Raccogli i log di Jamf Protect
Questo documento descrive come raccogliere i log di Jamf Protect configurando un servizio di sicurezza di Google e come i campi del log vengono mappati ai campi del modello Unified Data Model (UDM) di Google Security Operations. In questo documento è indicata anche la versione di Jamf Protect supportata.
Per saperne di più, consulta Importazione dei dati in Google Security Operations.
Un deployment tipico è costituito da Jamf Protect e dal feed di Google Security Operations configurato per inviare i log a Google Security Operations. L'implementazione di ogni cliente può essere diversa e potrebbe essere complessi.
Il deployment contiene i seguenti componenti:
Jamf Protect. La piattaforma Jamf Protect da cui raccogli i log.
Feed di Google Security Operations. Il feed di Google Security Operations che recupera i log da Jamf Protect e scrive i log in Google Security Operations.
Google Security Operations. Google Security Operations conserva e analizza i log di Jamf Protect.
Un'etichetta di importazione identifica il parser che normalizza i dati di log non elaborati
in formato UDM strutturato. Le informazioni in questo documento si applicano al parser
con l'etichetta di importazione JAMF_PROTECT
.
Prima di iniziare
- Assicurati di utilizzare Jamf Protect versione 4.0.0 o successiva.
- Assicurati che tutti i sistemi nell'architettura di deployment siano configurati con il fuso orario UTC.
Configura un feed in Google Security Operations per importare i log di Jamf Protect
Puoi utilizzare Amazon S3 o un webhook per configurare un feed di importazione in Google Security Operations, ma ti consigliamo di utilizzare Amazon S3.
configura un feed di importazione utilizzando Amazon S3
- Dal menu Google Security Operations, seleziona Impostazioni, quindi fai clic su Feed.
- Fai clic su Add New (Aggiungi nuovo).
- Seleziona Amazon S3 come Tipo di origine.
- Per creare un feed per Jamf Protect, seleziona Avvisi di Jamf Protect come Tipo di log.
- Fai clic su Avanti.
- Salva il feed e poi fai clic su Invia.
- Copia l'ID feed dal nome del feed per utilizzarlo in Jamf Protect.
Configurare un feed di importazione utilizzando un webhook
- Dal menu Google Security Operations, seleziona Impostazioni, quindi fai clic su Feed.
- Fai clic su Aggiungi nuovo.
- Nel campo Nome feed, inserisci un nome per il feed.
- Nell'elenco Tipo di origine, seleziona Webhook.
- Per creare un feed per Jamf Protect, seleziona Avvisi di Jamf Protect come Tipo di log.
- Fai clic su Avanti.
- (Facoltativo) Specifica i valori per i seguenti parametri di input:
- Delimitatore di suddivisione: il delimitatore utilizzato per separare le righe di log, ad esempio
\n
. - Spazio dei nomi asset: lo spazio dei nomi degli asset.
- Etichette di importazione: l'etichetta da applicare agli eventi da questo feed.
- Delimitatore di suddivisione: il delimitatore utilizzato per separare le righe di log, ad esempio
- Fai clic su Avanti.
- Esamina la nuova configurazione del feed nella schermata Finalizza e poi fai clic su Invia.
- Fai clic su Generate Secret Key (Genera chiave segreta) per generare una chiave segreta per autenticare questo feed.
- Copia e memorizza la chiave segreta perché non sarà più possibile visualizzarla. Puoi generare una nuova chiave segreta, ma la rigenerazione della chiave la chiave segreta precedente è obsoleta.
- Nella scheda Details, copia l'URL dell'endpoint del feed dal campo Informazioni endpoint. Devi specificare l'URL di questo endpoint nell'applicazione Jamf Protect Alerts.
- Fai clic su Fine.
- Specifica l'URL dell'endpoint in Jamf Protect.
Per ulteriori informazioni sui feed di Google Security Operations, consulta la documentazione sui feed di Google Security Operations. Per informazioni sui requisiti di ogni tipo di feed, consulta la sezione Configurazione dei feed per tipo.
Se riscontri problemi durante la creazione dei feed, contatta l'assistenza Google Security Operations.
