Esta página foi traduzida pela API Cloud Translation.

Recolha registos do Jamf Protect

Compatível com:

Google secops SIEM

Este documento descreve como pode recolher registos do Jamf Protect configurando um feed do Google Security Operations e como os campos de registo são mapeados para os campos do modelo de dados unificado (UDM) do Google Security Operations. Este documento também indica a versão do Jamf Protect suportada.

Para mais informações, consulte o artigo Ingestão de dados no Google Security Operations.

Uma implementação típica consiste no Jamf Protect e no feed do Google Security Operations configurados para enviar registos para o Google Security Operations. Cada implementação do cliente pode ser diferente e mais complexa.

A implementação contém os seguintes componentes:

Jamf Protect. A plataforma Jamf Protect a partir da qual recolhe registos.
Feed do Google Security Operations. O feed do Google Security Operations que obtém registos do Jamf Protect e escreve registos no Google Security Operations.
Google Security Operations. O Google Security Operations retém e analisa os registos do Jamf Protect.

Uma etiqueta de carregamento identifica o analisador que normaliza os dados de registo não processados para o formato UDM estruturado. As informações neste documento aplicam-se ao analisador com a etiqueta de carregamento JAMF_PROTECT.

Antes de começar

Certifique-se de que cumpre os seguintes pré-requisitos:

Uma configuração do Jamf Protect
Jamf Protect versão 4.0.0 ou posterior
Todos os sistemas na arquitetura de implementação estão configurados com o fuso horário UTC.

Configure feeds

Pode usar o Amazon S3 ou um webhook para configurar um feed de carregamento no Google SecOps.

Para configurar este tipo de registo, siga estes passos:

Aceda a Definições do SIEM > Feeds.
Clique em Adicionar novo feed.
Clique no pacote de feeds JAMF.
Especifique os valores para os seguintes campos:
- Tipo de origem: webhook (recomendado)
- Delimitador de divisão: o delimitador usado para separar linhas de registo, como \n.

Opções avançadas

Nome do feed: um valor pré-preenchido que identifica o feed.
Espaço de nomes do recurso: espaço de nomes associado ao feed.
Etiquetas de carregamento: etiquetas aplicadas a todos os eventos deste feed.
Clique em Criar feed.

Para mais informações sobre a configuração de vários feeds para diferentes tipos de registos nesta família de produtos, consulte o artigo Configure feeds por produto.

Crie uma chave da API para um feed de webhook

Aceda à Google Cloud consola > Credenciais.

Aceder a Credenciais
Clique em Criar credenciais e, de seguida, selecione Chave de API.
Restrinja o acesso da chave de API à API Google Security Operations.

Configure o Jamf Protect para um feed de webhook

Na aplicação Jamf Protect, navegue para a configuração de ações relacionada.
Para adicionar um novo ponto final de dados, clique em Criar ações.
Selecione HTTP como protocolo.
Introduza o URL HTTPS do ponto final da API Google Security Operations no campo URL. (Este é o campo Informações do ponto final que copiou da configuração do feed de webhook. Já está no formato necessário.)
Ative a autenticação especificando a chave da API e a chave secreta como parte do cabeçalho personalizado no seguinte formato:
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
Recomendação: especifique a chave da API como um cabeçalho em vez de a especificar no URL. Se o seu cliente de webhook não suportar cabeçalhos personalizados, pode especificar a chave da API e a chave secreta através de parâmetros de consulta no seguinte formato:
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```
Substitua o seguinte:
- ENDPOINT_URL: o URL do ponto final do feed.
- API_KEY: a chave da API para autenticar no Google Security Operations.
- SECRET: a chave secreta que gerou para autenticar o feed.
Na secção Recolher registos, selecione Alertas e registos unificados.
Clique em Enviar.

Para mais informações sobre os feeds do Google Security Operations, consulte a documentação dos feeds do Google Security Operations. Para obter informações sobre os requisitos de cada tipo de feed, consulte o artigo Configuração do feed por tipo.

Se tiver problemas ao criar feeds, contacte o apoio técnico das operações de segurança da Google.

