event.IPv6 -md5 = event.MD5String -sha1 = event.SHA1String -sha256 = event.SHA256String - -[IncidentSummaryEvent] -__header.0 = metadata.eventType -__header.1 = metadata.eventType -__header.2 = '5' -cat = metadata.eventType -cs1Label = 'FalconHostLink' -cs1 = event.FalconHostLink -cs2Label = 'State' -cs2 = event.State -cn3Label = 'FineScore' -cn3 = event.FineScore -deviceCustomDate1Label = 'IncidentStartTime' -deviceCustomDate1 = event.IncidentStartTime -deviceCustomDate2Label = 'IncidentEndTime' -deviceCustomDate2 = event.IncidentEndTime -deviceCustomDate2 = event.IncidentEndTime - -[IdentityProtectionEvent] -__header.0 = event.Category -__header.1 = event.Severity - -cat = event.Category -cs1Label = 'incidentType' -cs1 = event.IncidentType -severityNameLabel = 'severityName' -severityName = event.SeverityName -msg = event.IncidentDescription -deviceCustomDate1Label = 'startTime' -deviceCustomDate1 = event.StartTime -deviceCustomDate2Label = 'endTime' -deviceCustomDate2 = event.EndTime -cs2Label = 'identityProtectionIncidentId' -cs2 = event.IdentityProtectionIncidentId -duser = event.UserName -dhost = event.EndpointName -cs3Label = 'endpointIp' -cs3 = event.EndpointIp -cn1Label = 'numberOfCompromisedEntities' -cn1 = event.NumberOfCompromisedEntities -cn2Label = 'numbersOfAlerts' -cn2 = event.NumbersOfAlerts -cs4Label = 'falconHostLink' -cs4 = event.FalconHostLink -stateLabel = 'state' -state = event.State - -[ReconNotificationSummaryEvent] -__header.0 = metadata.eventType -__header.1 = 'Recon 
Notification Summary Event' -__header.2 = '1' - -cat = metadata.eventType -notificationIdLabel = 'NotificationId' -notificationId = event.NotificationId -highlightsLabel = 'MatchHighlights' -highlights = event.Highlights -matchedTimestampLabel = 'MatchTimestamp' -matchedTimestamp = event.MatchedTimestamp -ruleIdLabel = 'MonitoringRuleId' -ruleId = event.RuleId -ruleNameLabel = 'MonitoringRuleName' -ruleName = event.RuleName -ruleTopicLabel = 'MonitoringRuleTopic' -ruleTopic = event.RuleTopic -rulePriorityLabel = 'MonitoringRulePriority' -rulePriority = event.RulePriority -itemIdLabel = 'RawIntelligenceItemId' -itemId = event.ItemId -itemTypeLabel = 'RawIntelligenceItemType' -itemType = event.ItemType -itemPostedTimestampLabel = 'RawIntelligenceItemPostedTimestamp' -itemPostedTimestamp = event.ItemPostedTimestamp - -[ScheduledReportNotificationEvent] -__header.0 = metadata.eventType -__header.1 = 'Scheduled Report Notification Event' -__header.2 = '1' - -cat = metadata.eventType -userUUIDLabel = 'UserUUID' -userUUID = event.UserUUID -userIDLabel = 'UserID' -userID = event.UserID -executionIDLabel = 'ExecutionID' -executionID = event.ExecutionID -reportIDLabel = 'ReportID' -reportID = event.ReportID -reportNameLabel = 'ReportName' -reportName = event.ReportName -reportTypeLabel = 'ReportType' -reportType = event.ReportType -reportFileReferenceLabel = 'ReportFileReference' -reportFileReference = event.ReportFileReference -statusLabel = 'Status' -status = event.Status -statusMessageLabel = 'StatusMessage' -statusMessage = event.StatusMessage -executionMetadataLabel = 'ExecutionMetadata' -executionMetadata = event.ExecutionMetadata - -[MobileDetectionSummaryEvent] -__header.0 = metadata.eventType -__header.1 = metadata.eventType -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -dhost = event.ComputerName -duser = event.UserName -msg = event.DetectDescription -dvcpid = event.ProcessId -cn1Label = 'SELinuxEnforcementPolicy' -cn1 = 