Tipi di log di Jamf Protect supportati
Nella tabella seguente sono elencati i tipi di log supportati dall'analizzatore sintattico Jamf Protect:
Tipo di evento | Nome visualizzato |
---|---|
GPClickEvent | Eventi di clic sintetici |
GPDownloadEvent | Scarica gli eventi |
GPFSEvent | Eventi file system |
GPGatekeeperEvent | Eventi di gatekeeper |
GPKeylogRegisterEvent | Eventi keylogger |
GPMRTEvent | Monitora gli eventi |
GPPreventedExecutionEvent | Eventi elenco di prevenzione personalizzati |
GPProcessEvent | Elabora eventi |
GPThreatMatchExecEvent | Eventi di prevenzione delle minacce |
GPUSBEvent | Eventi USB |
GPUnifiedLogEvent | Eventi log unificati |
Montaggio automatico | Eventi del controllo dei dispositivi |
Riferimento per la mappatura dei campi
Questa sezione spiega in che modo l'analizzatore sintattico di Google Security Operations mappa i campi Jamf Protect ai campi UDM (Google Security Operations Unified Data Model).
Riferimento per la mappatura dei campi: da identificatore evento a tipo di evento
Nella tabella seguente sono elencati i tipi di logJAMF_PROTECT
e i tipi di eventi UDM corrispondenti.
Event Identifier | Event Type |
---|---|
GPClickEvent |
SCAN_UNCATEGORIZED |
GPDownloadEvent |
SCAN_FILE |
GPFSEvent |
SCAN_FILE |
GPGatekeeperEvent |
SCAN_UNCATEGORIZED |
GPKeylogRegisterEvent |
SCAN_UNCATEGORIZED |
GPMRTEvent |
SCAN_UNCATEGORIZED |
GPPreventedExecutionEvent |
SCAN_UNCATEGORIZED |
GPProcessEvent |
SCAN_PROCESS |
GPThreatMatchExecEvent |
SCAN_UNCATEGORIZED |
GPUSBEvent |
SCAN_UNCATEGORIZED |
GPUnifiedLogEvent |
SCAN_UNCATEGORIZED |
Auth-mount |
SCAN_UNCATEGORIZED |
Riferimento per la mappatura dei campi: JAMF_PROTECT
La seguente tabella elenca i campi del log del tipo di logJAMF_PROTECT
e i campi UDM corrispondenti.
Log field | UDM mapping | Logic |
---|---|---|
|
about.platform |
The about.platform UDM field is set to MAC . |
caid |
about.labels[caid] (deprecated) |
|
caid |
additional.fields[caid] |
|
certid |
principal.asset.attribute.labels [certid] |
|
context.identity.claims.certid |
principal.user.attribute.permissions.description |
|
context.identity.claims.clientid |
principal.user.attribute.labels [context_identity_claims_clientid] |
|
input.eventType |
metadata.product_event_type |
|
input.host.hostname |
principal.hostname |
|
input.host.ips |
principal.ip |
|
input.host.provisioningUDID |
principal.asset.product_object_id |
|
input.host.serial |
principal.asset.hardware.serial_number |
|
input.match.actions.name |
security_result.outcomes [input_match_actions_name] |
|
input.match.actions.parameters.message |
security_result.summary |
If the index value is equal to 0 , then the input.match.actions.parameters.message log field is mapped to the security_result.summary UDM field.Else, the input.match.actions.parameters.message log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.actions.parameters.title |
security_result.description |
If the index value is equal to 0 , then the input.match.actions.parameters.title log field is mapped to the security_result.description UDM field.Else, the input.match.actions.parameters.title log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.context.name |
security_result.detection_fields.key |
|
input.match.context.value |
security_result.detection_fields.value [Name] |
|
input.match.context.valueType |
|
|
input.match.custom |
security_result.detection_fields [input_match_custom] |
|
input.match.event.blocked |
security_result.action |
If the input.match.event.blocked log field value is not empty, then the security_result.action UDM field is set to BLOCK . |
context.identity.claims.hd, input.match.uuid |
security_result.url_back_to_product |
The security_result.url_back_to_product UDM field is set to https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid . |
input.match.event.category |
security_result.category_details |
|
input.match.event.clickType |
principal.labels[input_match_event_click_type] (deprecated) |
If the input.match.event.clickType log field value is equal to 0 , then the principal.labels.value UDM field is set to 0 - Other .Else, if the input.match.event.clickType log field value is equal to 1 , then the principal.labels.value UDM field is set to 1 - Left Down .Else, if the input.match.event.clickType log field value is equal to 2 , then the principal.labels.value UDM field is set to 2 - Left Up .Else, if the input.match.event.clickType log field value is equal to 3 , then the principal.labels.value UDM field is set to 3 - Right Down .Else, if the input.match.event.clickType log field value is equal to 4 , then the principal.labels.value UDM field is set to 4 - Right Up . |
input.match.event.clickType |
additional.fields[input_match_event_click_type] |
If the input.match.event.clickType log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - Other .Else, if the input.match.event.clickType log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Left Down .Else, if the input.match.event.clickType log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 2 - Left Up .Else, if the input.match.event.clickType log field value is equal to 3 , then the additional.fields.value.string_value UDM field is set to 3 - Right Down .Else, if the input.match.event.clickType log field value is equal to 4 , then the additional.fields.value.string_value UDM field is set to 4 - Right Up . |
input.match.event.composedMessage |
principal.labels[input_match_event_composed_message] (deprecated) |
|
input.match.event.composedMessage |
additional.fields[input_match_event_composed_message] |
|
input.match.event.dev |
principal.labels[input_match_event_dev] (deprecated) |
