Cette page a été traduite par l'API Cloud Translation.

Collecter les journaux Jamf Protect

Compatible avec :

Google SecOps SIEM

Ce document explique comment collecter les journaux Jamf Protect en configurant un flux Google Security Operations et comment les champs de journaux sont mappés aux champs du modèle de données unifié (UDM) Google Security Operations. Ce document liste également la version Jamf Protect compatible.

Pour en savoir plus, consultez Ingestion de données dans Google Security Operations.

Un déploiement type se compose de Jamf Protect et du flux Google Security Operations configuré pour envoyer des journaux à Google Security Operations. Chaque déploiement client peut être différent et plus complexe.

Le déploiement contient les composants suivants :

Jamf Protect Plate-forme Jamf Protect à partir de laquelle vous collectez les journaux.
Flux Google Security Operations Flux Google Security Operations qui récupère les journaux de Jamf Protect et les écrit dans Google Security Operations.
Google Security Operations Google Security Operations conserve et analyse les journaux de Jamf Protect.

Un libellé d'ingestion identifie l'analyseur qui normalise les données de journaux brutes au format UDM structuré. Les informations de ce document s'appliquent au parseur avec le libellé d'ingestion JAMF_PROTECT.

Avant de commencer

Assurez-vous de remplir les conditions préalables suivantes :

Une configuration Jamf Protect
Jamf Protect version 4.0.0 ou ultérieure
Tous les systèmes de l'architecture de déploiement sont configurés avec le fuseau horaire UTC.

Configurer des flux

Il existe deux points d'entrée différents pour configurer les flux dans la plate-forme Google SecOps :

Paramètres SIEM> Flux
Plate-forme de contenu > Packs de contenu

Configurer des flux à partir de Paramètres SIEM > Flux

Vous pouvez utiliser Amazon S3 ou un webhook pour configurer un flux d'ingestion dans Google SecOps, mais nous vous recommandons d'utiliser Amazon S3.

Configurer un flux d'ingestion dans Google SecOps à l'aide d'Amazon S3

Pour configurer plusieurs flux pour différents types de journaux dans cette famille de produits, consultez Configurer des flux par produit.

Pour configurer un seul flux :

Accédez à Paramètres SIEM> Flux.
Cliquez sur Add New Feed (Ajouter un flux).
Sur la page suivante, cliquez sur Configurer un seul flux.
Dans le champ Nom du flux, saisissez un nom pour le flux (par exemple, Journaux Jamf Protect).
Sélectionnez Amazon S3 comme Type de source.
Pour créer un flux pour Jamf Protect, sélectionnez Alertes Jamf Protect comme Type de journal.
Cliquez sur Suivant.
Enregistrez le flux, puis cliquez sur Envoyer.
Copiez l'ID du flux à partir du nom du flux à utiliser dans Jamf Protect.

Configurer un flux d'ingestion dans Google SecOps à l'aide d'un webhook

Pour les clients Google Security Operations Unified uniquement :
Pour configurer plusieurs flux pour différents types de journaux dans cette famille de produits, consultez Configurer plusieurs flux.

Pour tous les clients :
Pour configurer un seul flux, procédez comme suit :

Accédez à Paramètres SIEM> Flux.
Cliquez sur Add New Feed (Ajouter un flux).
Sur la page suivante, cliquez sur Configurer un seul flux. Ignorez cette étape si vous utilisez la plate-forme autonome Google SecOps SIEM.
Dans le champ Nom du flux, saisissez un nom pour le flux (par exemple, Journaux de webhook Jamf Protect).
Dans la liste Type de source, sélectionnez Webhook.
Pour créer un flux pour Jamf Protect, sélectionnez Alertes Jamf Protect comme Type de journal.
Cliquez sur Suivant.
Facultatif : Spécifiez les valeurs des paramètres d'entrée suivants :
- Délimiteur de fractionnement : délimiteur utilisé pour séparer les lignes de journaux, tel que \n.
- Espace de noms de l'élément : espace de noms de l'élément.
- Libellés d'ingestion : libellé à appliquer aux événements de ce flux.
Cliquez sur Suivant.
Vérifiez la configuration de votre nouveau flux sur l'écran Finaliser, puis cliquez sur Envoyer.
Cliquez sur Générer une clé secrète pour générer une clé secrète permettant d'authentifier ce flux.
Copiez et stockez la clé secrète. Vous ne pourrez plus afficher cette clé secrète. Si nécessaire, vous pouvez générer une nouvelle clé secrète, mais l'ancienne deviendra obsolète.
Dans l'onglet Détails, copiez l'URL du point de terminaison du flux à partir du champ Informations sur le point de terminaison. Vous aurez besoin de cette URL HTTPS pour configurer votre application cliente Jamf Protect.
Cliquez sur OK.

Configurer des flux depuis le Hub de contenu

Indiquez les valeurs des champs suivants :

Région : région dans laquelle se trouve le bucket Amazon S3.
URI S3 : URI du bucket.
- s3://your-log-bucket-name/
  - Remplacez your-log-bucket-name par le nom réel de votre bucket S3.
L'URI est : sélectionnez Répertoire ou Répertoire incluant les sous-répertoires, selon la structure de votre bucket.
Options de suppression de la source : sélectionnez l'option de suppression en fonction de vos préférences d'ingestion.
ID de clé d'accès : clé d'accès de l'utilisateur disposant des autorisations de lecture du bucket S3.
Clé d'accès secrète : clé secrète de l'utilisateur avec les autorisations nécessaires pour lire le bucket S3.

Options avancées

Nom du flux : valeur préremplie qui identifie le flux.
Type de source : méthode utilisée pour collecter les journaux dans Google SecOps.
Espace de noms de l'élément : espace de noms associé au flux.
Libellés d'ingestion : libellés appliqués à tous les événements de ce flux.

Créer une clé API pour un flux de webhook

Accédez à la consoleGoogle Cloud > Identifiants.

Accéder à "Identifiants"
Cliquez sur Créer des identifiants, puis sélectionnez Clé API.
Restreignez l'accès à la clé API à l'API Google Security Operations.