Tipos de registos do Jamf Protect suportados

A tabela seguinte indica os tipos de registos suportados pelo analisador Jamf Protect:

Tipo de evento	Nome a apresentar
GPClickEvent	Eventos de cliques sintéticos
GPDownloadEvent	Transferir eventos
GPFSEvent	Eventos do sistema de ficheiros
GPGatekeeperEvent	Eventos de gatekeeper
GPKeylogRegisterEvent	Eventos de keylogger
GPMRTEvent	Monitorize eventos
GPPreventedExecutionEvent	Eventos de lista de exclusão personalizados
GPProcessEvent	Processar eventos
GPThreatMatchExecEvent	Eventos de prevenção contra ameaças
GPUSBEvent	Eventos USB
GPUnifiedLogEvent	Eventos de registo unificados
Auth-mount	Eventos de controlos de dispositivos

Formatos de registo do Jamf Protect suportados

O analisador do Jamf Protect suporta registos no formato JSON.

Registos de exemplo do Jamf Protect suportados

JSON

{
  "input": {
    "match": {
      "custom": false,
      "facts": [
        {
          "actions": [
            {
              "name": "CacheFile",
              "parameters": {}
            },
            {
              "name": "Report",
              "parameters": {}
            }
          ],
          "human": "Login Hook created for persistence",
          "context": [
            {
              "name": "ItemBinary",
              "value": "\\/path\\/to\\/suspiciousfile.sh",
              "valueType": "Binary"
            },
            {
              "name": "Itemname",
              "value": "\\/path\\/to\\/suspiciousfile.sh",
              "valueType": "String"
            }
          ],
          "uuid": "dummyuuid",
          "version": 2,
          "severity": 0,
          "tags": [
            "MITREattack",
            "T1037.002",
            "BootOrLogonAutostartExecution",
            "Persistence"
          ],
          "name": "LoginHook"
        }
      ],
      "event": {
        "timestamp": 1676994504.698714,
        "uid": 0,
        "eventID": 9141,
        "prevFile": "\\/private\\/var\\/folders\\/zz\\/zyxvpxvq6csfxvn_n0000000000000\\/T\\/TemporaryItems\\/com.apple.loginwindow.plist.X0YcxtR",
        "iNode": 62898,
        "dev": 16777220,
        "uuid": "AE7F101A-09AA-4CD6-940F-15EC2073E476",
        "path": "\\/var\\/root\\/Library\\/Preferences\\/com.dummy.path.plist",
        "type": 3,
        "gid": 0,
        "pid": 148
      },
      "uuid": "1263F6F0-6891-4105-993F-6889AB3A3555",
      "context": [
        {
          "name": "ItemBinary",
          "value": "\\/path\\/to\\/suspiciousfile.sh",
          "valueType": "Binary"
        },
        {
          "name": "Itemname",
          "value": "\\/path\\/to\\/suspiciousfile.sh",
          "valueType": "String"
        }
      ],
      "severity": 0,
      "tags": [
        "T1037.002",
        "Persistence",
        "BootOrLogonAutostartExecution",
        "MITREattack"
      ],
      "actions": [
        {
          "name": "CacheFile",
          "parameters": {}
        },
        {
          "name": "Report",
          "parameters": {}
        }
      ]
    },
    "host": {
      "ips": [
        "192.51.100.1"
      ],
      "provisioningUDID": "8AD54CA5-F0DC-5434-8147-26D1D8A426CD",
      "hostname": "dummy-hostname",
      "serial": "dummyserial"
    },
    "eventType": "GPFSEvent",
    "related": {
      "users": [
        {
          "uid": 0,
          "name": "root",
          "uuid": "dummyuid"
        }
      ],
      "files": [
        {
          "xattrs": [],
          "sha256hex": "67fc9bde97641361d3b521a01f8b907269a4d6434f2db10e163a71b70178b3d1",
          "modified": 1676985886,
          "uid": 0,