|
input.match.event.dev |
additional.fields[input_match_event_dev] |
|
input.match.event.eventID |
principal.labels[input_match_event_eventID] (deprecated) |
|
input.match.event.eventID |
additional.fields[input_match_event_eventID] |
|
input.match.event.gid |
principal.user.group_identifiers |
|
input.match.event.iNode |
target.file.stat_inode |
|
input.match.event.matchType |
principal.labels[input_match_event_match_type] (deprecated) |
|
input.match.event.matchType |
additional.fields[input_match_event_match_type] |
|
input.match.event.matchValue |
security_result.threat_name |
If the input.match.event.matchType log field value is not empty, then the input.match.event.matchValue log field is mapped to the security_result.threat_name UDM field. |
input.match.event.name |
about.labels[input_match_event_name] (deprecated) |
|
input.match.event.name |
additional.fields[input_match_event_name] |
|
input.match.facts.name |
metadata.description |
If the index value is equal to 0 , then the input.match.facts.name log field is mapped to the metadata.description UDM field. |
input.match.event.path |
target.process.file.full_path |
|
input.match.event.pid |
principal.process.pid |
|
input.match.event.prevFile |
src.file.full_path |
If the input.match.event.prevFile log field value is not empty, then the input.match.event.prevFile log field is mapped to the src.file.full_path UDM field. |
input.match.event.process |
principal.process.file.names |
|
input.match.event.process.args |
target.process.command_line_history |
|
input.match.event.process.gid |
target.group.product_object_id |
|
input.match.event.process.name |
target.process.file.names |
|
input.match.event.process.originalParentPID |
target.process.parent_process.pid |
|
input.match.event.process.path |
target.process.file.full_path |
|
input.match.event.process.pgid |
target.labels[input_match_event_processes_pgid] (deprecated) |
|
input.match.event.process.pgid |
additional.fields[input_match_event_processes_pgid] |
|
input.match.event.process.pid |
target.process.pid |
|
input.match.event.process.ppid |
target.labels[input_match_event_process_ppid] (deprecated) |
|
input.match.event.process.ppid |
additional.fields[input_match_event_process_ppid] |
|
input.match.event.process.responsiblePID |
target.labels[input_match_event_process_responsible_pid] (deprecated) |
|
input.match.event.process.responsiblePID |
additional.fields[input_match_event_process_responsible_pid] |
|
input.match.event.process.rgid |
target.labels[input_match_event_process_rgid] (deprecated) |
|
input.match.event.process.rgid |
additional.fields[input_match_event_process_rgid] |
|
input.match.event.process.ruid |
target.labels[input_match_event_process_ruid] (deprecated) |
|
input.match.event.process.ruid |
additional.fields[input_match_event_process_ruid] |
|
input.match.event.process.signingInfo.appid |
target.user.attribute.labels [input_match_event_process_sign_appid] |
|
input.match.event.process.signingInfo.authorities |
target.user.attribute.permissions |
|
input.match.event.process.signingInfo.cdhash |
target.user.attribute.labels [input_match_event_process_sign_cdhash] |
|
input.match.event.process.signingInfo.entitlements |
target.user.attributes.permissions |
|
input.match.event.process.signingInfo.signerType |
target.user.attribute.labels [input_match_event_process_sign_signer_type] |
If the input.related.process.signingInfo.signerType log field value is equal to 0 , then the target.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.process.signingInfo.signerType log field value is equal to 1 , then the target.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.process.signingInfo.signerType log field value is equal to 2 , then the target.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.process.signingInfo.signerType log field value is equal to 3 , then the target.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.process.signingInfo.signerType log field value is equal to 4 , then the target.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.match.event.process.signingInfo.status |
target.user.attribute.labels [input_match_event_process_sign_status] |
|
input.match.event.process.signingInfo.statusMessage |
target.labels[input_match_event_process_sign_status_message] (deprecated) |
|
input.match.event.process.signingInfo.statusMessage |
additional.fields[input_match_event_process_sign_status_message] |
|
input.match.event.process.signingInfo.teamid |
target.user.group_identifiers |
|
input.match.event.process.startTimestamp |
target.labels[input_match_event_process_start_time_stamp] (deprecated) |
|
input.match.event.process.startTimestamp |
additional.fields[input_match_event_process_start_time_stamp] |
|
input.match.event.process.uid |
target.labels[input_match_event_process_uid] (deprecated) |
|
input.match.event.process.uid |
additional.fields[input_match_event_process_uid] |
|
input.match.event.process.uuid |
target.process.product_specific_process_id |
The Process Uuid: input.match.event.process.uuid log field is mapped to the target.process.product_specific_process_id UDM field. |
input.match.event.processIdentifier |
target.process.pid |
|
input.match.event.processImagePath |
target.process.file.full_path |
|
input.match.event.rateLimitingSecs |
principal.labels[input_match_event_rate_limiting_secs] (deprecated) |
|
input.match.event.rateLimitingSecs |
additional.fields[input_match_event_rate_limiting_secs] |
|
input.match.event.scriptPath |
principal.labels[input_match_event_script_path] (deprecated) |
|
input.match.event.scriptPath |
additional.fields[input_match_event_script_path] |