Configurer Jamf Protect pour un flux de webhook

Dans l'application Jamf Protect, accédez à la configuration de l'action correspondante.
Pour ajouter un point de terminaison de données, cliquez sur Créer des actions.
Sélectionnez HTTP comme protocole.
Saisissez l'URL HTTPS du point de terminaison de l'API Google Security Operations dans le champ URL. (Il s'agit du champ Informations sur le point de terminaison que vous avez copié lors de la configuration du flux de webhook.) Il est déjà au format requis.)
Activez l'authentification en spécifiant la clé API et la clé secrète dans l'en-tête personnalisé au format suivant :
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
Recommandation : Spécifiez la clé API en tant qu'en-tête au lieu de la spécifier dans l'URL. Si votre client de webhook n'accepte pas les en-têtes personnalisés, vous pouvez spécifier la clé API et la clé secrète à l'aide de paramètres de requête au format suivant :
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```
Remplacez les éléments suivants :
- ENDPOINT_URL : URL du point de terminaison du flux.
- API_KEY : clé API pour s'authentifier auprès de Google Security Operations.
- SECRET : clé secrète que vous avez générée pour authentifier le flux.
Dans la section Collect Logs (Collecter des journaux), sélectionnez Alerts & Unified Logs (Alertes et journaux unifiés).
Cliquez sur Envoyer.

Pour en savoir plus sur les flux Google Security Operations, consultez la documentation sur les flux Google Security Operations. Pour en savoir plus sur les exigences de chaque type de flux, consultez Configuration des flux par type.

Si vous rencontrez des problèmes lors de la création de flux, contactez l'assistance Google Security Operations.

Types de journaux Jamf Protect compatibles

Le tableau suivant répertorie les types de journaux compatibles avec l'analyseur Jamf Protect :

Type d'événement	Nom à afficher
GPClickEvent	Événements de clic synthétiques
GPDownloadEvent	Événements de téléchargement
GPFSEvent	Événements du système de fichiers
GPGatekeeperEvent	Événements Gatekeeper
GPKeylogRegisterEvent	Événements de l'enregistreur de frappe
GPMRTEvent	Surveiller les événements
GPPreventedExecutionEvent	Événements de la liste de prévention personnalisée
GPProcessEvent	Traiter les événements
GPThreatMatchExecEvent	Événements de prévention des menaces
GPUSBEvent	Événements USB
GPUnifiedLogEvent	Événements de journaux unifiés
Montage authentifié	Événements de contrôle des appareils

Formats de journaux Jamf Protect acceptés

L'analyseur Jamf Protect est compatible avec les journaux au format JSON.

Exemples de journaux Jamf Protect acceptés

JSON

{
  "input": {
    "match": {
      "custom": false,
      "facts": [
        {
          "actions": [
            {
              "name": "CacheFile",
              "parameters": {}
            },
            {
              "name": "Report",
              "parameters": {}
            }
          ],
          "human": "Login Hook created for persistence",
          "context": [
            {
              "name": "ItemBinary",
              "value": "\\/path\\/to\\/suspiciousfile.sh",
              "valueType": "Binary"
            },
            {
              "name": "Itemname",
              "value": "\\/path\\/to\\/suspiciousfile.sh",
              "valueType": "String"
            }
          ],
          "uuid": "dummyuuid",
          "version": 2,
          "severity": 0,
          "tags": [
            "MITREattack",
            "T1037.002",
            "BootOrLogonAutostartExecution",
            "Persistence"
          ],
          "name": "LoginHook"
        }
      ],
      "event": {
        "timestamp": 1676994504.698714,
        "uid": 0,
        "eventID": 9141,
        "prevFile": "\\/private\\/var\\/folders\\/zz\\/zyxvpxvq6csfxvn_n0000000000000\\/T\\/TemporaryItems\\/com.apple.loginwindow.plist.X0YcxtR",
        "iNode": 62898,
        "dev": 16777220,
        "uuid": "AE7F101A-09AA-4CD6-940F-15EC2073E476",
        "path": "\\/var\\/root\\/Library\\/Preferences\\/com.dummy.path.plist",
        "type": 3,
        "gid": 0,
        "pid": 148
      },
      "uuid": "1263F6F0-6891-4105-993F-6889AB3A3555",
      "context": [
        {
          "name": "ItemBinary",
          "value": "\\/path\\/to\\/suspiciousfile.sh",
          "valueType": "Binary"
        },
        {
          "name": "Itemname",
          "value": "\\/path\\/to\\/suspiciousfile.sh",
          "valueType": "String"
        }
      ],
      "severity": 0,
      "tags": [
        "T1037.002",
        "Persistence",
        "BootOrLogonAutostartExecution",
        "MITREattack"
      ],
      "actions": [
        {
          "name": "CacheFile",
          "parameters": {}
        },
        {
          "name": "Report",
          "parameters": {}
        }
      ]
    },
    "host": {
      "ips": [
        "192.51.100.1"
      ],
      "provisioningUDID": "8AD54CA5-F0DC-5434-8147-26D1D8A426CD",
      "hostname": "dummy-hostname",
      "serial": "dummyserial"
    },
    "eventType": "GPFSEvent",
    "related": {
      "users": [
        {
          "uid": 0,
          "name": "root",
          "uuid": "dummyuid"
        }
      ],
      "files": [
        {
          "xattrs": [],
          "sha256hex": "67fc9bde97641361d3b521a01f8b907269a4d6434f2db10e163a71b70178b3d1",
          "modified": 1676985886,
          "uid": 0,
          "changed": 1676985886,
          "sha1hex": "e3bc8f9c241f86e7138ba6cfb0e0e206b131a7e3",
          "isAppBundle": false,
          "isScreenShot": false,
          "path": "\\/var\\/root\\/Library\\/Preferences\\/com.apple.loginwindow.plist",
          "size": 42,
          "gid": 0,
          "inode": 62898,
          "mode": 33152,
          "isDownload": false,
          "created": 1676985886,
          "accessed": 1676985886,
          "fsid": 16777220,
          "signingInfo": {
            "status": -67062,
            "authorities": [],
            "teamid": "",
            "signerType": 4,
            "statusMessage": "code object is not signed at all",
            "entitlements": [],
            "appid": ""
          },
          "isDirectory": false
        }
      ],
      "binaries": [
        {
          "xattrs": [],
          "sha256hex": "9a282c0623110b57953bb74238f02704f729eb9779381eef851b2ebe7626f890",
          "modified": 1675935593,
          "uid": 0,
          "changed": 1675935593,
          "sha1hex": "454634df6b7cd32a4dcca9d346eb3efb34dc780d",
          "isAppBundle": false,
          "isScreenShot": false,
          "path": "\\/usr\\/sbin\\/cfprefsd",
          "size": 200608,
          "gid": 0,
          "inode": 1152921500312430765,
          "mode": 33261,
          "isDownload": false,
          "created": 1675935593,
          "accessed": 1675935593,
          "fsid": 16777220,
          "signingInfo": {
            "status": 0,
            "cdhash": "SXboWMc7MOtMM0K3pOxRjqR59w0=",
            "authorities": [
              "Software Signing",
              "Apple Code Signing Certification Authority",
              "Apple Root CA"
            ],
            "teamid": "",
            "signerType": 0,
            "statusMessage": "No error.",
            "entitlements": [],
            "appid": "com.dummy.domain"
          },
          "isDirectory": false
        }
      ],
      "groups": [
        {
          "gid": 0,
          "name": "wheel",
          "uuid": "FVFZQ5FDLYWG0"
        }
      ],
      "processes": [
        {
          "originalParentPID": 1,
          "uuid": "06D1425D-082A-4E11-81E4-75A9E3F2B8EF",
          "ruid": 0,
          "uid": 0,
          "startTimestamp": 1676976036,
          "ppid": 1,
          "path": "\\/usr\\/sbin\\/cfprefsd",
          "gid": 0,
          "rgid": 0,
          "args": [
            "\\/usr\\/sbin\\/cfprefsd",
            "daemon"
          ],
          "signingInfo": {
            "status": 0,
            "cdhash": "SXboWMc7MOtMM0K3pOxRjqR59w0=",
            "authorities": [
              "Software Signing",
              "Apple Code Signing Certification Authority",
              "Apple Root CA"
            ],
            "teamid": "",
            "signerType": 0,
            "statusMessage": "No error.",
            "entitlements": [],
            "appid": "com.dummy.domain"
          },
          "pid": 148,
          "name": "dummyhostname",
          "pgid": 148
        }
      ]
    }
  },
  "caid": "a2afe04d1360c01a0758ad3319c9af305f794801917b0c04648e4d7a9d7d746b",
  "certid": "05f5b0fa822a2f5e9a29f018853e8f2d99b94c8af38f40268a9479f2e6038e6b"
}

