Mengumpulkan log Jamf Protect
Dokumen ini menjelaskan cara mengumpulkan log Jamf Protect dengan menyiapkan feed Google Security Operations dan cara kolom log dipetakan ke kolom Unified Data Model (UDM) Google Security Operations. Dokumen ini juga mencantumkan versi Jamf Protect yang didukung.
Untuk mengetahui informasi selengkapnya, lihat Penambahan data ke Google Security Operations.
Deployment umum terdiri dari Jamf Protect dan feed Google Security Operations yang dikonfigurasi untuk mengirim log ke Google Security Operations. Setiap deployment pelanggan dapat berbeda dan mungkin lebih kompleks.
Deployment berisi komponen berikut:
Jamf Protect. Platform Jamf Protect tempat Anda mengumpulkan log.
Feed Google Security Operations. Feed Google Security Operations yang mengambil log dari Jamf Protect dan menulis log ke Google Security Operations.
Google Security Operations. Google Security Operations menyimpan dan menganalisis log dari Jamf Protect.
Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah
ke format UDM terstruktur. Informasi dalam dokumen ini berlaku untuk parser
dengan label transfer JAMF_PROTECT
.
Sebelum memulai
- Pastikan Anda menggunakan Jamf Protect versi 4.0.0 atau yang lebih baru.
- Pastikan semua sistem dalam arsitektur deployment dikonfigurasi dengan zona waktu UTC.
Mengonfigurasi feed di Google Security Operations untuk menyerap log Jamf Protect
Anda dapat menggunakan Amazon S3 atau webhook untuk menyiapkan feed penyerapan di Google Security Operations, tetapi sebaiknya gunakan Amazon S3.
Menyiapkan feed penyerapan menggunakan Amazon S3
- Dari menu Google Security Operations, pilih Setelan, lalu klik Feed.
- Klik Add New.
- Pilih Amazon S3 sebagai Source Type.
- Untuk membuat feed untuk Jamf Protect, pilih Jamf Protect Alerts sebagai Log Type.
- Klik Berikutnya.
- Simpan feed, lalu Kirim.
- Salin ID Feed dari nama feed yang akan digunakan di Jamf Protect.
Menyiapkan feed transfer menggunakan webhook
- Dari menu Google Security Operations, pilih Setelan, lalu klik Feed.
- Klik Tambahkan baru.
- Di kolom Nama feed, masukkan nama untuk feed.
- Dalam daftar Source Type, pilih Webhook.
- Untuk membuat feed untuk Jamf Protect, pilih Jamf Protect Alerts sebagai Log Type.
- Klik Berikutnya.
- Opsional: Tentukan nilai untuk parameter input berikut:
- Pemisah pemisahan: pembatas yang digunakan untuk memisahkan baris log, seperti
\n
. - Namespace aset: namespace aset.
- Label penyerapan: label yang akan diterapkan ke peristiwa dari feed ini.
- Pemisah pemisahan: pembatas yang digunakan untuk memisahkan baris log, seperti
- Klik Berikutnya.
- Tinjau konfigurasi feed baru Anda di layar Finalize, lalu klik Submit.
- Klik Buat Kunci Rahasia untuk membuat kunci rahasia guna mengautentikasi feed ini.
- Salin dan simpan kunci rahasia karena Anda tidak dapat melihat rahasia ini lagi. Anda dapat membuat kunci rahasia baru lagi, tetapi pembuatan ulang kunci rahasia akan membuat kunci rahasia sebelumnya tidak berlaku lagi.
- Dari tab Detail, salin URL endpoint feed dari kolom Endpoint Information. Anda harus menentukan URL endpoint ini di aplikasi Jamf Protect Alerts.
- Klik Done.
- Tentukan URL endpoint di Jamf Protect.
Untuk informasi selengkapnya tentang feed Google Security Operations, lihat dokumentasi feed Google Security Operations. Untuk mengetahui informasi tentang persyaratan untuk setiap jenis feed, lihat Konfigurasi feed menurut jenis.
Jika Anda mengalami masalah saat membuat feed, hubungi dukungan Google Security Operations.