|
input.match.event.sender |
principal.labels[input_match_event_sender] (deprecated) |
|
input.match.event.sender |
additional.fields[input_match_event_sender] |
|
input.match.event.senderImagePath |
principal.labels[input_match_event_sender_image_path] (deprecated) |
|
input.match.event.senderImagePath |
additional.fields[input_match_event_sender_image_path] |
|
input.match.event.subsystem |
principal.labels[input_match_event_subsystem] (deprecated) |
|
input.match.event.subsystem |
additional.fields[input_match_event_subsystem] |
|
input.match.event.subType |
principal.labels[input_match_event_sub_type] (deprecated) |
If the input.match.event.subType log field value is equal to 7 , then the principal.labels.value UDM field is set to 7 - Exec .Else, if the input.match.event.subType log field value is equal to 2 , then the principal.labels.value UDM field is set to 2 - Fork .Else, if the input.match.event.subType log field value is equal to 1 , then the principal.labels.value UDM field is set to 1 - Exit .Else, if the input.match.event.subType log field value is equal to 23 , then the principal.labels.value UDM field is set to 23 - Execve .Else, if the input.match.event.subType log field value is equal to 43190 , then the principal.labels.value UDM field is set to 43190 - Posix Spawn . |
input.match.event.subType |
additional.fields[input_match_event_sub_type] |
If the input.match.event.subType log field value is equal to 7 , then the additional.fields.value.string_value UDM field is set to 7 - Exec .Else, if the input.match.event.subType log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 2 - Fork .Else, if the input.match.event.subType log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Exit .Else, if the input.match.event.subType log field value is equal to 23 , then the additional.fields.value.string_value UDM field is set to 23 - Execve .Else, if the input.match.event.subType log field value is equal to 43190 , then the additional.fields.value.string_value UDM field is set to 43190 - Posix Spawn . |
input.match.event.tags |
security_result.rule_labels [input_match_event_tags] |
|
input.match.event.targetpid |
target.process.pid |
|
input.match.event.timestamp |
metadata.event_timestamp |
|
input.match.event.type |
target.labels[input_match_event_type] (deprecated) |
If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0 , then the target.labels.value UDM field is set to 0 - Created .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1 , then the target.labels.value UDM field is set to 1 - Deleted .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3 , then the target.labels.value UDM field is set to 3 - Renamed .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4 , then the target.labels.value UDM field is set to 4 - Modified .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7 , then the target.labels.value UDM field is set to 7 - Created Dir .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0 , then the target.labels.value UDM field is set to 0 - None .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1 , then the target.labels.value UDM field is set to 1 - Create .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2 , then the target.labels.value UDM field is set to 0 - Exit . |
input.match.event.type |
additional.fields[input_match_event_type] |
If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - Created .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Deleted .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3 , then the additional.fields.value.string_value UDM field is set to 3 - Renamed .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4 , then the additional.fields.value.string_value UDM field is set to 4 - Modified .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7 , then the additional.fields.value.string_value UDM field is set to 7 - Created Dir .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - None .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Create .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 0 - Exit . |
input.match.event.uid |
principal.user.userid |
|
input.match.event.uuid |
about.labels[input_match_event_uuid] (deprecated) |
|
input.match.event.uuid |
additional.fields[input_match_event_uuid] |
|
input.match.facts.actions.name |
security_result.action_details |
If the index value is equal to 0 , then the input.match.facts.actions.name log field is mapped to the security_result.action_details UDM field.Else, the input.match.facts.actions.name log field is mapped to the security_result.about.labels.value UDM field. |
input.match.facts.actions.parameters.id |
security_result.detection_fields [input_match_facts_actions_parameters_id] |
|
input.match.facts.actions.parameters.message |
security_result.detection_fields [input_match_facts_actions_parameters_message] |
|
input.match.facts.actions.parameters.title |
security_result.detection_fields [input_match_facts_actions_parameters_title] |
|
input.match.facts.context.name |
security_result.detection_fields.key |
|
input.match.facts.context.value |
security_result.detection_fields.value [Name] |
|
input.match.facts.context.valueType |
|
|
input.match.facts.human |
security_result.action |
If the input.match.facts.human log field value is matched with regex (?i)blocked , then the security_result.action UDM field is set to BLOCK . |
input.match.facts.human |
security_result.description |
If the index value is equal to 0 , then the input.match.facts.human log field is mapped to the security_result.description UDM field.Else, the input.match.facts.human log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.name |