Référence du mappage de champs

Cette section explique comment l'analyseur Google Security Operations mappe les champs Jamf Protect aux champs du modèle de données unifié (UDM) Google Security Operations.

Référence du mappage des champs : identifiant d'événement vers type d'événement

Le tableau suivant liste les types de journaux JAMF_PROTECT et les types d'événements UDM correspondants.

Event Identifier	Event Type
`GPClickEvent`	`SCAN_UNCATEGORIZED`
`GPDownloadEvent`	`SCAN_FILE`
`GPFSEvent`	`SCAN_FILE`
`GPGatekeeperEvent`	`SCAN_UNCATEGORIZED`
`GPKeylogRegisterEvent`	`SCAN_UNCATEGORIZED`
`GPMRTEvent`	`SCAN_UNCATEGORIZED`
`GPPreventedExecutionEvent`	`SCAN_UNCATEGORIZED`
`GPProcessEvent`	`SCAN_PROCESS`
`GPThreatMatchExecEvent`	`SCAN_UNCATEGORIZED`
`GPUSBEvent`	`SCAN_UNCATEGORIZED`
`GPUnifiedLogEvent`	`SCAN_UNCATEGORIZED`
`GPScreenshotEvent`	`SCAN_UNCATEGORIZED`
`Auth-mount`	`SCAN_UNCATEGORIZED`

Référence du mappage de champ : JAMF_PROTECT

Le tableau suivant liste les champs de journaux du type de journal JAMF_PROTECT et les champs UDM correspondants.