Jenis log Jamf Protect yang didukung
Tabel berikut mencantumkan jenis log yang didukung parser Jamf Protect:
Jenis Peristiwa | Nama tampilan |
---|---|
GPClickEvent | Peristiwa Klik Sintetis |
GPDownloadEvent | Download Peristiwa |
GPFSEvent | Peristiwa Sistem File |
GPGatekeeperEvent | Peristiwa Gatekeeper |
GPKeylogRegisterEvent | Peristiwa Keylogger |
GPMRTEvent | Memantau Peristiwa |
GPPreventedExecutionEvent | Peristiwa Daftar Pencegahan Kustom |
GPProcessEvent | Memproses Peristiwa |
GPThreatMatchExecEvent | Peristiwa Pencegahan Ancaman |
GPUSBEvent | Peristiwa USB |
GPUnifiedLogEvent | Peristiwa Log Terpadu |
Auth-mount | Peristiwa Kontrol Perangkat |
Referensi pemetaan kolom
Bagian ini menjelaskan cara parser Google Security Operations memetakan kolom Jamf Protect ke kolom Unified Data Model (UDM) Google Security Operations.
Referensi pemetaan kolom: ID Peristiwa ke Jenis Peristiwa
Tabel berikut mencantumkan jenis logJAMF_PROTECT
dan jenis peristiwa UDM yang sesuai.
Event Identifier | Event Type |
---|---|
GPClickEvent |
SCAN_UNCATEGORIZED |
GPDownloadEvent |
SCAN_FILE |
GPFSEvent |
SCAN_FILE |
GPGatekeeperEvent |
SCAN_UNCATEGORIZED |
GPKeylogRegisterEvent |
SCAN_UNCATEGORIZED |
GPMRTEvent |
SCAN_UNCATEGORIZED |
GPPreventedExecutionEvent |
SCAN_UNCATEGORIZED |
GPProcessEvent |
SCAN_PROCESS |
GPThreatMatchExecEvent |
SCAN_UNCATEGORIZED |
GPUSBEvent |
SCAN_UNCATEGORIZED |
GPUnifiedLogEvent |
SCAN_UNCATEGORIZED |
Auth-mount |
SCAN_UNCATEGORIZED |
Referensi pemetaan kolom: JAMF_PROTECT
Tabel berikut mencantumkan kolom log dari jenis logJAMF_PROTECT
dan kolom UDM yang sesuai.
Log field | UDM mapping | Logic |
---|---|---|
|
about.platform |
The about.platform UDM field is set to MAC . |
caid |
about.labels[caid] (deprecated) |
|
caid |
additional.fields[caid] |
|
certid |
principal.asset.attribute.labels [certid] |
|
context.identity.claims.certid |
principal.user.attribute.permissions.description |
|
context.identity.claims.clientid |
principal.user.attribute.labels [context_identity_claims_clientid] |
|
input.eventType |
metadata.product_event_type |
|
input.host.hostname |
principal.hostname |
|
input.host.ips |
principal.ip |
|
input.host.provisioningUDID |
principal.asset.product_object_id |
|
input.host.serial |
principal.asset.hardware.serial_number |
|
input.match.actions.name |
security_result.outcomes [input_match_actions_name] |
|
input.match.actions.parameters.message |
security_result.summary |
If the index value is equal to 0 , then the input.match.actions.parameters.message log field is mapped to the security_result.summary UDM field.Else, the input.match.actions.parameters.message log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.actions.parameters.title |
security_result.description |
If the index value is equal to 0 , then the input.match.actions.parameters.title log field is mapped to the security_result.description UDM field.Else, the input.match.actions.parameters.title log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.context.name |
security_result.detection_fields.key |
|
input.match.context.value |
security_result.detection_fields.value [Name] |
|
input.match.context.valueType |
|
|
input.match.custom |
security_result.detection_fields [input_match_custom] |
|
input.match.event.blocked |
security_result.action |
If the input.match.event.blocked log field value is not empty, then the security_result.action UDM field is set to BLOCK . |
context.identity.claims.hd, input.match.uuid |
security_result.url_back_to_product |
The security_result.url_back_to_product UDM field is set to https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid . |
input.match.event.category |
security_result.category_details |
|
input.match.event.clickType |
principal.labels[input_match_event_click_type] (deprecated) |
If the input.match.event.clickType log field value is equal to 0 , then the principal.labels.value UDM field is set to 0 - Other .Else, if the input.match.event.clickType log field value is equal to 1 , then the principal.labels.value UDM field is set to 1 - Left Down .Else, if the input.match.event.clickType log field value is equal to 2 , then the principal.labels.value UDM field is set to 2 - Left Up .Else, if the input.match.event.clickType log field value is equal to 3 , then the principal.labels.value UDM field is set to 3 - Right Down .Else, if the input.match.event.clickType log field value is equal to 4 , then the principal.labels.value UDM field is set to 4 - Right Up . |
input.match.event.clickType |
additional.fields[input_match_event_click_type] |
If the input.match.event.clickType log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - Other .Else, if the input.match.event.clickType log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Left Down .Else, if the input.match.event.clickType log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 2 - Left Up .Else, if the input.match.event.clickType log field value is equal to 3 , then the additional.fields.value.string_value UDM field is set to 3 - Right Down .Else, if the input.match.event.clickType log field value is equal to 4 , then the additional.fields.value.string_value UDM field is set to 4 - Right Up . |
input.match.event.composedMessage |
principal.labels[input_match_event_composed_message] (deprecated) |
|
input.match.event.composedMessage |
additional.fields[input_match_event_composed_message] |
|
input.match.event.dev |
principal.labels[input_match_event_dev] (deprecated) |
|
input.match.event.dev |
additional.fields[input_match_event_dev] |
|
input.match.event.eventID |
principal.labels[input_match_event_eventID] (deprecated) |