          "changed": 1676985886,
          "sha1hex": "e3bc8f9c241f86e7138ba6cfb0e0e206b131a7e3",
          "isAppBundle": false,
          "isScreenShot": false,
          "path": "\\/var\\/root\\/Library\\/Preferences\\/com.apple.loginwindow.plist",
          "size": 42,
          "gid": 0,
          "inode": 62898,
          "mode": 33152,
          "isDownload": false,
          "created": 1676985886,
          "accessed": 1676985886,
          "fsid": 16777220,
          "signingInfo": {
            "status": -67062,
            "authorities": [],
            "teamid": "",
            "signerType": 4,
            "statusMessage": "code object is not signed at all",
            "entitlements": [],
            "appid": ""
          },
          "isDirectory": false
        }
      ],
      "binaries": [
        {
          "xattrs": [],
          "sha256hex": "9a282c0623110b57953bb74238f02704f729eb9779381eef851b2ebe7626f890",
          "modified": 1675935593,
          "uid": 0,
          "changed": 1675935593,
          "sha1hex": "454634df6b7cd32a4dcca9d346eb3efb34dc780d",
          "isAppBundle": false,
          "isScreenShot": false,
          "path": "\\/usr\\/sbin\\/cfprefsd",
          "size": 200608,
          "gid": 0,
          "inode": 1152921500312430765,
          "mode": 33261,
          "isDownload": false,
          "created": 1675935593,
          "accessed": 1675935593,
          "fsid": 16777220,
          "signingInfo": {
            "status": 0,
            "cdhash": "SXboWMc7MOtMM0K3pOxRjqR59w0=",
            "authorities": [
              "Software Signing",
              "Apple Code Signing Certification Authority",
              "Apple Root CA"
            ],
            "teamid": "",
            "signerType": 0,
            "statusMessage": "No error.",
            "entitlements": [],
            "appid": "com.dummy.domain"
          },
          "isDirectory": false
        }
      ],
      "groups": [
        {
          "gid": 0,
          "name": "wheel",
          "uuid": "FVFZQ5FDLYWG0"
        }
      ],
      "processes": [
        {
          "originalParentPID": 1,
          "uuid": "06D1425D-082A-4E11-81E4-75A9E3F2B8EF",
          "ruid": 0,
          "uid": 0,
          "startTimestamp": 1676976036,
          "ppid": 1,
          "path": "\\/usr\\/sbin\\/cfprefsd",
          "gid": 0,
          "rgid": 0,
          "args": [
            "\\/usr\\/sbin\\/cfprefsd",
            "daemon"
          ],
          "signingInfo": {
            "status": 0,
            "cdhash": "SXboWMc7MOtMM0K3pOxRjqR59w0=",
            "authorities": [
              "Software Signing",
              "Apple Code Signing Certification Authority",
              "Apple Root CA"
            ],
            "teamid": "",
            "signerType": 0,
            "statusMessage": "No error.",
            "entitlements": [],
            "appid": "com.dummy.domain"
          },
          "pid": 148,
          "name": "dummyhostname",
          "pgid": 148
        }
      ]
    }
  },
  "caid": "a2afe04d1360c01a0758ad3319c9af305f794801917b0c04648e4d7a9d7d746b",
  "certid": "05f5b0fa822a2f5e9a29f018853e8f2d99b94c8af38f40268a9479f2e6038e6b"
}

Referência de mapeamento de campos

Esta secção explica como o analisador do Google Security Operations mapeia os campos do Jamf Protect para os campos do modelo de dados unificado (UDM) do Google Security Operations.

Referência de mapeamento de campos: identificador do evento para tipo de evento

A tabela seguinte apresenta os JAMF_PROTECT tipos de registos e os respetivos tipos de eventos da UDM.