security_result.summary |
If the index value is equal to 0 , then the input.match.facts.name log field is mapped to the security_result.summary UDM field.Else, the input.match.facts.name log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.severity |
security_result.detection_fields [input_match_facts_severity] |
|
input.match.facts.tags |
security_result.rule_labels [input_match_facts_tags] |
|
input.match.facts.uuid |
about.labels [input_match_facts_uuid] |
|
input.match.facts.version |
about.labels [input_match_facts_version] |
|
input.match.severity |
security_result.severity |
If the severity log field value is equal to 0 , then the security_result.severity UDM field is set to INFORMATIONAL .Else, if the severity log field value is equal to 1 , then the security_result.severity UDM field is set to LOW .Else, if the severity log field value is equal to 2 , then the security_result.severity UDM field is set to MEDIUM .Else, if the severity log field value is equal to 3 , then the security_result.severity UDM field is set to HIGH . |
input.match.tags |
security_result.rule_labels [input_match_tags] |
|
input.match.uuid |
metadata.product_log_id |
|
input.related.binaries.accessed |
security_result.about.labels [input_related_binaries_accessed] |
|
input.related.binaries.changed |
security_result.about.labels [input_related_binaries_changed] |
|
input.related.binaries.created |
security_result.about.file.first_seen_time |
If the index value is equal to 0 , then the input.related.binaries.created log field is mapped to the security_result.about.file.first_seen_time UDM field.Else, the input.related.binaries.created log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.fsid |
security_result.about.labels [input_related_binaries_fsid] |
|
input.related.binaries.gid |
security_result.about.labels [input_related_binaries_gid] |
|
input.related.binaries.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0 , then the input.related.binaries.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.binaries.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.isAppBundle |
security_result.about.labels [isAppBundle] |
|
input.related.binaries.isDirectory |
security_result.about.labels [isDirectory] |
|
input.related.binaries.isDownload |
security_result.about.labels [isDownload] |
|
input.related.binaries.isScreenShot |
security_result.about.labels [isScreenShot] |
|
input.related.binaries.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0 , then the input.related.binaries.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.binaries.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0 , then the input.related.binaries.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.binaries.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.path |
security_result.about.file.full_path |
If the index value is equal to 0 , then the input.related.binaries.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.binaries.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0 , then the input.related.binaries.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.binaries.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0 , then the input.related.binaries.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.binaries.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.authorities |
security_result.about.user.attribute.permissions |
|
input.related.binaries.signingInfo.cdhash |
security_result.about.labels [input_related_binaries_sign_cdhash] |
|
input.related.binaries.signingInfo.entitlements |
security_result.about.user.attribute.permisisons |
|
input.related.binaries.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type] |
If the input.related.binaries.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.binaries.signingInfo.status |
security_result.about.user.attribute.labels [input_related_binaries_sign_status] |
|
input.related.binaries.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
|
input.related.binaries.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.size |
security_result.about.file.size |
If the index value is equal to 0 , then the input.related.binaries.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.binaries.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.binaries.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.binaries.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.xattrs |
security_result.about.user.attribute.labels [input_related_binaries_xattrs] |
|
input.related.files.accessed |
security_result.about.labels [input_related_files_accessed] |
|
input.related.files.changed |
security_result.about.labels [input_related_files_changed] |
|
input.related.files.created |
security_result.about.labels [input_related_files_created] |
|
input.related.files.downloadedFrom |
security_result.about.labels [input_related_files_downloaded_from] |
|
input.related.files.fsid |
security_result.about.labels [input_related_files_downloaded_fsid] |
|
input.related.files.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.files.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.files.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0 , then the input.related.files.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.files.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.isAppBundle |
security_result.about.labels [input_related_files_downloaded_is_app_bundle] |
|
input.related.files.isDirectory |
security_result.about.labels [input_related_files_is_directory] |
|
input.related.files.isDownload |
security_result.about.labels [input_related_files_is_download] |