|
input.match.event.eventID |
additional.fields[input_match_event_eventID] |
|
input.match.event.gid |
principal.user.group_identifiers |
|
input.match.event.iNode |
target.file.stat_inode |
|
input.match.event.matchType |
principal.labels[input_match_event_match_type] (deprecated) |
|
input.match.event.matchType |
additional.fields[input_match_event_match_type] |
|
input.match.event.matchValue |
security_result.threat_name |
If the input.match.event.matchType log field value is not empty, then the input.match.event.matchValue log field is mapped to the security_result.threat_name UDM field. |
input.match.event.name |
about.labels[input_match_event_name] (deprecated) |
|
input.match.event.name |
additional.fields[input_match_event_name] |
|
input.match.facts.name |
metadata.description |
If the index value is equal to 0 , then the input.match.facts.name log field is mapped to the metadata.description UDM field. |
input.match.event.path |
target.process.file.full_path |
|
input.match.event.pid |
principal.process.pid |
|
input.match.event.prevFile |
src.file.full_path |
If the input.match.event.prevFile log field value is not empty, then the input.match.event.prevFile log field is mapped to the src.file.full_path UDM field. |
input.match.event.process |
principal.process.file.names |
|
input.match.event.process.args |
target.process.command_line_history |
|
input.match.event.process.gid |
target.group.product_object_id |
|
input.match.event.process.name |
target.process.file.names |
|
input.match.event.process.originalParentPID |
target.process.parent_process.pid |
|
input.match.event.process.path |
target.process.file.full_path |
|
input.match.event.process.pgid |
target.labels[input_match_event_processes_pgid] (deprecated) |
|
input.match.event.process.pgid |
additional.fields[input_match_event_processes_pgid] |
|
input.match.event.process.pid |
target.process.pid |
|
input.match.event.process.ppid |
target.labels[input_match_event_process_ppid] (deprecated) |
|
input.match.event.process.ppid |
additional.fields[input_match_event_process_ppid] |
|
input.match.event.process.responsiblePID |
target.labels[input_match_event_process_responsible_pid] (deprecated) |
|
input.match.event.process.responsiblePID |
additional.fields[input_match_event_process_responsible_pid] |
|
input.match.event.process.rgid |
target.labels[input_match_event_process_rgid] (deprecated) |
|
input.match.event.process.rgid |
additional.fields[input_match_event_process_rgid] |
|
input.match.event.process.ruid |
target.labels[input_match_event_process_ruid] (deprecated) |
|
input.match.event.process.ruid |
additional.fields[input_match_event_process_ruid] |
|
input.match.event.process.signingInfo.appid |
target.user.attribute.labels [input_match_event_process_sign_appid] |
|
input.match.event.process.signingInfo.authorities |
target.user.attribute.permissions |
|
input.match.event.process.signingInfo.cdhash |
target.user.attribute.labels [input_match_event_process_sign_cdhash] |
|
input.match.event.process.signingInfo.entitlements |
target.user.attributes.permissions |
|
input.match.event.process.signingInfo.signerType |
target.user.attribute.labels [input_match_event_process_sign_signer_type] |
If the input.related.process.signingInfo.signerType log field value is equal to 0 , then the target.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.process.signingInfo.signerType log field value is equal to 1 , then the target.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.process.signingInfo.signerType log field value is equal to 2 , then the target.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.process.signingInfo.signerType log field value is equal to 3 , then the target.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.process.signingInfo.signerType log field value is equal to 4 , then the target.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.match.event.process.signingInfo.status |
target.user.attribute.labels [input_match_event_process_sign_status] |
|
input.match.event.process.signingInfo.statusMessage |
target.labels[input_match_event_process_sign_status_message] (deprecated) |
|
input.match.event.process.signingInfo.statusMessage |
additional.fields[input_match_event_process_sign_status_message] |
|
input.match.event.process.signingInfo.teamid |
target.user.group_identifiers |
|
input.match.event.process.startTimestamp |
target.labels[input_match_event_process_start_time_stamp] (deprecated) |
|
input.match.event.process.startTimestamp |
additional.fields[input_match_event_process_start_time_stamp] |
|
input.match.event.process.uid |
target.labels[input_match_event_process_uid] (deprecated) |
|
input.match.event.process.uid |
additional.fields[input_match_event_process_uid] |
|
input.match.event.process.uuid |
target.process.product_specific_process_id |
The Process Uuid: input.match.event.process.uuid log field is mapped to the target.process.product_specific_process_id UDM field. |
input.match.event.processIdentifier |
target.process.pid |
|
input.match.event.processImagePath |
target.process.file.full_path |
|
input.match.event.rateLimitingSecs |
principal.labels[input_match_event_rate_limiting_secs] (deprecated) |
|
input.match.event.rateLimitingSecs |
additional.fields[input_match_event_rate_limiting_secs] |
|
input.match.event.scriptPath |
principal.labels[input_match_event_script_path] (deprecated) |
|
input.match.event.scriptPath |
additional.fields[input_match_event_script_path] |
|
input.match.event.sender |
principal.labels[input_match_event_sender] (deprecated) |
|