Event Identifier	Event Type
`GPClickEvent`	`SCAN_UNCATEGORIZED`
`GPDownloadEvent`	`SCAN_FILE`
`GPFSEvent`	`SCAN_FILE`
`GPGatekeeperEvent`	`SCAN_UNCATEGORIZED`
`GPKeylogRegisterEvent`	`SCAN_UNCATEGORIZED`
`GPMRTEvent`	`SCAN_UNCATEGORIZED`
`GPPreventedExecutionEvent`	`SCAN_UNCATEGORIZED`
`GPProcessEvent`	`SCAN_PROCESS`
`GPThreatMatchExecEvent`	`SCAN_UNCATEGORIZED`
`GPUSBEvent`	`SCAN_UNCATEGORIZED`
`GPUnifiedLogEvent`	`SCAN_UNCATEGORIZED`
`GPScreenshotEvent`	`SCAN_UNCATEGORIZED`
`Auth-mount`	`SCAN_UNCATEGORIZED`

Referência de mapeamento de campos: JAMF_PROTECT

A tabela seguinte apresenta os campos de registo do JAMF_PROTECT tipo de registo e os respetivos campos UDM.

Log field	UDM mapping	Logic
	`about.platform`	The `about.platform` UDM field is set to `MAC`.
`caid`	`about.labels[caid]` (deprecated)
`caid`	`additional.fields[caid]`
`certid`	`principal.asset.attribute.labels [certid]`
`context.identity.claims.certid`	`principal.user.attribute.permissions.description`
`context.identity.claims.clientid`	`principal.user.attribute.labels [context_identity_claims_clientid]`
`input.eventType`	`metadata.product_event_type`
`input.host.hostname`	`principal.hostname`
`input.host.ips`	`principal.ip`
`input.host.os`	`principal.platform_version`
`input.host.protectVersion`	`principal.asset.attribute.labels [input_host_protectversion]`
`input.match.version`	`additional.fields [input_match_version]`
`input.match.facts.matchReason`	`security_result.detection_fields [input_match_facts_matchreason]`
`input.related.files.objectType`	`additional.fields [input_related_files_objecttype]`
`input.host.provisioningUDID`	`principal.asset.product_object_id`
`input.host.serial`	`principal.asset.hardware.serial_number`
`input.match.actions.name`	`security_result.outcomes [input_match_actions_name]`
`input.match.actions.parameters.message`	`security_result.summary`	If the `index` value is equal to `0`, then the `input.match.actions.parameters.message` log field is mapped to the `security_result.summary` UDM field. Else, the `input.match.actions.parameters.message` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.actions.parameters.title`	`security_result.description`	If the `index` value is equal to `0`, then the `input.match.actions.parameters.title` log field is mapped to the `security_result.description` UDM field. Else, the `input.match.actions.parameters.title` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.context.name`	`security_result.detection_fields.key`
`input.match.context.value`	`security_result.detection_fields.value [Name]`
`input.match.context.valueType`
`input.match.custom`	`security_result.detection_fields [input_match_custom]`
`input.match.event.blocked`	`security_result.action`	If the `input.match.event.blocked` log field value is not empty, then the `security_result.action` UDM field is set to `BLOCK`.
`context.identity.claims.hd, input.match.uuid`	`security_result.url_back_to_product`	The `security_result.url_back_to_product` UDM field is set to `https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid`.
`input.match.event.category`	`security_result.category_details`
`input.match.event.clickType`	`principal.labels[input_match_event_click_type]` (deprecated)	If the `input.match.event.clickType` log field value is equal to `0`, then the `principal.labels.value` UDM field is set to `0 - Other`. Else, if the `input.match.event.clickType` log field value is equal to `1`, then the `principal.labels.value` UDM field is set to `1 - Left Down`. Else, if the `input.match.event.clickType` log field value is equal to `2`, then the `principal.labels.value` UDM field is set to `2 - Left Up`. Else, if the `input.match.event.clickType` log field value is equal to `3`, then the `principal.labels.value` UDM field is set to `3 - Right Down`. Else, if the `input.match.event.clickType` log field value is equal to `4`, then the `principal.labels.value` UDM field is set to `4 - Right Up`.
`input.match.event.clickType`	`additional.fields[input_match_event_click_type]`	If the `input.match.event.clickType` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - Other`. Else, if the `input.match.event.clickType` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Left Down`. Else, if the `input.match.event.clickType` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `2 - Left Up`. Else, if the `input.match.event.clickType` log field value is equal to `3`, then the `additional.fields.value.string_value` UDM field is set to `3 - Right Down`. Else, if the `input.match.event.clickType` log field value is equal to `4`, then the `additional.fields.value.string_value` UDM field is set to `4 - Right Up`.