event.SELinuxEnforcementPolicy -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'ContextTimeStamp' -deviceCustomDate1 = event.ContextTimeStamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective - -[MobileDetectionSummaryEvent_MobileAppsDetails] -__header.0 = 'Mobile Application Details In A Mobile Detection Summary Event' -__header.1 = 'Mobile Application Details In A Mobile Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -dhost = event.ComputerName -duser = event.UserName -msg = event.DetectDescription -dvcpid = event.ProcessId -cs1Label = 'AppIdentifier' -cs1 = event.MobileAppsDetails.AppIdentifier -cs2Label = 'AppInstallerInformation' -cs2 = event.MobileAppsDetails.AppInstallerInformation -fname = event.MobileAppsDetails.ImageFileName -fileHash = event.MobileAppsDetails.SHA256HashData -cs3Label = 'DexFileHashes' -cs3 = event.MobileAppsDetails.DexFileHashes -cs4Label = 'AndroidAppVersionName' -cs4 = event.MobileAppsDetails.AndroidAppVersionName -cn1Label = 'HarmfulAppCategory' -cn1 = event.MobileAppsDetails.HarmfulAppCategory -cs5Label = 'AndroidComponentName' -cs5 = event.MobileAppsDetails.AndroidComponentName -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'ContextTimeStamp' -deviceCustomDate1 = event.ContextTimeStamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective - -[MobileDetectionSummaryEvent_MobileNetworkConnections] -__header.0 = 'Network Connection In A Mobile Detection Summary Event' -__header.1 = 'Network Connection In A Mobile Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -dhost = event.ComputerName -duser = event.UserName -msg = event.DetectDescription 
-dvcpid = event.ProcessId -cs1Label = 'Protocol' -cs1 = event.MobileNetworkConnections.Protocol -cn1Label = 'ConnectionFlags' -cn1 = event.MobileNetworkConnections.ConnectionFlags -src = event.MobileNetworkConnections.LocalAddress -c6a2 = event.MobileNetworkConnections.LocalAddress -dst = event.MobileNetworkConnections.RemoteAddress -c6a3 = event.MobileNetworkConnections.RemoteAddress -spt = event.MobileNetworkConnections.LocalPort -dpt = event.MobileNetworkConnections.RemotePort -deviceDirection = MobileNetworkConnections.ConnectionDirection -request = event.MobileNetworkConnections.Url -cs2Label = 'AppIdentifier' -cs2 = event.MobileNetworkConnections.AppIdentifier -cs3Label = 'IsAndroidAppContainerized' -cs3 = event.MobileNetworkConnections.IsAndroidAppContainerized -cn2Label = 'ContextProcessId' -cn2 = event.MobileNetworkConnections.ContextProcessId -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'Network Connection Timestamp' -deviceCustomDate1 = event.MobileNetworkConnections.AccessTimestamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective - -[MobileDetectionSummaryEvent_MobileDnsRequests] -__header.0 = 'Dns Request In A Mobile Detection Summary Event' -__header.1 = 'Dns Request In A Mobile Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -dhost = event.ComputerName -duser = event.UserName -msg = event.DetectDescription -dvcpid = event.ProcessId -destinationDnsDomain = event.MobileDnsRequests.DomainName -cs1Label = 'RequestType' -cs1 = event.MobileDnsRequests.RequestType -cs2Label = 'AppIdentifier' -cs2 = event.MobileDnsRequests.AppIdentifier -dst = event.MobileDnsRequests.IpAddress -c6a3 = event.MobileDnsRequests.IpAddress -cn1Label = 'ContextProcessId' -cn1 = event.MobileDnsRequests.ContextProcessId -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink 
-cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'DNS Request Timestamp' -deviceCustomDate1 = event.MobileDnsRequests.AccessTimestamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective - -[MobileDetectionSummaryEvent_MountedVolumes] -__header.0 = 'Mounted Volume In A Mobile Detection Summary Event' -__header.1 = 'Mounted Volume In A Mobile Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -dhost = event.ComputerName -duser = event.UserName -msg = event.DetectDescription -dvcpid = event.ProcessId -cs1Label = 'Type' -cs1 = event.MountedVolumes.Type -cs2Label = 'MountPoint' -cs2 = event.MountedVolumes.MountPoint -cs3Label = 'MountFlags' -cs3 = event.MountedVolumes.MountFlags -cs4Label = 'RealDeviceName' -cs4 = event.MountedVolumes.RealDeviceName -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'ContextTimeStamp' -deviceCustomDate1 = event.ContextTimeStamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective - -[MobileDetectionSummaryEvent_Trampolines] -__header.0 = 'Trampoline In A Mobile Detection Summary Event' -__header.1 = 'Trampoline In A Mobile Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -dhost = event.ComputerName -duser = event.UserName -msg = event.DetectDescription -dvcpid = event.ProcessId -cs1Label = 'FunctionName' -cs1 = event.Trampolines.FunctionName -cs2Label = 'ExecutableBytes' -cs2 = event.Trampolines.ExecutableBytes -fname = event.Trampolines.ImageFileName -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'ContextTimeStamp' -deviceCustomDate1 = event.ContextTimeStamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = 
event.Technique -objective = event.Objective - -[MobileDetectionSummaryEvent_LoadedObjects] -__header.0 = 'Loaded Object In A Mobile Detection Summary Event' -__header.1 = 'Loaded Object In A Mobile Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -dhost = event.ComputerName -duser = event.UserName -msg = event.DetectDescription -dvcpid = event.ProcessId -fname = event.LoadedObjects.FileName -fileHash = event.LoadedObjects.SHA256HashData -cs1Label = 'CodeSigningFlags' -cs1 = event.LoadedObjects.CodeSigningFlags -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'ContextTimeStamp' -deviceCustomDate1 = event.ContextTimeStamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective - -[MobileDetectionSummaryEvent_ObjectiveCRuntimesAltered] -__header.0 = 'ObjectiveC Runtime Altered In A Mobile Detection Summary Event' -__header.1 = 'ObjectiveC Runtime Altered In A Mobile Detection Summary Event' -__header.2 = event.Severity - -cat = event.Tactic -externalId = event.SensorId -dhost = event.ComputerName -duser = event.UserName -msg = event.DetectDescription -dvcpid = event.ProcessId -cs1Label = 'MethodSignature' -cs1 = event.ObjectiveCRuntimesAltered.MethodSignature -fname = event.ObjectiveCRuntimesAltered.ImageFileName -cs2Label = 'ExpectedImageFileName' -cs2 = event.ObjectiveCRuntimesAltered.ExpectedImageFileName -cs3Label = 'SuspectAddress' -cs3 = event.ObjectiveCRuntimesAltered.SuspectAddress -cs4Label = 'ExpectedAddress' -cs4 = event.ObjectiveCRuntimesAltered.ExpectedAddress -cs6Label = 'FalconHostLink' -cs6 = event.FalconHostLink -cn3Label = 'Offset' -cn3 = metadata.offset -deviceCustomDate1Label = 'ContextTimeStamp' -deviceCustomDate1 = event.ContextTimeStamp -rt = metadata.eventCreationTime -tactic = event.Tactic -technique = event.Technique -objective = event.Objective - 
-[MobileDetectionSummaryEvent_RootAccessIndicators]
-__header.0 = 'Root Access Indicators In A Mobile Detection Summary Event'
-__header.1 = 'Root Access Indicators In A Mobile Detection Summary Event'
-__header.2 = event.Severity
-
-cat = event.Tactic
-externalId = event.SensorId
-dhost = event.ComputerName
-duser = event.UserName
-msg = event.DetectDescription
-dvcpid = event.ProcessId
-cs1Label = 'LogcatMessage'
-cs1 = event.RootAccessIndicators.LogcatMessage
-cs2Label = 'AndroidStackTrace'
-cs2 = event.RootAccessIndicators.AndroidStackTrace
-cs3Label = 'HookedFunctionName'
-cs3 = event.RootAccessIndicators.HookedFunctionName
-cs4Label = 'AndroidInitServiceName'
-cs4 = event.RootAccessIndicators.AndroidInitServiceName