input.match.event.sender |
additional.fields[input_match_event_sender] |
|
input.match.event.senderImagePath |
principal.labels[input_match_event_sender_image_path] (deprecated) |
|
input.match.event.senderImagePath |
additional.fields[input_match_event_sender_image_path] |
|
input.match.event.subsystem |
principal.labels[input_match_event_subsystem] (deprecated) |
|
input.match.event.subsystem |
additional.fields[input_match_event_subsystem] |
|
input.match.event.subType |
principal.labels[input_match_event_sub_type] (deprecated) |
If the input.match.event.subType log field value is equal to 7 , then the principal.labels.value UDM field is set to 7 - Exec .Else, if the input.match.event.subType log field value is equal to 2 , then the principal.labels.value UDM field is set to 2 - Fork .Else, if the input.match.event.subType log field value is equal to 1 , then the principal.labels.value UDM field is set to 1 - Exit .Else, if the input.match.event.subType log field value is equal to 23 , then the principal.labels.value UDM field is set to 23 - Execve .Else, if the input.match.event.subType log field value is equal to 43190 , then the principal.labels.value UDM field is set to 43190 - Posix Spawn . |
input.match.event.subType |
additional.fields[input_match_event_sub_type] |
If the input.match.event.subType log field value is equal to 7 , then the additional.fields.value.string_value UDM field is set to 7 - Exec .Else, if the input.match.event.subType log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 2 - Fork .Else, if the input.match.event.subType log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Exit .Else, if the input.match.event.subType log field value is equal to 23 , then the additional.fields.value.string_value UDM field is set to 23 - Execve .Else, if the input.match.event.subType log field value is equal to 43190 , then the additional.fields.value.string_value UDM field is set to 43190 - Posix Spawn . |
input.match.event.tags |
security_result.rule_labels [input_match_event_tags] |
|
input.match.event.targetpid |
target.process.pid |
|
input.match.event.timestamp |
metadata.event_timestamp |
|
input.match.event.type |
target.labels[input_match_event_type] (deprecated) |
If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0 , then the target.labels.value UDM field is set to 0 - Created .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1 , then the target.labels.value UDM field is set to 1 - Deleted .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3 , then the target.labels.value UDM field is set to 3 - Renamed .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4 , then the target.labels.value UDM field is set to 4 - Modified .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7 , then the target.labels.value UDM field is set to 7 - Created Dir .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0 , then the target.labels.value UDM field is set to 0 - None .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1 , then the target.labels.value UDM field is set to 1 - Create .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2 , then the target.labels.value UDM field is set to 0 - Exit . |
input.match.event.type |
additional.fields[input_match_event_type] |
If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - Created .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Deleted .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3 , then the additional.fields.value.string_value UDM field is set to 3 - Renamed .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4 , then the additional.fields.value.string_value UDM field is set to 4 - Modified .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7 , then the additional.fields.value.string_value UDM field is set to 7 - Created Dir .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - None .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Create .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 0 - Exit . |
input.match.event.uid |
principal.user.userid |
|
input.match.event.uuid |
about.labels[input_match_event_uuid] (deprecated) |
|
input.match.event.uuid |
additional.fields[input_match_event_uuid] |
|
input.match.facts.actions.name |
security_result.action_details |
If the index value is equal to 0 , then the input.match.facts.actions.name log field is mapped to the security_result.action_details UDM field.Else, the input.match.facts.actions.name log field is mapped to the security_result.about.labels.value UDM field. |
input.match.facts.actions.parameters.id |
security_result.detection_fields [input_match_facts_actions_parameters_id] |
|
input.match.facts.actions.parameters.message |
security_result.detection_fields [input_match_facts_actions_parameters_message] |
|
input.match.facts.actions.parameters.title |
security_result.detection_fields [input_match_facts_actions_parameters_title] |
|
input.match.facts.context.name |
security_result.detection_fields.key |
|
input.match.facts.context.value |
security_result.detection_fields.value [Name] |
|
input.match.facts.context.valueType |
|
|
input.match.facts.human |
security_result.action |
If the input.match.facts.human log field value is matched with regex (?i)blocked , then the security_result.action UDM field is set to BLOCK . |
input.match.facts.human |
security_result.description |
If the index value is equal to 0 , then the input.match.facts.human log field is mapped to the security_result.description UDM field.Else, the input.match.facts.human log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.name |
security_result.summary |