|
input.related.files.isScreenShot |
security_result.about.labels [input_related_files_is_screenshot] |
|
input.related.files.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0 , then the input.related.files.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.files.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0 , then the input.related.files.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.files.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.path |
security_result.about.file.full_path |
If the index value is equal to 0 , then the input.related.files.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.files.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0 , then the input.related.files.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.files.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0 , then the input.related.files.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.files.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.files.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.files.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.authorities |
security_result.about.user.attribute.permissions |
|
input.related.files.signingInfo.cdhash |
security_result.about.labels [[input_related_files_sign_cdhash] |
|
input.related.files.signingInfo.entitlements |
security_result.about.user.attribute.permissions |
|
input.related.files.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type] |
If the input.related.files.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.files.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.files.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.files.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.files.signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.files.signingInfo.status |
security_result.about.user.attribute.labels [input_related_files_signing_info_status] |
|
input.related.files.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_files_signing_info_status_message] |
|
input.related.files.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.size |
security_result.about.file.size |
If the index value is equal to 0 , then if the input.related.files.size log field value is not equal to 0 , then the input.related.files.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.files.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.files.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.files.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.xattrs |
security_result.about.labels [input_related_files_xattrs] |
|
input.related.groups.gid |
security_result.about.group.attribute.labels [input_related_groups_gid] |
|
input.related.groups.name |
security_result.about.group.group_display_name |
If the index value is equal to 0 , then the input.related.groups.name log field is mapped to the security_result.about.group.group_display_name UDM field.Else, the input.related.groups.name log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.groups.uuid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.groups.uuid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.groups.uuid log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.processes.appPath |
security_result.about.labels [input_related_processes_app_path] |
|
input.related.processes.args |
security_result.about.process.command_line_history |
|
input.related.processes.exitCode |
security_result.about.labels [input_related_processes_exit_code] |
|
input.related.processes.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.processes.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.processes.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.name |
security_result.about.process.file.names |
|
input.related.processes.originalParentPID |
security_result.about.process.parent_process.pid |
If the index value is equal to 0 , then the input.related.processes.originalParentPID log field is mapped to the security_result.about.process.parent_process.pid UDM field.Else, the input.related.processes.originalParentPID log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.path |
security_result.about.process.file.full_path |
If the index value is equal to 0 , then the input.related.processes.path log field is mapped to the security_result.about.process.file.full_path UDM field.Else, the input.related.processes.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.pgid |
security_result.about.labels [input_related_process_pgid] |
|
input.related.processes.pid |
security_result.about.process.pid |
If the index value is equal to 0 , then the input.related.processes.pid log field is mapped to the security_result.about.process.pid UDM field.Else, the input.related.processes.pid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.ppid |
security_result.about.labels [input_related_processes_ppid] |
|
input.related.processes.responsiblePID |
security_result.about.labels [input_related_processes_responsible_pid] |
|
input.related.processes.rgid |
security_result.about.labels [input_related_processes_rgid] |
|
input.related.processes.ruid |
security_result.about.labels [input_related_processes_ruid] |
|
input.related.processes.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.signingInfo.authorities |
security_result.about.user.attributes.permission |
|
input.related.processes.signingInfo.cdhash |
security_result.about.user.attribute.labels [input_related_processes_sign_cdhash] |
|
input.related.processes.signingInfo.entitlements |
security_result.about.user.attributes.permission |
|
input.related.processes.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_processes_sign_signer_type] |