Log field	UDM mapping	Logic
	`about.platform`	The `about.platform` UDM field is set to `MAC`.
`caid`	`about.labels[caid]` (deprecated)
`caid`	`additional.fields[caid]`
`certid`	`principal.asset.attribute.labels [certid]`
`context.identity.claims.certid`	`principal.user.attribute.permissions.description`
`context.identity.claims.clientid`	`principal.user.attribute.labels [context_identity_claims_clientid]`
`input.eventType`	`metadata.product_event_type`
`input.host.hostname`	`principal.hostname`
`input.host.ips`	`principal.ip`
`input.host.os`	`principal.platform_version`
`input.host.protectVersion`	`principal.asset.attribute.labels [input_host_protectversion]`
`input.match.version`	`additional.fields [input_match_version]`
`input.match.facts.matchReason`	`security_result.detection_fields [input_match_facts_matchreason]`
`input.related.files.objectType`	`additional.fields [input_related_files_objecttype]`
`input.host.provisioningUDID`	`principal.asset.product_object_id`
`input.host.serial`	`principal.asset.hardware.serial_number`
`input.match.actions.name`	`security_result.outcomes [input_match_actions_name]`
`input.match.actions.parameters.message`	`security_result.summary`	If the `index` value is equal to `0`, then the `input.match.actions.parameters.message` log field is mapped to the `security_result.summary` UDM field. Else, the `input.match.actions.parameters.message` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.actions.parameters.title`	`security_result.description`	If the `index` value is equal to `0`, then the `input.match.actions.parameters.title` log field is mapped to the `security_result.description` UDM field. Else, the `input.match.actions.parameters.title` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.context.name`	`security_result.detection_fields.key`
`input.match.context.value`	`security_result.detection_fields.value [Name]`
`input.match.context.valueType`
`input.match.custom`	`security_result.detection_fields [input_match_custom]`
`input.match.event.blocked`	`security_result.action`	If the `input.match.event.blocked` log field value is not empty, then the `security_result.action` UDM field is set to `BLOCK`.
`context.identity.claims.hd, input.match.uuid`	`security_result.url_back_to_product`	The `security_result.url_back_to_product` UDM field is set to `https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid`.
`input.match.event.category`	`security_result.category_details`
`input.match.event.clickType`	`principal.labels[input_match_event_click_type]` (deprecated)	If the `input.match.event.clickType` log field value is equal to `0`, then the `principal.labels.value` UDM field is set to `0 - Other`. Else, if the `input.match.event.clickType` log field value is equal to `1`, then the `principal.labels.value` UDM field is set to `1 - Left Down`. Else, if the `input.match.event.clickType` log field value is equal to `2`, then the `principal.labels.value` UDM field is set to `2 - Left Up`. Else, if the `input.match.event.clickType` log field value is equal to `3`, then the `principal.labels.value` UDM field is set to `3 - Right Down`. Else, if the `input.match.event.clickType` log field value is equal to `4`, then the `principal.labels.value` UDM field is set to `4 - Right Up`.
`input.match.event.clickType`	`additional.fields[input_match_event_click_type]`	If the `input.match.event.clickType` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - Other`. Else, if the `input.match.event.clickType` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Left Down`. Else, if the `input.match.event.clickType` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `2 - Left Up`. Else, if the `input.match.event.clickType` log field value is equal to `3`, then the `additional.fields.value.string_value` UDM field is set to `3 - Right Down`. Else, if the `input.match.event.clickType` log field value is equal to `4`, then the `additional.fields.value.string_value` UDM field is set to `4 - Right Up`.
`input.match.event.composedMessage`	`principal.labels[input_match_event_composed_message]` (deprecated)
`input.match.event.composedMessage`	`additional.fields[input_match_event_composed_message]`
`input.match.event.dev`	`principal.labels[input_match_event_dev]` (deprecated)
`input.match.event.dev`	`additional.fields[input_match_event_dev]`
`input.match.event.eventID`	`principal.labels[input_match_event_eventID]` (deprecated)
`input.match.event.eventID`	`additional.fields[input_match_event_eventID]`
`input.match.event.gid`	`principal.user.group_identifiers`
`input.match.event.iNode`	`target.file.stat_inode`
`input.match.event.matchType`	`principal.labels[input_match_event_match_type]` (deprecated)
`input.match.event.matchType`	`additional.fields[input_match_event_match_type]`
`input.match.event.matchValue`	`security_result.threat_name`	If the `input.match.event.matchType` log field value is not empty, then the `input.match.event.matchValue` log field is mapped to the `security_result.threat_name` UDM field.
`input.match.event.name`	`about.labels[input_match_event_name]` (deprecated)
`input.match.event.name`	`additional.fields[input_match_event_name]`
`input.match.facts.name`	`metadata.description`	If the `index` value is equal to `0`, then the `input.match.facts.name` log field is mapped to the `metadata.description` UDM field.
`input.match.event.path`	`target.process.file.full_path`
`input.match.event.pid`	`principal.process.pid`
`input.match.event.prevFile`	`src.file.full_path`	If the `input.match.event.prevFile` log field value is not empty, then the `input.match.event.prevFile` log field is mapped to the `src.file.full_path` UDM field.
`input.match.event.process`	`principal.process.file.names`
`input.match.event.process.args`	`target.process.command_line_history`
`input.match.event.process.gid`	`target.group.product_object_id`
`input.match.event.process.name`	`target.process.file.names`
`input.match.event.process.originalParentPID`	`target.process.parent_process.pid`
`input.match.event.process.path`	`target.process.file.full_path`
`input.match.event.process.pgid`	`target.labels[input_match_event_processes_pgid]` (deprecated)
`input.match.event.process.pgid`	`additional.fields[input_match_event_processes_pgid]`
`input.match.event.process.pid`	`target.process.pid`
`input.match.event.process.ppid`	`target.labels[input_match_event_process_ppid]` (deprecated)
`input.match.event.process.ppid`	`additional.fields[input_match_event_process_ppid]`
`input.match.event.process.responsiblePID`	`target.labels[input_match_event_process_responsible_pid]` (deprecated)
`input.match.event.process.responsiblePID`	`additional.fields[input_match_event_process_responsible_pid]`
`input.match.event.process.rgid`	`target.labels[input_match_event_process_rgid]` (deprecated)
`input.match.event.process.rgid`	`additional.fields[input_match_event_process_rgid]`
`input.match.event.process.ruid`	`target.labels[input_match_event_process_ruid]` (deprecated)
`input.match.event.process.ruid`	`additional.fields[input_match_event_process_ruid]`
`input.match.event.process.signingInfo.appid`	`target.user.attribute.labels [input_match_event_process_sign_appid]`
`input.match.event.process.signingInfo.authorities`	`target.user.attribute.permissions`
`input.match.event.process.signingInfo.cdhash`	`target.user.attribute.labels [input_match_event_process_sign_cdhash]`
`input.match.event.process.signingInfo.entitlements`	`target.user.attributes.permissions`
`input.match.event.process.signingInfo.signerType`	`target.user.attribute.labels [input_match_event_process_sign_signer_type]`	If the `input.related.process.signingInfo.signerType` log field value is equal to `0`, then the `target.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `1`, then the `target.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `2`, then the `target.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `3`, then the `target.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `4`, then the `target.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.match.event.process.signingInfo.status`	`target.user.attribute.labels [input_match_event_process_sign_status]`