If the index value is equal to 0 , then the input.match.facts.name log field is mapped to the security_result.summary UDM field.Else, the input.match.facts.name log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.severity |
security_result.detection_fields [input_match_facts_severity] |
|
input.match.facts.tags |
security_result.rule_labels [input_match_facts_tags] |
|
input.match.facts.uuid |
about.labels [input_match_facts_uuid] |
|
input.match.facts.version |
about.labels [input_match_facts_version] |
|
input.match.severity |
security_result.severity |
If the severity log field value is equal to 0 , then the security_result.severity UDM field is set to INFORMATIONAL .Else, if the severity log field value is equal to 1 , then the security_result.severity UDM field is set to LOW .Else, if the severity log field value is equal to 2 , then the security_result.severity UDM field is set to MEDIUM .Else, if the severity log field value is equal to 3 , then the security_result.severity UDM field is set to HIGH . |
input.match.tags |
security_result.rule_labels [input_match_tags] |
|
input.match.uuid |
metadata.product_log_id |
|
input.related.binaries.accessed |
security_result.about.labels [input_related_binaries_accessed] |
|
input.related.binaries.changed |
security_result.about.labels [input_related_binaries_changed] |
|
input.related.binaries.created |
security_result.about.file.first_seen_time |
If the index value is equal to 0 , then the input.related.binaries.created log field is mapped to the security_result.about.file.first_seen_time UDM field.Else, the input.related.binaries.created log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.fsid |
security_result.about.labels [input_related_binaries_fsid] |
|
input.related.binaries.gid |
security_result.about.labels [input_related_binaries_gid] |
|
input.related.binaries.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0 , then the input.related.binaries.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.binaries.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.isAppBundle |
security_result.about.labels [isAppBundle] |
|
input.related.binaries.isDirectory |
security_result.about.labels [isDirectory] |
|
input.related.binaries.isDownload |
security_result.about.labels [isDownload] |
|
input.related.binaries.isScreenShot |
security_result.about.labels [isScreenShot] |
|
input.related.binaries.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0 , then the input.related.binaries.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.binaries.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0 , then the input.related.binaries.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.binaries.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.path |
security_result.about.file.full_path |
If the index value is equal to 0 , then the input.related.binaries.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.binaries.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0 , then the input.related.binaries.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.binaries.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0 , then the input.related.binaries.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.binaries.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.authorities |
security_result.about.user.attribute.permissions |
|
input.related.binaries.signingInfo.cdhash |
security_result.about.labels [input_related_binaries_sign_cdhash] |
|
input.related.binaries.signingInfo.entitlements |
security_result.about.user.attribute.permisisons |
|
input.related.binaries.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type] |
If the input.related.binaries.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.binaries.signingInfo.status |
security_result.about.user.attribute.labels [input_related_binaries_sign_status] |
|
input.related.binaries.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
|
input.related.binaries.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.size |
security_result.about.file.size |
If the index value is equal to 0 , then the input.related.binaries.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.binaries.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.binaries.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.binaries.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.xattrs |
security_result.about.user.attribute.labels [input_related_binaries_xattrs] |
|
input.related.files.accessed |
security_result.about.labels [input_related_files_accessed] |
|
input.related.files.changed |
security_result.about.labels [input_related_files_changed] |
|
input.related.files.created |
security_result.about.labels [input_related_files_created] |
|
input.related.files.downloadedFrom |
security_result.about.labels [input_related_files_downloaded_from] |
|
input.related.files.fsid |
security_result.about.labels [input_related_files_downloaded_fsid] |
|
input.related.files.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.files.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.files.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0 , then the input.related.files.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.files.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.isAppBundle |
security_result.about.labels [input_related_files_downloaded_is_app_bundle] |
|
input.related.files.isDirectory |
security_result.about.labels [input_related_files_is_directory] |
|
input.related.files.isDownload |
security_result.about.labels [input_related_files_is_download] |
|
input.related.files.isScreenShot |