-cs6Label = 'FalconHostLink'
-cs6 = event.FalconHostLink
-cn3Label = 'Offset'
-cn3 = metadata.offset
-deviceCustomDate1Label = 'ContextTimeStamp'
-deviceCustomDate1 = event.ContextTimeStamp
-rt = metadata.eventCreationTime
-tactic = event.Tactic
-technique = event.Technique
-objective = event.Objective
-
-[MobileDetectionSummaryEvent_Certificates]
-__header.0 = 'Certificate In A Mobile Detection Summary Event'
-__header.1 = 'Certificate In A Mobile Detection Summary Event'
-__header.2 = event.Severity
-
-cat = event.Tactic
-externalId = event.SensorId
-dhost = event.ComputerName
-duser = event.UserName
-msg = event.DetectDescription
-dvcpid = event.ProcessId
-cs1Label = 'CertificateName'
-cs1 = event.Certificates.Name
-cs2Label = 'CertificateIssuer'
-cs2 = event.Certificates.Issuer
-cs3Label = 'CertificateFingerPrint'
-cs3 = event.Certificates.FingerPrint
-cs6Label = 'FalconHostLink'
-cs6 = event.FalconHostLink
-cn3Label = 'Offset'
-cn3 = metadata.offset
-deviceCustomDate1Label = 'ContextTimeStamp'
-deviceCustomDate1 = event.ContextTimeStamp
-rt = metadata.eventCreationTime
-tactic = event.Tactic
-technique = event.Technique
-objective = event.Objective
-
-[MobileDetectionSummaryEvent_EnvironmentVariables]
-__header.0 = 'Environment Variable In A 
Mobile Detection Summary Event'
-__header.1 = 'Environment Variable In A Mobile Detection Summary Event'
-__header.2 = event.Severity
-
-cat = event.Tactic
-externalId = event.SensorId
-dhost = event.ComputerName
-duser = event.UserName
-msg = event.DetectDescription
-dvcpid = event.ProcessId
-cs1Label = 'EnvironmentVariableName'
-cs1 = event.EnvironmentVariables.Name
-cs2Label = 'EnvironmentVariableValue'
-cs2 = event.EnvironmentVariables.Value
-cs6Label = 'FalconHostLink'
-cs6 = event.FalconHostLink
-cn3Label = 'Offset'
-cn3 = metadata.offset
-deviceCustomDate1Label = 'ContextTimeStamp'
-deviceCustomDate1 = event.ContextTimeStamp
-rt = metadata.eventCreationTime
-tactic = event.Tactic
-technique = event.Technique
-objective = event.Objective
-
-[MobileDetectionSummaryEvent_SystemProperties]
-__header.0 = 'System Property In A Mobile Detection Summary Event'
-__header.1 = 'System Property In A Mobile Detection Summary Event'
-__header.2 = event.Severity
-
-cat = event.Tactic
-externalId = event.SensorId
-dhost = event.ComputerName
-duser = event.UserName
-msg = event.DetectDescription
-dvcpid = event.ProcessId
-cs1Label = 'SystemPropertyName'
-cs1 = event.SystemProperties.Name
-cs2Label = 'SystemPropertyValue'
-cs2 = event.SystemProperties.Value
-cs6Label = 'FalconHostLink'
-cs6 = event.FalconHostLink
-cn3Label = 'Offset'
-cn3 = metadata.offset
-deviceCustomDate1Label = 'ContextTimeStamp'
-deviceCustomDate1 = event.ContextTimeStamp
-rt = metadata.eventCreationTime
-tactic = event.Tactic
-technique = event.Technique
-objective = event.Objective
-
-[XdrDetectionSummaryEvent]
-__header.0 = metadata.eventType
-__header.1 = 'XDR Detection Summary Event'
-__header.2 = event.Severity
-
-cat = metadata.eventType
-msg = event.Description
-rt = metadata.eventCreationTime
-tactics = event.Tactics
-techniques = event.Techniques
-xdrTypeLabel = 'XdrType'
-xdrType = event.XdrType
-authorLabel = 'Author'
-author = event.Author
-
-scheduledSearchExecutionIdLabel = 
'ScheduledSearchExecutionId'
-scheduledSearchExecutionId = event.ScheduledSearchExecutionId
-scheduledSearchIdLabel = 'ScheduledSearchId'
-scheduledSearchId = event.ScheduledSearchId
-scheduledSearchUserIdLabel = 'ScheduledSearchUserId'
-scheduledSearchUserId = event.ScheduledSearchUserId
-scheduledSearchUserUUIDLabel = 'ScheduledSearchUserUUID'
-scheduledSearchUserUUID = event.ScheduledSearchUserUUID