`input.match.event.process.signingInfo.statusMessage`	`target.labels[input_match_event_process_sign_status_message]` (deprecated)
`input.match.event.process.signingInfo.statusMessage`	`additional.fields[input_match_event_process_sign_status_message]`
`input.match.event.process.signingInfo.teamid`	`target.user.group_identifiers`
`input.match.event.process.startTimestamp`	`target.labels[input_match_event_process_start_time_stamp]` (deprecated)
`input.match.event.process.startTimestamp`	`additional.fields[input_match_event_process_start_time_stamp]`
`input.match.event.process.uid`	`target.labels[input_match_event_process_uid]` (deprecated)
`input.match.event.process.uid`	`additional.fields[input_match_event_process_uid]`
`input.match.event.process.uuid`	`target.process.product_specific_process_id`	The `Process Uuid: input.match.event.process.uuid` log field is mapped to the `target.process.product_specific_process_id` UDM field.
`input.match.event.processIdentifier`	`target.process.pid`
`input.match.event.processImagePath`	`target.process.file.full_path`
`input.match.event.rateLimitingSecs`	`principal.labels[input_match_event_rate_limiting_secs]` (deprecated)
`input.match.event.rateLimitingSecs`	`additional.fields[input_match_event_rate_limiting_secs]`
`input.match.event.scriptPath`	`principal.labels[input_match_event_script_path]` (deprecated)
`input.match.event.scriptPath`	`additional.fields[input_match_event_script_path]`
`input.match.event.sender`	`principal.labels[input_match_event_sender]` (deprecated)
`input.match.event.sender`	`additional.fields[input_match_event_sender]`
`input.match.event.senderImagePath`	`principal.labels[input_match_event_sender_image_path]` (deprecated)
`input.match.event.senderImagePath`	`additional.fields[input_match_event_sender_image_path]`
`input.match.event.subsystem`	`principal.labels[input_match_event_subsystem]` (deprecated)
`input.match.event.subsystem`	`additional.fields[input_match_event_subsystem]`
`input.match.event.subType`	`principal.labels[input_match_event_sub_type]` (deprecated)	If the `input.match.event.subType` log field value is equal to `7`, then the `principal.labels.value` UDM field is set to `7 - Exec`. Else, if the `input.match.event.subType` log field value is equal to `2`, then the `principal.labels.value` UDM field is set to `2 - Fork`. Else, if the `input.match.event.subType` log field value is equal to `1`, then the `principal.labels.value` UDM field is set to `1 - Exit`. Else, if the `input.match.event.subType` log field value is equal to `23`, then the `principal.labels.value` UDM field is set to `23 - Execve`. Else, if the `input.match.event.subType` log field value is equal to `43190`, then the `principal.labels.value` UDM field is set to `43190 - Posix Spawn`.
`input.match.event.subType`	`additional.fields[input_match_event_sub_type]`	If the `input.match.event.subType` log field value is equal to `7`, then the `additional.fields.value.string_value` UDM field is set to `7 - Exec`. Else, if the `input.match.event.subType` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `2 - Fork`. Else, if the `input.match.event.subType` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Exit`. Else, if the `input.match.event.subType` log field value is equal to `23`, then the `additional.fields.value.string_value` UDM field is set to `23 - Execve`. Else, if the `input.match.event.subType` log field value is equal to `43190`, then the `additional.fields.value.string_value` UDM field is set to `43190 - Posix Spawn`.
`input.match.event.tags`	`security_result.rule_labels [input_match_event_tags]`
`input.match.event.targetpid`	`target.process.pid`
`input.match.event.timestamp`	`metadata.event_timestamp`
`input.match.event.type`	`target.labels[input_match_event_type]` (deprecated)	If the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `0`, then the `target.labels.value` UDM field is set to `0 - Created`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `1`, then the `target.labels.value` UDM field is set to `1 - Deleted`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `3`, then the `target.labels.value` UDM field is set to `3 - Renamed`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `4`, then the `target.labels.value` UDM field is set to `4 - Modified`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `7`, then the `target.labels.value` UDM field is set to `7 - Created Dir`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `0`, then the `target.labels.value` UDM field is set to `0 - None`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `1`, then the `target.labels.value` UDM field is set to `1 - Create`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `2`, then the `target.labels.value` UDM field is set to `0 - Exit`.
`input.match.event.type`	`additional.fields[input_match_event_type]`	If the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - Created`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Deleted`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `3`, then the `additional.fields.value.string_value` UDM field is set to `3 - Renamed`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `4`, then the `additional.fields.value.string_value` UDM field is set to `4 - Modified`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `7`, then the `additional.fields.value.string_value` UDM field is set to `7 - Created Dir`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - None`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Create`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `0 - Exit`.
`input.match.event.uid`	`principal.user.userid`
`input.match.event.uuid`	`about.labels[input_match_event_uuid]` (deprecated)
`input.match.event.uuid`	`additional.fields[input_match_event_uuid]`
`input.match.facts.actions.name`	`security_result.action_details`	If the `index` value is equal to `0`, then the `input.match.facts.actions.name` log field is mapped to the `security_result.action_details` UDM field. Else, the `input.match.facts.actions.name` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.match.facts.actions.parameters.id`	`security_result.detection_fields [input_match_facts_actions_parameters_id]`
`input.match.facts.actions.parameters.message`	`security_result.detection_fields [input_match_facts_actions_parameters_message]`
`input.match.facts.actions.parameters.title`	`security_result.detection_fields [input_match_facts_actions_parameters_title]`
`input.match.facts.context.name`	`security_result.detection_fields.key`
`input.match.facts.context.value`	`security_result.detection_fields.value [Name]`
`input.match.facts.context.valueType`
`input.match.facts.human`	`security_result.action`	If the `input.match.facts.human` log field value is matched with regex `(?i)blocked`, then the `security_result.action` UDM field is set to `BLOCK`.
`input.match.facts.human`	`security_result.description`	If the `index` value is equal to `0`, then the `input.match.facts.human` log field is mapped to the `security_result.description` UDM field. Else, the `input.match.facts.human` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.facts.name`	`security_result.summary`	If the `index` value is equal to `0`, then the `input.match.facts.name` log field is mapped to the `security_result.summary` UDM field. Else, the `input.match.facts.name` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.facts.severity`	`security_result.detection_fields [input_match_facts_severity]`
`input.match.facts.tags`	`security_result.rule_labels [input_match_facts_tags]`
`input.match.facts.uuid`	`about.labels [input_match_facts_uuid]`
`input.match.facts.version`	`about.labels [input_match_facts_version]`