If the input.related.processes.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.processes .signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.processes.signingInfo.status |
security_result.about.user.attribute.labels [input_related_processes_sign_status] |
|
input.related.processes.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
|
input.related.processes.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.startTimestamp |
security_result.about.labels [input_related_processes_start_time_stamp] |
|
input.related.processes.tty |
security_result.about.labels [input_related_processes_tty] |
|
input.related.processes.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.processes.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.processes.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.processes.uuid |
security_result.about.process.product_specific_process_id |
If the index value is equal to 0 , then the Process Uuid: input.related.processes.uuid log field is mapped to the security_result.about.process.product_specific_process_id UDM field.Else, the input.related.processes.uuid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.users.name |
security_result.about.user.user_display_name |
If the index value is equal to 0 , then the input.related.users.name log field is mapped to the security_result.about.user.user_display_name UDM field.Else, the input.related.users.name log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.users.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.users.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uuid |
security_result.about.user.product_object_id |
If the index value is equal to 0 , then the input.related.users.uuid log field is mapped to the security_result.about.user.product_object_id UDM field.Else, the input.related.users.uuid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
key |
about.labels[key] (deprecated) |
|
key |
additional.fields[key] |
|
path |
target.file.full_path |
If the index value is equal to 0 , then the path log field is mapped to the target.file.full_path UDM field.Else, the path log field is mapped to the target.labels.value UDM field. |
queue |
principal.labels[queue] (deprecated) |
|
queue |
additional.fields[queue] |
|
region |
principal.location.name |
|
timestamp |
metadata.creation_timestamp |
|
topic |
about.labels[topic] (deprecated) |
|
topic |
additional.fields[topic] |
|
topicType |
about.labels[topicType] (deprecated) |
|
topicType |
additional.fields[topicType] |
|
version |
metadata.product_version |
|
|
is_alert |
The is_alert UDM field is set to TRUE . |
|
is_significant |
The is_significant UDM field is set to TRUE . |
input.eventType |
metadata.event_type |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to JAMF_PROTECT . |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to JAMF . |
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to STORAGE_BUCKET . |
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to STORAGE_BUCKET . |
input.match.event.options |
about.labels[input_match_event_options] (deprecated) |
|
input.match.event.options |
additional.fields[input_match_event_options] |
|
input.match.event.sourcePID |
principal.process.pid |
|
input.match.event.destinationPID |
target.process.pid |
|
image.match.event.detection |
security_result.detection_fields [image_match_event_detection] |
|
input.match.type |
target.asset.attribute.labels [input_match_type] |
If the input.match.type log field value is equal to 0 , then the target.asset.attribute.labels.value UDM field is set to 0 - Device Inserted .Else, if the input.match.type log field value is equal to 1 , then the target.asset.attribute.labels.value UDM field is set to 1 - Device Removed . |
input.match.usbAddress |
target.asset.attribute.labels [input_match_usb_address] |
|
input.match.event.device.mediaPath |
target.asset.attribute.labels [input_match_device_media_path] |
|
input.match.event.device.protocol |
target.asset.attribute.labels [input_match_device_protocol] |
|
input.match.event.device.deviceModel |
target.asset.hardware.model |
|
input.match.event.device.isRemovable |
target.asset.attribute.labels [input_match_device_is_removable] |
|
input.match.event.device.mediaName |
target.asset.attribute.labels [input_match_device_media_name] |
|
input.match.event.device.bsdMinor |
target.asset.attribute.labels [input_match_device_bsd_minor] |
|
input.match.event.device.vendorName |
target.asset.software.vendor_name |
|
input.match.event.device.isWhole |
target.asset.attribute.labels [input_match_device_is_whole] |
|
input.match.event.device.unit |
target.asset.attribute.labels [input_match_device_unit] |
|
input.match.event.device.deviceSubclass |
target.asset.attribute.labels [input_match_device_subclass] |
|
input.match.event.device.serialNumber |
target.asset.hardware.serial |
|
input.match.event.device.bsdUnit |
target.asset.attribute.labels [input_match_device_bsd_unit] |
|
input.match.event.device.busPath |
target.asset.attribute.labels [input_match_device_bus_path] |
|
input.match.event.device.isLeaf |
target.asset.attribute.labels [input_match_device_is_leaf] |
|
input.match.event.device.isInternal |
target.asset.attribute.labels [input_match_device_is_internal] |
|
input.match.event.device.busName |
target.asset.attribute.labels [input_match_device_bus_name] |
|
input.match.event.device.bsdMajor |
target.asset.attribute.labels [input_match_device_bsd_major] |
|
input.match.event.device.isEjectable |
target.asset.attribute.labels [input_match_device_is_ejectable] |
|
input.match.event.device.isEncrypted |