-
-sourceProductsLabel = 'SourceProducts'
-sourceProducts = event.SourceProducts
-sourceVendorsLabel = 'SourceVendors'
-sourceVendors = event.SourceVendors
-dataDomainsLabel = 'DataDomains'
-dataDomains = event.DataDomains
-ipv4AddressesLabel = 'IPv4Addresses'
-ipv4Addresses = event.IPv4Addresses
-ipv6AddressesLabel = 'IPv6Addresses'
-ipv6Addresses = event.IPv6Addresses
-hostNamesLabel = 'HostNames'
-hostNames = event.HostNames
-domainNamesLabel = 'DomainNames'
-domainNames = event.DomainNames
-emailAddressesLabel = 'EmailAddresses'
-emailAddresses = event.EmailAddresses
-sha256HashesLabel = 'SHA256Hashes'
-sha256Hashes = event.SHA256Hashes
-md5HashesLabel = 'MD5Hashes'
-md5Hashes = event.MD5Hashes
-usersLabel = 'Users'
-users = event.Users
-
-cn3Label = 'Offset'
-cn3 = metadata.offset
-
-
-
-[IdpDetectionSummaryEvent]
-__header.0 = metadata.eventType
-__header.1 = 'Identity Protection Detection Summary Event'
-__header.2 = event.Severity
-
-cat = metadata.eventType
-msg = event.DetectDescription
-rt = metadata.eventCreationTime
-tactic = event.Tactic
-technique = event.Technique
-
-targetServiceAccessIdentifierLabel = 'TargetServiceAccessIdentifier'
-targetServiceAccessIdentifier = event.TargetServiceAccessIdentifier
-targetEndpointSensorIdLabel = 'TargetEndpointSensorId'
-targetEndpointSensorId = event.TargetEndpointSensorId
-targetEndpointHostNameLabel = 'TargetEndpointHostName'
-targetEndpointHostName = event.TargetEndpointHostName
-targetEndpointAccountObjectSidLabel = 'TargetEndpointAccountObjectSid'
-targetEndpointAccountObjectSid = 
event.TargetEndpointAccountObjectSid
-targetEndpointAccountObjectGuidLabel = 'TargetEndpointAccountObjectGuid'
-targetEndpointAccountObjectGuid = event.TargetEndpointAccountObjectGuid
-targetAccountUpnLabel = 'TargetAccountUpn'
-targetAccountUpn = event.TargetAccountUpn
-targetAccountObjectSidLabel = 'TargetAccountObjectSid'
-targetAccountObjectSid = event.TargetAccountObjectSid
-targetAccountNameLabel = 'TargetAccountName'
-targetAccountName = event.TargetAccountName
-targetAccountDomainLabel = 'TargetAccountDomain'
-targetAccountDomain = event.TargetAccountDomain
-suspiciousMachineAccountAlterationTypeLabel = 'SuspiciousMachineAccountAlterationType'
-suspiciousMachineAccountAlterationType = event.SuspiciousMachineAccountAlterationType
-startTimeLabel = 'StartTime'
-startTime = event.StartTime
-ssoApplicationIdentifierLabel = 'SsoApplicationIdentifier'
-ssoApplicationIdentifier = event.SsoApplicationIdentifier
-sourceEndpointSensorIdLabel = 'SourceEndpointSensorId'
-sourceEndpointSensorId = event.SourceEndpointSensorId
-sourceEndpointIpReputationLabel = 'SourceEndpointIpReputation'
-sourceEndpointIpReputation = event.SourceEndpointIpReputation
-sourceEndpointIpAddressLabel = 'SourceEndpointIpAddress'
-sourceEndpointIpAddress = event.SourceEndpointIpAddress
-sourceEndpointHostNameLabel = 'SourceEndpointHostName'
-sourceEndpointHostName = event.SourceEndpointHostName
-sourceEndpointAccountObjectSidLabel = 'SourceEndpointAccountObjectGuid'
-sourceEndpointAccountObjectSid = event.SourceEndpointAccountObjectGuid
-sourceEndpointAccountObjectSidLabel = 'SourceEndpointAccountObjectSid'
-sourceEndpointAccountObjectSid = event.SourceEndpointAccountObjectSid
-sourceAccountUpnLabel = 'SourceAccountUpn'
-sourceAccountUpn = event.SourceAccountUpn
-sourceAccountObjectSidLabel = 'SourceAccountObjectSid'
-sourceAccountObjectSid = event.SourceAccountObjectSid
-sourceAccountNameLabel = 'SourceAccountName'
-sourceAccountName = event.SourceAccountName
-sourceAccountDomainLabel = 
'SourceAccountDomain'
-sourceAccountDomain = event.SourceAccountDomain
-severityNameLabel = 'SeverityName'