`input.match.severity`	`security_result.severity`	If the `severity` log field value is equal to `0`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `severity` log field value is equal to `1`, then the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity` log field value is equal to `2`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is equal to `3`, then the `security_result.severity` UDM field is set to `HIGH`.
`input.match.tags`	`security_result.rule_labels [input_match_tags]`
`input.match.uuid`	`metadata.product_log_id`
`input.related.binaries.accessed`	`security_result.about.labels [input_related_binaries_accessed]`
`input.related.binaries.changed`	`security_result.about.labels [input_related_binaries_changed]`
`input.related.binaries.created`	`security_result.about.file.first_seen_time`	If the `index` value is equal to `0`, then the `input.related.binaries.created` log field is mapped to the `security_result.about.file.first_seen_time` UDM field. Else, the `input.related.binaries.created` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.fsid`	`security_result.about.labels [input_related_binaries_fsid]`
`input.related.binaries.gid`	`security_result.about.labels [input_related_binaries_gid]`
`input.related.binaries.inode`	`security_result.about.file.stat_inode`	If the `index` value is equal to `0`, then the `input.related.binaries.inode` log field is mapped to the `security_result.about.file.stat_inode` UDM field. Else, the `input.related.binaries.inode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.isAppBundle`	`security_result.about.labels [isAppBundle]`
`input.related.binaries.isDirectory`	`security_result.about.labels [isDirectory]`
`input.related.binaries.isDownload`	`security_result.about.labels [isDownload]`
`input.related.binaries.isScreenShot`	`security_result.about.labels [isScreenShot]`
`input.related.binaries.mode`	`security_result.about.file.stat_mode`	If the `index` value is equal to `0`, then the `input.related.binaries.mode` log field is mapped to the `security_result.about.file.stat_mode` UDM field. Else, the `input.related.binaries.mode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.modified`	`security_result.about.file.last_modification_time`	If the `index` value is equal to `0`, then the `input.related.binaries.modified` log field is mapped to the `security_result.about.file.last_modification_time` UDM field. Else, the `input.related.binaries.modified` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.path`	`security_result.about.file.full_path`	If the `index` value is equal to `0`, then the `input.related.binaries.path` log field is mapped to the `security_result.about.file.full_path` UDM field. Else, the `input.related.binaries.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.sha1hex`	`security_result.about.file.sha1`	If the `index` value is equal to `0`, then the `input.related.binaries.sha1hex` log field is mapped to the `security_result.about.file.sha1` UDM field. Else, the `input.related.binaries.sha1hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.sha256hex`	`security_result.about.file.sha256`	If the `index` value is equal to `0`, then the `input.related.binaries.sha256hex` log field is mapped to the `security_result.about.file.sha256` UDM field. Else, the `input.related.binaries.sha256hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.binaries.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.binaries.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.signingInfo.authorities`	`security_result.about.user.attribute.permissions`
`input.related.binaries.signingInfo.cdhash`	`security_result.about.labels [input_related_binaries_sign_cdhash]`
`input.related.binaries.signingInfo.entitlements`	`security_result.about.user.attribute.permisisons`
`input.related.binaries.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type]`	If the `input.related.binaries.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.binaries.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_binaries_sign_status]`
`input.related.binaries.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_processes_sign_status_message]`
`input.related.binaries.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.binaries.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.binaries.signingInfo.teamid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.binaries.size`	`security_result.about.file.size`	If the `index` value is equal to `0`, then the `input.related.binaries.size` log field is mapped to the `security_result.about.file.size` UDM field. Else, the `input.related.binaries.size` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.binaries.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.binaries.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.binaries.xattrs`	`security_result.about.user.attribute.labels [input_related_binaries_xattrs]`
`input.related.files.accessed`	`security_result.about.labels [input_related_files_accessed]`
`input.related.files.changed`	`security_result.about.labels [input_related_files_changed]`
`input.related.files.created`	`security_result.about.labels [input_related_files_created]`
`input.related.files.downloadedFrom`	`security_result.about.labels [input_related_files_downloaded_from]`
`input.related.files.fsid`	`security_result.about.labels [input_related_files_downloaded_fsid]`
`input.related.files.gid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.files.gid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.files.gid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.inode`	`security_result.about.file.stat_inode`	If the `index` value is equal to `0`, then the `input.related.files.inode` log field is mapped to the `security_result.about.file.stat_inode` UDM field. Else, the `input.related.files.inode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.isAppBundle`	`security_result.about.labels [input_related_files_downloaded_is_app_bundle]`
`input.related.files.isDirectory`	`security_result.about.labels [input_related_files_is_directory]`
`input.related.files.isDownload`	`security_result.about.labels [input_related_files_is_download]`
`input.related.files.isScreenShot`	`security_result.about.labels [input_related_files_is_screenshot]`
`input.related.files.mode`	`security_result.about.file.stat_mode`	If the `index` value is equal to `0`, then the `input.related.files.mode` log field is mapped to the `security_result.about.file.stat_mode` UDM field. Else, the `input.related.files.mode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.modified`	`security_result.about.file.last_modification_time`	If the `index` value is equal to `0`, then the `input.related.files.modified` log field is mapped to the `security_result.about.file.last_modification_time` UDM field. Else, the `input.related.files.modified` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.path`	`security_result.about.file.full_path`	If the `index` value is equal to `0`, then the `input.related.files.path` log field is mapped to the `security_result.about.file.full_path` UDM field. Else, the `input.related.files.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.sha1hex`	`security_result.about.file.sha1`	If the `index` value is equal to `0`, then the `input.related.files.sha1hex` log field is mapped to the `security_result.about.file.sha1` UDM field. Else, the `input.related.files.sha1hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.sha256hex`	`security_result.about.file.sha256`	If the `index` value is equal to `0`, then the `input.related.files.sha256hex` log field is mapped to the `security_result.about.file.sha256` UDM field. Else, the `input.related.files.sha256hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.files.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.files.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.signingInfo.authorities`	`security_result.about.user.attribute.permissions`
`input.related.files.signingInfo.cdhash`	`security_result.about.labels [[input_related_files_sign_cdhash]`
`input.related.files.signingInfo.entitlements`	`security_result.about.user.attribute.permissions`