target.asset.attribute.labels [input_match_device_is_encrypted] |
|
input.match.event.device.isEncryptable |
target.asset.attribute.labels [input_match_device_is_encryptable] |
|
input.match.event.device.devicePath |
target.asset.attribute.labels [input_match_device_path] |
|
input.match.event.device.bsdName |
target.asset.attribute.labels [input_match_device_bsd_name] |
|
input.match.event.device.vendorId |
target.asset.attribute.labels [input_match_device_vendor_id] |
|
input.match.event.device.content |
target.asset.attribute.labels [input_match_device_content] |
|
input.match.event.device.revision |
target.asset.attribute.labels [input_match_device_revision] |
|
input.match.event.device.size |
target.asset.attribute.labels [input_match_device_size] |
|
input.match.event.device.isNetworkVolume |
target.asset.attribute.labels [input_match_device_is_network_volume] |
|
input.match.event.device.blocksize |
target.asset.attribute.labels [input_match_device_block_size] |
|
input.match.event.device.productName |
target.asset.attribute.labels [input_match_device_product_name] |
|
input.match.event.device.mediaKind |
target.asset.attribute.labels [input_match_device_media_kind] |
|
input.match.event.device.isWritable |
target.asset.attribute.labels [input_match_device_is_writable] |
|
input.match.event.device.productId |
target.asset.product_object_id |
|
input.match.event.device.productId |
target.asset.asset_id |
The Asset Id: input.match.event.device.productId log field is mapped to the target.asset.asset_id UDM field. |
input.match.event.device.deviceClass |
target.asset.category |
|
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_device_encryption_detail] |
|
input.match.event.device.volumeKind |
target.asset.attribute.labels [input_match_event_device_volume_kind] |
|
input.match.event.device.volumeName |
target.asset.attribute.labels [input_match_event_device_volume_name] |
|
input.match.event.device.volumeType |
target.asset.attribute.labels [input_match_event_device_volume_type] |
|
input.match.event.device.isMountable |
target.asset.attribute.labels [input_match_event_device_is_mountable] |
|
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_event_device_encryption_detail] |
|
input.match.event.fsid |
principal.labels [input_match_event_fsid] |
|
input.match.event.bfree |
principal.labels[input_match_event_bfree] (deprecated) |
|
input.match.event.bfree |
additional.fields[input_match_event_bfree] |
|
input.match.event.bsize |
principal.labels[input_match_event_bsize] (deprecated) |
|
input.match.event.bsize |
additional.fields[input_match_event_bsize] |
|
input.match.event.ffree |
principal.labels[input_match_event_ffree] (deprecated) |
|
input.match.event.ffree |
additional.fields[input_match_event_ffree] |
|
input.match.event.files |
principal.labels[input_match_event_files] (deprecated) |
|
input.match.event.files |
additional.fields[input_match_event_files] |
|
input.match.event.flags |
principal.labels[input_match_event_flags] (deprecated) |
|
input.match.event.flags |
additional.fields[input_match_event_flags] |
|
input.match.event.owner |
principal.user.user_display_name |
|
input.match.event.bavail |
principal.labels[input_match_event_bvail] (deprecated) |
|
input.match.event.bavail |
additional.fields[input_match_event_bvail] |
|
input.match.event.blocks |
principal.labels[input_match_event_blocks] (deprecated) |
|
input.match.event.blocks |
additional.fields[input_match_event_blocks] |
|
input.match.event.iosize |
principal.labels[input_match_event_iosize] (deprecated) |
|
input.match.event.iosize |
additional.fields[input_match_event_iosize] |
|
input.match.event.version |
principal.labels[input_match_event_version] (deprecated) |
|
input.match.event.version |
additional.fields[input_match_event_version] |
|
input.match.event.deadline |
principal.labels[input_match_event_deadline] (deprecated) |
|
input.match.event.deadline |
additional.fields[input_match_event_deadline] |
|
input.match.event.flagsExt |
principal.labels[input_match_event_flags_ext] (deprecated) |
|
input.match.event.flagsExt |
additional.fields[input_match_event_flags_ext] |
|
input.match.event.fsSubType |
principal.labels[input_match_event_fs_subtype] (deprecated) |
|
input.match.event.fsSubType |
additional.fields[input_match_event_fs_subtype] |
|
input.match.event.mntOnName |
principal.labels[input_match_event_mnt_on_name] (deprecated) |
|
input.match.event.mntOnName |
additional.fields[input_match_event_mnt_on_name] |
|
input.match.event.fsTypeName |
principal.labels[input_match_event_fs_type_name] (deprecated) |
|
input.match.event.fsTypeName |
additional.fields[input_match_event_fs_type_name] |
|
input.match.event.isReadOnly |
principal.labels[input_match_event_is_read_only] (deprecated) |
|
input.match.event.isReadOnly |
additional.fields[input_match_event_is_read_only] |
|
input.match.event.mntFromName |
principal.labels[input_match_event_mnt_from_name] (deprecated) |
|
input.match.event.mntFromName |
additional.fields[input_match_event_mnt_from_name] |
|
input.match.event.machTimestamp |
principal.labels[input_match_event_mach_timestamp] (deprecated) |
|
input.match.event.machTimestamp |
additional.fields[input_match_event_mach_timestamp] |
|
input.match.event.sequenceNumber |
principal.labels[input_match_event_seq_number] (deprecated) |
|
input.match.event.sequenceNumber |
additional.fields[input_match_event_seq_number] |
|
input.match.event.globalSequenceNumber |
principal.labels[input_match_event_global_seq_number] (deprecated) |
|
input.match.event.globalSequenceNumber |
additional.fields[input_match_event_global_seq_number] |