-severityName = event.SeverityName
-rpcOpClassificationLabel = 'RpcOpClassification'
-rpcOpClassification = event.RpcOpClassification
-protocolAnomalyClassificationLabel = 'ProtocolAnomalyClassification'
-protocolAnomalyClassification = event.ProtocolAnomalyClassification
-previousPrivilegesLabel = 'PreviousPrivileges'
-previousPrivileges = event.PreviousPrivileges
-precedingActivityTimeStampLabel = 'PrecedingActivityTimeStamp'
-precedingActivityTimeStamp = event.PrecedingActivityTimeStamp
-patternIdLabel = 'PatternId'
-patternId = event.PatternId
-objectiveLabel = 'Objective'
-objective = event.Objective
-mostRecentActivityTimeStampLabel = 'MostRecentActivityTimeStamp'
-mostRecentActivityTimeStamp = event.MostRecentActivityTimeStamp
-locationCountryCodeLabel = 'LocationCountryCode'
-locationCountryCode = event.LocationCountryCode
-ldapSearchQueryAttackLabel = 'LdapSearchQueryAttack'
-ldapSearchQueryAttack = event.LdapSearchQueryAttack
-idpPolicyRuleTriggerLabel = 'IdpPolicyRuleTrigger'
-idpPolicyRuleTrigger = event.IdpPolicyRuleTrigger
-idpPolicyRuleNameLabel = 'IdpPolicyRuleName'
-idpPolicyRuleName = event.IdpPolicyRuleName
-idpPolicyRuleActionLabel = 'IdpPolicyRuleAction'
-idpPolicyRuleAction = event.IdpPolicyRuleAction
-falconHostLinkLabel = 'FalconHostLink'
-falconHostLink = event.FalconHostLink
-endTimeLabel = 'EndTime'
-endTime = event.EndTime
-detectNameLabel = 'DetectName'
-detectName = event.DetectName
-detectIdLabel = 'DetectId'
-detectId = event.DetectId
-contextTimeStampLabel = 'ContextTimeStamp'
-contextTimeStamp = event.ContextTimeStamp
-attemptOutcomeLabel = 'AttemptOutcome'
-attemptOutcome = event.AttemptOutcome
-anomalousTicketContentClassificationLabel = 'AnomalousTicketContentClassification'
-anomalousTicketContentClassification = event.AnomalousTicketContentClassification
-additionalSsoApplicationIdentifierLabel = 
'AdditionalSsoApplicationIdentifier'
-additionalSsoApplicationIdentifier = event.AdditionalSsoApplicationIdentifier
-additionalLocationCountryCodeLabel = 'AdditionalLocationCountryCode'
-additionalLocationCountryCode = event.AdditionalLocationCountryCode
-additionalEndpointSensorIdLabel = 'AdditionalEndpointSensorId'
-additionalEndpointSensorId = event.AdditionalEndpointSensorId
-additionalEndpointIpAddressLabel = 'AdditionalEndpointIpAddress'
-additionalEndpointIpAddress = event.AdditionalEndpointIpAddress
-additionalEndpointHostNameLabel = 'AdditionalEndpointHostName'
-additionalEndpointHostName = event.AdditionalEndpointHostName
-additionalEndpointAccountObjectSidLabel = 'AdditionalEndpointAccountObjectSid'
-additionalEndpointAccountObjectSid = event.AdditionalEndpointAccountObjectSid
-additionalEndpointAccountObjectGuidLabel = 'AdditionalEndpointAccountObjectGuid'
-additionalEndpointAccountObjectGuid = event.AdditionalEndpointAccountObjectGuid
-additionalActivityIdLabel = 'AdditionalActivityId'
-additionalActivityId = event.AdditionalActivityId
-additionalAccountUpnLabel = 'AdditionalAccountUpn'
-additionalAccountUpn = event.AdditionalAccountUpn
-additionalAccountObjectSidLabel = 'AdditionalAccountObjectSid'
-additionalAccountObjectSid = event.AdditionalAccountObjectSid
-additionalAccountNameLabel = 'AdditionalAccountName'
-additionalAccountName = event.AdditionalAccountName
-additionalAccountDomainLabel = 'AdditionalAccountDomain'
-additionalAccountDomain = event.AdditionalAccountDomain
-addedPrivilegeLabel = 'AddedPrivilege'
-addedPrivilege = event.AddedPrivilege
-activityIdLabel = 'ActivityId'
-activityId = event.ActivityId
-accountCreationTimeStampLabel = 'AccountCreationTimeStamp'
-accountCreationTimeStamp = event.AccountCreationTimeStamp
-
-cn3Label = 'Offset'
-cn3 = metadata.offset