`input.related.files.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type]`	If the `input.related.files.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.files.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_files_signing_info_status]`
`input.related.files.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_files_signing_info_status_message]`
`input.related.files.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.files.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.files.signingInfo.teamid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.files.size`	`security_result.about.file.size`	If the `index` value is equal to `0`, then if the `input.related.files.size` log field value is not equal to `0`, then the `input.related.files.size` log field is mapped to the `security_result.about.file.size` UDM field. Else, the `input.related.files.size` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.files.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.files.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.files.xattrs`	`security_result.about.labels [input_related_files_xattrs]`
`input.related.groups.gid`	`security_result.about.group.attribute.labels [input_related_groups_gid]`
`input.related.groups.name`	`security_result.about.group.group_display_name`	If the `index` value is equal to `0`, then the `input.related.groups.name` log field is mapped to the `security_result.about.group.group_display_name` UDM field. Else, the `input.related.groups.name` log field is mapped to the `security_result.about.group.attribute.labels.value` UDM field.
`input.related.groups.uuid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.groups.uuid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.groups.uuid` log field is mapped to the `security_result.about.group.attribute.labels.value` UDM field.
`input.related.processes.appPath`	`security_result.about.labels [input_related_processes_app_path]`
`input.related.processes.args`	`security_result.about.process.command_line_history`
`input.related.processes.exitCode`	`security_result.about.labels [input_related_processes_exit_code]`
`input.related.processes.gid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.processes.gid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.processes.gid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.name`	`security_result.about.process.file.names`
`input.related.processes.originalParentPID`	`security_result.about.process.parent_process.pid`	If the `index` value is equal to `0`, then the `input.related.processes.originalParentPID` log field is mapped to the `security_result.about.process.parent_process.pid` UDM field. Else, the `input.related.processes.originalParentPID` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.path`	`security_result.about.process.file.full_path`	If the `index` value is equal to `0`, then the `input.related.processes.path` log field is mapped to the `security_result.about.process.file.full_path` UDM field. Else, the `input.related.processes.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.pgid`	`security_result.about.labels [input_related_process_pgid]`
`input.related.processes.pid`	`security_result.about.process.pid`	If the `index` value is equal to `0`, then the `input.related.processes.pid` log field is mapped to the `security_result.about.process.pid` UDM field. Else, the `input.related.processes.pid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.ppid`	`security_result.about.labels [input_related_processes_ppid]`
`input.related.processes.responsiblePID`	`security_result.about.labels [input_related_processes_responsible_pid]`
`input.related.processes.rgid`	`security_result.about.labels [input_related_processes_rgid]`
`input.related.processes.ruid`	`security_result.about.labels [input_related_processes_ruid]`
`input.related.processes.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.processes.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.processes.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.signingInfo.authorities`	`security_result.about.user.attributes.permission`
`input.related.processes.signingInfo.cdhash`	`security_result.about.user.attribute.labels [input_related_processes_sign_cdhash]`
`input.related.processes.signingInfo.entitlements`	`security_result.about.user.attributes.permission`
`input.related.processes.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_processes_sign_signer_type]`	If the `input.related.processes.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.processes .signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.processes.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_processes_sign_status]`
`input.related.processes.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_processes_sign_status_message]`
`input.related.processes.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.processes.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.processes.signingInfo.teamid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.startTimestamp`	`security_result.about.labels [input_related_processes_start_time_stamp]`
`input.related.processes.tty`	`security_result.about.labels [input_related_processes_tty]`
`input.related.processes.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.processes.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.processes.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.processes.uuid`	`security_result.about.process.product_specific_process_id`	If the `index` value is equal to `0`, then the `Process Uuid: input.related.processes.uuid` log field is mapped to the `security_result.about.process.product_specific_process_id` UDM field. Else, the `input.related.processes.uuid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.users.name`	`security_result.about.user.user_display_name`	If the `index` value is equal to `0`, then the `input.related.users.name` log field is mapped to the `security_result.about.user.user_display_name` UDM field. Else, the `input.related.users.name` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.users.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.users.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.users.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.users.uuid`	`security_result.about.user.product_object_id`	If the `index` value is equal to `0`, then the `input.related.users.uuid` log field is mapped to the `security_result.about.user.product_object_id` UDM field. Else, the `input.related.users.uuid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`key`	`about.labels[key]` (deprecated)
`key`	`additional.fields[key]`
`path`	`target.file.full_path`	If the `index` value is equal to `0`, then the `path` log field is mapped to the `target.file.full_path` UDM field. Else, the `path` log field is mapped to the `target.labels.value` UDM field.
`queue`	`principal.labels[queue]` (deprecated)
`queue`	`additional.fields[queue]`
`region`	`principal.location.name`
`timestamp`	`metadata.creation_timestamp`
`topic`	`about.labels[topic]` (deprecated)
`topic`	`additional.fields[topic]`
`topicType`	`about.labels[topicType]` (deprecated)
`topicType`	`additional.fields[topicType]`
`version`	`metadata.product_version`
	`is_alert`	The `is_alert` UDM field is set to `TRUE`.
	`is_significant`	The `is_significant` UDM field is set to `TRUE`.
`input.eventType`	`metadata.event_type`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `JAMF_PROTECT`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `JAMF`.
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `STORAGE_BUCKET`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `STORAGE_BUCKET`.
`input.match.event.options`	`about.labels[input_match_event_options]` (deprecated)
`input.match.event.options`	`additional.fields[input_match_event_options]`
`input.match.event.sourcePID`	`principal.process.pid`
`input.match.event.destinationPID`	`target.process.pid`
`image.match.event.detection`	`security_result.detection_fields [image_match_event_detection]`