security_result.about.labels [input_related_files_is_screenshot] |
|
input.related.files.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0 , then the input.related.files.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.files.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0 , then the input.related.files.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.files.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.path |
security_result.about.file.full_path |
If the index value is equal to 0 , then the input.related.files.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.files.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0 , then the input.related.files.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.files.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0 , then the input.related.files.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.files.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.files.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.files.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.authorities |
security_result.about.user.attribute.permissions |
|
input.related.files.signingInfo.cdhash |
security_result.about.labels [[input_related_files_sign_cdhash] |
|
input.related.files.signingInfo.entitlements |
security_result.about.user.attribute.permissions |
|
input.related.files.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type] |
If the input.related.files.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.files.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.files.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.files.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.files.signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.files.signingInfo.status |
security_result.about.user.attribute.labels [input_related_files_signing_info_status] |
|
input.related.files.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_files_signing_info_status_message] |
|
input.related.files.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.size |
security_result.about.file.size |
If the index value is equal to 0 , then if the input.related.files.size log field value is not equal to 0 , then the input.related.files.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.files.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.files.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.files.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.xattrs |
security_result.about.labels [input_related_files_xattrs] |
|
input.related.groups.gid |
security_result.about.group.attribute.labels [input_related_groups_gid] |
|
input.related.groups.name |
security_result.about.group.group_display_name |
If the index value is equal to 0 , then the input.related.groups.name log field is mapped to the security_result.about.group.group_display_name UDM field.Else, the input.related.groups.name log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.groups.uuid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.groups.uuid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.groups.uuid log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.processes.appPath |
security_result.about.labels [input_related_processes_app_path] |
|
input.related.processes.args |
security_result.about.process.command_line_history |
|
input.related.processes.exitCode |
security_result.about.labels [input_related_processes_exit_code] |
|
input.related.processes.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.processes.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.processes.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.name |
security_result.about.process.file.names |
|
input.related.processes.originalParentPID |
security_result.about.process.parent_process.pid |
If the index value is equal to 0 , then the input.related.processes.originalParentPID log field is mapped to the security_result.about.process.parent_process.pid UDM field.Else, the input.related.processes.originalParentPID log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.path |
security_result.about.process.file.full_path |
If the index value is equal to 0 , then the input.related.processes.path log field is mapped to the security_result.about.process.file.full_path UDM field.Else, the input.related.processes.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.pgid |
security_result.about.labels [input_related_process_pgid] |
|
input.related.processes.pid |
security_result.about.process.pid |
If the index value is equal to 0 , then the input.related.processes.pid log field is mapped to the security_result.about.process.pid UDM field.Else, the input.related.processes.pid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.ppid |
security_result.about.labels [input_related_processes_ppid] |
|
input.related.processes.responsiblePID |
security_result.about.labels [input_related_processes_responsible_pid] |
|
input.related.processes.rgid |
security_result.about.labels [input_related_processes_rgid] |
|
input.related.processes.ruid |
security_result.about.labels [input_related_processes_ruid] |
|
input.related.processes.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.signingInfo.authorities |
security_result.about.user.attributes.permission |
|
input.related.processes.signingInfo.cdhash |
security_result.about.user.attribute.labels [input_related_processes_sign_cdhash] |
|
input.related.processes.signingInfo.entitlements |
security_result.about.user.attributes.permission |
|
input.related.processes.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_processes_sign_signer_type] |
If the input.related.processes.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.processes .signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.processes.signingInfo.status |
security_result.about.user.attribute.labels [input_related_processes_sign_status] |
|
input.related.processes.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
|
input.related.processes.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.startTimestamp |
security_result.about.labels [input_related_processes_start_time_stamp] |
|
input.related.processes.tty |
security_result.about.labels [input_related_processes_tty] |
|
input.related.processes.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.processes.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.processes.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.processes.uuid |
security_result.about.process.product_specific_process_id |
If the index value is equal to 0 , then the Process Uuid: input.related.processes.uuid log field is mapped to the security_result.about.process.product_specific_process_id UDM field.Else, the input.related.processes.uuid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.users.name |
security_result.about.user.user_display_name |
If the index value is equal to 0 , then the input.related.users.name log field is mapped to the security_result.about.user.user_display_name UDM field.Else, the input.related.users.name log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.users.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.users.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uuid |
security_result.about.user.product_object_id |
If the index value is equal to 0 , then the input.related.users.uuid log field is mapped to the security_result.about.user.product_object_id UDM field.Else, the input.related.users.uuid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
key |
about.labels[key] (deprecated) |
|
key |
additional.fields[key] |
|
path |
target.file.full_path |
If the index value is equal to 0 , then the path log field is mapped to the target.file.full_path UDM field.Else, the path log field is mapped to the target.labels.value UDM field. |
queue |
principal.labels[queue] (deprecated) |
|
queue |
additional.fields[queue] |
|
region |
principal.location.name |
|
timestamp |
metadata.creation_timestamp |
|
topic |
about.labels[topic] (deprecated) |
|
topic |
additional.fields[topic] |
|
topicType |
about.labels[topicType] (deprecated) |
|
topicType |
additional.fields[topicType] |
|
version |
metadata.product_version |
|
|
is_alert |
The is_alert UDM field is set to TRUE . |
|
is_significant |
The is_significant UDM field is set to TRUE . |
input.eventType |
metadata.event_type |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to JAMF_PROTECT . |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to JAMF . |
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to STORAGE_BUCKET . |
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to STORAGE_BUCKET . |
input.match.event.options |
about.labels[input_match_event_options] (deprecated) |
|
input.match.event.options |
additional.fields[input_match_event_options] |
|
input.match.event.sourcePID |
principal.process.pid |
|
input.match.event.destinationPID |
target.process.pid |
|
image.match.event.detection |
security_result.detection_fields [image_match_event_detection] |
|
input.match.type |
target.asset.attribute.labels [input_match_type] |
If the input.match.type log field value is equal to 0 , then the target.asset.attribute.labels.value UDM field is set to 0 - Device Inserted .Else, if the input.match.type log field value is equal to 1 , then the target.asset.attribute.labels.value UDM field is set to 1 - Device Removed . |
input.match.usbAddress |
target.asset.attribute.labels [input_match_usb_address] |
|
input.match.event.device.mediaPath |
target.asset.attribute.labels [input_match_device_media_path] |
|
input.match.event.device.protocol |
target.asset.attribute.labels [input_match_device_protocol] |
|
input.match.event.device.deviceModel |
target.asset.hardware.model |
|
input.match.event.device.isRemovable |
target.asset.attribute.labels [input_match_device_is_removable] |
|
input.match.event.device.mediaName |
target.asset.attribute.labels [input_match_device_media_name] |
|
input.match.event.device.bsdMinor |
target.asset.attribute.labels [input_match_device_bsd_minor] |
|
input.match.event.device.vendorName |
target.asset.software.vendor_name |
|
input.match.event.device.isWhole |
target.asset.attribute.labels [input_match_device_is_whole] |
|
input.match.event.device.unit |
target.asset.attribute.labels [input_match_device_unit] |
|
input.match.event.device.deviceSubclass |
target.asset.attribute.labels [input_match_device_subclass] |
|
input.match.event.device.serialNumber |
target.asset.hardware.serial |
|
input.match.event.device.bsdUnit |
target.asset.attribute.labels [input_match_device_bsd_unit] |
|
input.match.event.device.busPath |
target.asset.attribute.labels [input_match_device_bus_path] |
|
input.match.event.device.isLeaf |
target.asset.attribute.labels [input_match_device_is_leaf] |
|
input.match.event.device.isInternal |
target.asset.attribute.labels [input_match_device_is_internal] |
|
input.match.event.device.busName |
target.asset.attribute.labels [input_match_device_bus_name] |
|
input.match.event.device.bsdMajor |
target.asset.attribute.labels [input_match_device_bsd_major] |
|
input.match.event.device.isEjectable |
target.asset.attribute.labels [input_match_device_is_ejectable] |
|
input.match.event.device.isEncrypted |