`input.match.type`	`target.asset.attribute.labels [input_match_type]`	If the `input.match.type` log field value is equal to `0`, then the `target.asset.attribute.labels.value` UDM field is set to `0 - Device Inserted`. Else, if the `input.match.type` log field value is equal to `1`, then the `target.asset.attribute.labels.value` UDM field is set to `1 - Device Removed`.
`input.match.usbAddress`	`target.asset.attribute.labels [input_match_usb_address]`
`input.match.event.device.mediaPath`	`target.asset.attribute.labels [input_match_device_media_path]`
`input.match.event.device.protocol`	`target.asset.attribute.labels [input_match_device_protocol]`
`input.match.event.device.deviceModel`	`target.asset.hardware.model`
`input.match.event.device.isRemovable`	`target.asset.attribute.labels [input_match_device_is_removable]`
`input.match.event.device.mediaName`	`target.asset.attribute.labels [input_match_device_media_name]`
`input.match.event.device.bsdMinor`	`target.asset.attribute.labels [input_match_device_bsd_minor]`
`input.match.event.device.vendorName`	`target.asset.software.vendor_name`
`input.match.event.device.isWhole`	`target.asset.attribute.labels [input_match_device_is_whole]`
`input.match.event.device.unit`	`target.asset.attribute.labels [input_match_device_unit]`
`input.match.event.device.deviceSubclass`	`target.asset.attribute.labels [input_match_device_subclass]`
`input.match.event.device.serialNumber`	`target.asset.hardware.serial`
`input.match.event.device.bsdUnit`	`target.asset.attribute.labels [input_match_device_bsd_unit]`
`input.match.event.device.busPath`	`target.asset.attribute.labels [input_match_device_bus_path]`
`input.match.event.device.isLeaf`	`target.asset.attribute.labels [input_match_device_is_leaf]`
`input.match.event.device.isInternal`	`target.asset.attribute.labels [input_match_device_is_internal]`
`input.match.event.device.busName`	`target.asset.attribute.labels [input_match_device_bus_name]`
`input.match.event.device.bsdMajor`	`target.asset.attribute.labels [input_match_device_bsd_major]`
`input.match.event.device.isEjectable`	`target.asset.attribute.labels [input_match_device_is_ejectable]`
`input.match.event.device.isEncrypted`	`target.asset.attribute.labels [input_match_device_is_encrypted]`
`input.match.event.device.isEncryptable`	`target.asset.attribute.labels [input_match_device_is_encryptable]`
`input.match.event.device.devicePath`	`target.asset.attribute.labels [input_match_device_path]`
`input.match.event.device.bsdName`	`target.asset.attribute.labels [input_match_device_bsd_name]`
`input.match.event.device.vendorId`	`target.asset.attribute.labels [input_match_device_vendor_id]`
`input.match.event.device.content`	`target.asset.attribute.labels [input_match_device_content]`
`input.match.event.device.revision`	`target.asset.attribute.labels [input_match_device_revision]`
`input.match.event.device.size`	`target.asset.attribute.labels [input_match_device_size]`
`input.match.event.device.isNetworkVolume`	`target.asset.attribute.labels [input_match_device_is_network_volume]`
`input.match.event.device.blocksize`	`target.asset.attribute.labels [input_match_device_block_size]`
`input.match.event.device.productName`	`target.asset.attribute.labels [input_match_device_product_name]`
`input.match.event.device.mediaKind`	`target.asset.attribute.labels [input_match_device_media_kind]`
`input.match.event.device.isWritable`	`target.asset.attribute.labels [input_match_device_is_writable]`
`input.match.event.device.productId`	`target.asset.product_object_id`
`input.match.event.device.productId`	`target.asset.asset_id`	The `Asset Id: input.match.event.device.productId` log field is mapped to the `target.asset.asset_id` UDM field.
`input.match.event.device.deviceClass`	`target.asset.category`
`input.match.event.device.encryptionDetail`	`target.asset.attribute.labels [input_match_device_encryption_detail]`
`input.match.event.device.volumeKind`	`target.asset.attribute.labels [input_match_event_device_volume_kind]`
`input.match.event.device.volumeName`	`target.asset.attribute.labels [input_match_event_device_volume_name]`
`input.match.event.device.volumeType`	`target.asset.attribute.labels [input_match_event_device_volume_type]`
`input.match.event.device.isMountable`	`target.asset.attribute.labels [input_match_event_device_is_mountable]`
`input.match.event.device.encryptionDetail`	`target.asset.attribute.labels [input_match_event_device_encryption_detail]`
`input.match.event.fsid`	`principal.labels [input_match_event_fsid]`
`input.match.event.bfree`	`principal.labels[input_match_event_bfree]` (deprecated)
`input.match.event.bfree`	`additional.fields[input_match_event_bfree]`
`input.match.event.bsize`	`principal.labels[input_match_event_bsize]` (deprecated)
`input.match.event.bsize`	`additional.fields[input_match_event_bsize]`
`input.match.event.ffree`	`principal.labels[input_match_event_ffree]` (deprecated)
`input.match.event.ffree`	`additional.fields[input_match_event_ffree]`
`input.match.event.files`	`principal.labels[input_match_event_files]` (deprecated)
`input.match.event.files`	`additional.fields[input_match_event_files]`
`input.match.event.flags`	`principal.labels[input_match_event_flags]` (deprecated)
`input.match.event.flags`	`additional.fields[input_match_event_flags]`
`input.match.event.owner`	`principal.user.user_display_name`
`input.match.event.bavail`	`principal.labels[input_match_event_bvail]` (deprecated)
`input.match.event.bavail`	`additional.fields[input_match_event_bvail]`
`input.match.event.blocks`	`principal.labels[input_match_event_blocks]` (deprecated)
`input.match.event.blocks`	`additional.fields[input_match_event_blocks]`
`input.match.event.iosize`	`principal.labels[input_match_event_iosize]` (deprecated)
`input.match.event.iosize`	`additional.fields[input_match_event_iosize]`
`input.match.event.version`	`principal.labels[input_match_event_version]` (deprecated)
`input.match.event.version`	`additional.fields[input_match_event_version]`
`input.match.event.deadline`	`principal.labels[input_match_event_deadline]` (deprecated)
`input.match.event.deadline`	`additional.fields[input_match_event_deadline]`
`input.match.event.flagsExt`	`principal.labels[input_match_event_flags_ext]` (deprecated)
`input.match.event.flagsExt`	`additional.fields[input_match_event_flags_ext]`
`input.match.event.fsSubType`	`principal.labels[input_match_event_fs_subtype]` (deprecated)
`input.match.event.fsSubType`	`additional.fields[input_match_event_fs_subtype]`
`input.match.event.mntOnName`	`principal.labels[input_match_event_mnt_on_name]` (deprecated)
`input.match.event.mntOnName`	`additional.fields[input_match_event_mnt_on_name]`
`input.match.event.fsTypeName`	`principal.labels[input_match_event_fs_type_name]` (deprecated)
`input.match.event.fsTypeName`	`additional.fields[input_match_event_fs_type_name]`
`input.match.event.isReadOnly`	`principal.labels[input_match_event_is_read_only]` (deprecated)
`input.match.event.isReadOnly`	`additional.fields[input_match_event_is_read_only]`
`input.match.event.mntFromName`	`principal.labels[input_match_event_mnt_from_name]` (deprecated)
`input.match.event.mntFromName`	`additional.fields[input_match_event_mnt_from_name]`
`input.match.event.machTimestamp`	`principal.labels[input_match_event_mach_timestamp]` (deprecated)
`input.match.event.machTimestamp`	`additional.fields[input_match_event_mach_timestamp]`
`input.match.event.sequenceNumber`	`principal.labels[input_match_event_seq_number]` (deprecated)
`input.match.event.sequenceNumber`	`additional.fields[input_match_event_seq_number]`
`input.match.event.globalSequenceNumber`	`principal.labels[input_match_event_global_seq_number]` (deprecated)
`input.match.event.globalSequenceNumber`	`additional.fields[input_match_event_global_seq_number]`

Étapes suivantes

Ingestion de données dans Google Security Operations

Vous avez encore besoin d'aide ? Obtenez des réponses de membres de la communauté et de professionnels Google SecOps.