target.asset.attribute.labels [input_match_device_is_encrypted] |
|
input.match.event.device.isEncryptable |
target.asset.attribute.labels [input_match_device_is_encryptable] |
|
input.match.event.device.devicePath |
target.asset.attribute.labels [input_match_device_path] |
|
input.match.event.device.bsdName |
target.asset.attribute.labels [input_match_device_bsd_name] |
|
input.match.event.device.vendorId |
target.asset.attribute.labels [input_match_device_vendor_id] |
|
input.match.event.device.content |
target.asset.attribute.labels [input_match_device_content] |
|
input.match.event.device.revision |
target.asset.attribute.labels [input_match_device_revision] |
|
input.match.event.device.size |
target.asset.attribute.labels [input_match_device_size] |
|
input.match.event.device.isNetworkVolume |
target.asset.attribute.labels [input_match_device_is_network_volume] |
|
input.match.event.device.blocksize |
target.asset.attribute.labels [input_match_device_block_size] |
|
input.match.event.device.productName |
target.asset.attribute.labels [input_match_device_product_name] |
|
input.match.event.device.mediaKind |
target.asset.attribute.labels [input_match_device_media_kind] |
|
input.match.event.device.isWritable |
target.asset.attribute.labels [input_match_device_is_writable] |
|
input.match.event.device.productId |
target.asset.product_object_id |
|
input.match.event.device.productId |
target.asset.asset_id |
The Asset Id: input.match.event.device.productId log field is mapped to the target.asset.asset_id UDM field. |
input.match.event.device.deviceClass |
target.asset.category |
|
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_device_encryption_detail] |
|
input.match.event.device.volumeKind |
target.asset.attribute.labels [input_match_event_device_volume_kind] |
|
input.match.event.device.volumeName |
target.asset.attribute.labels [input_match_event_device_volume_name] |
|
input.match.event.device.volumeType |
target.asset.attribute.labels [input_match_event_device_volume_type] |
|
input.match.event.device.isMountable |
target.asset.attribute.labels [input_match_event_device_is_mountable] |
|
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_event_device_encryption_detail] |
|
input.match.event.fsid |
principal.labels [input_match_event_fsid] |
|
input.match.event.bfree |
principal.labels[input_match_event_bfree] (deprecated) |
|
input.match.event.bfree |
additional.fields[input_match_event_bfree] |
|
input.match.event.bsize |
principal.labels[input_match_event_bsize] (deprecated) |
|
input.match.event.bsize |
additional.fields[input_match_event_bsize] |
|
input.match.event.ffree |
principal.labels[input_match_event_ffree] (deprecated) |
|
input.match.event.ffree |
additional.fields[input_match_event_ffree] |
|
input.match.event.files |
principal.labels[input_match_event_files] (deprecated) |
|
input.match.event.files |
additional.fields[input_match_event_files] |
|
input.match.event.flags |
principal.labels[input_match_event_flags] (deprecated) |
|
input.match.event.flags |
additional.fields[input_match_event_flags] |
|
input.match.event.owner |
principal.user.user_display_name |
|
input.match.event.bavail |
principal.labels[input_match_event_bvail] (deprecated) |
|
input.match.event.bavail |
additional.fields[input_match_event_bvail] |
|
input.match.event.blocks |
principal.labels[input_match_event_blocks] (deprecated) |
|
input.match.event.blocks |
additional.fields[input_match_event_blocks] |
|
input.match.event.iosize |
principal.labels[input_match_event_iosize] (deprecated) |
|
input.match.event.iosize |
additional.fields[input_match_event_iosize] |
|
input.match.event.version |
principal.labels[input_match_event_version] (deprecated) |
|
input.match.event.version |
additional.fields[input_match_event_version] |
|
input.match.event.deadline |
principal.labels[input_match_event_deadline] (deprecated) |
|
input.match.event.deadline |
additional.fields[input_match_event_deadline] |
|
input.match.event.flagsExt |
principal.labels[input_match_event_flags_ext] (deprecated) |
|
input.match.event.flagsExt |
additional.fields[input_match_event_flags_ext] |
|
input.match.event.fsSubType |
principal.labels[input_match_event_fs_subtype] (deprecated) |
|
input.match.event.fsSubType |
additional.fields[input_match_event_fs_subtype] |
|
input.match.event.mntOnName |
principal.labels[input_match_event_mnt_on_name] (deprecated) |
|
input.match.event.mntOnName |
additional.fields[input_match_event_mnt_on_name] |
|
input.match.event.fsTypeName |
principal.labels[input_match_event_fs_type_name] (deprecated) |
|
input.match.event.fsTypeName |
additional.fields[input_match_event_fs_type_name] |
|
input.match.event.isReadOnly |
principal.labels[input_match_event_is_read_only] (deprecated) |
|
input.match.event.isReadOnly |
additional.fields[input_match_event_is_read_only] |
|
input.match.event.mntFromName |
principal.labels[input_match_event_mnt_from_name] (deprecated) |
|
input.match.event.mntFromName |
additional.fields[input_match_event_mnt_from_name] |
|
input.match.event.machTimestamp |
principal.labels[input_match_event_mach_timestamp] (deprecated) |
|
input.match.event.machTimestamp |
additional.fields[input_match_event_mach_timestamp] |
|
input.match.event.sequenceNumber |
principal.labels[input_match_event_seq_number] (deprecated) |
|
input.match.event.sequenceNumber |
additional.fields[input_match_event_seq_number] |
|
input.match.event.globalSequenceNumber |
principal.labels[input_match_event_global_seq_number] (deprecated) |
|
input.match.event.globalSequenceNumber |
additional.fields[input_match_event_global_seq_number] |