`input.match.event.composedMessage`	`principal.labels[input_match_event_composed_message]` (deprecated)
`input.match.event.composedMessage`	`additional.fields[input_match_event_composed_message]`
`input.match.event.dev`	`principal.labels[input_match_event_dev]` (deprecated)
`input.match.event.dev`	`additional.fields[input_match_event_dev]`
`input.match.event.eventID`	`principal.labels[input_match_event_eventID]` (deprecated)
`input.match.event.eventID`	`additional.fields[input_match_event_eventID]`
`input.match.event.gid`	`principal.user.group_identifiers`
`input.match.event.iNode`	`target.file.stat_inode`
`input.match.event.matchType`	`principal.labels[input_match_event_match_type]` (deprecated)
`input.match.event.matchType`	`additional.fields[input_match_event_match_type]`
`input.match.event.matchValue`	`security_result.threat_name`	If the `input.match.event.matchType` log field value is not empty, then the `input.match.event.matchValue` log field is mapped to the `security_result.threat_name` UDM field.
`input.match.event.name`	`about.labels[input_match_event_name]` (deprecated)
`input.match.event.name`	`additional.fields[input_match_event_name]`
`input.match.facts.name`	`metadata.description`	If the `index` value is equal to `0`, then the `input.match.facts.name` log field is mapped to the `metadata.description` UDM field.
`input.match.event.path`	`target.process.file.full_path`
`input.match.event.pid`	`principal.process.pid`
`input.match.event.prevFile`	`src.file.full_path`	If the `input.match.event.prevFile` log field value is not empty, then the `input.match.event.prevFile` log field is mapped to the `src.file.full_path` UDM field.
`input.match.event.process`	`principal.process.file.names`
`input.match.event.process.args`	`target.process.command_line_history`
`input.match.event.process.gid`	`target.group.product_object_id`
`input.match.event.process.name`	`target.process.file.names`
`input.match.event.process.originalParentPID`	`target.process.parent_process.pid`
`input.match.event.process.path`	`target.process.file.full_path`
`input.match.event.process.pgid`	`target.labels[input_match_event_processes_pgid]` (deprecated)
`input.match.event.process.pgid`	`additional.fields[input_match_event_processes_pgid]`
`input.match.event.process.pid`	`target.process.pid`
`input.match.event.process.ppid`	`target.labels[input_match_event_process_ppid]` (deprecated)
`input.match.event.process.ppid`	`additional.fields[input_match_event_process_ppid]`
`input.match.event.process.responsiblePID`	`target.labels[input_match_event_process_responsible_pid]` (deprecated)
`input.match.event.process.responsiblePID`	`additional.fields[input_match_event_process_responsible_pid]`
`input.match.event.process.rgid`	`target.labels[input_match_event_process_rgid]` (deprecated)
`input.match.event.process.rgid`	`additional.fields[input_match_event_process_rgid]`
`input.match.event.process.ruid`	`target.labels[input_match_event_process_ruid]` (deprecated)
`input.match.event.process.ruid`	`additional.fields[input_match_event_process_ruid]`
`input.match.event.process.signingInfo.appid`	`target.user.attribute.labels [input_match_event_process_sign_appid]`
`input.match.event.process.signingInfo.authorities`	`target.user.attribute.permissions`
`input.match.event.process.signingInfo.cdhash`	`target.user.attribute.labels [input_match_event_process_sign_cdhash]`
`input.match.event.process.signingInfo.entitlements`	`target.user.attributes.permissions`
`input.match.event.process.signingInfo.signerType`	`target.user.attribute.labels [input_match_event_process_sign_signer_type]`	If the `input.related.process.signingInfo.signerType` log field value is equal to `0`, then the `target.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `1`, then the `target.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `2`, then the `target.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `3`, then the `target.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `4`, then the `target.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.match.event.process.signingInfo.status`	`target.user.attribute.labels [input_match_event_process_sign_status]`
`input.match.event.process.signingInfo.statusMessage`	`target.labels[input_match_event_process_sign_status_message]` (deprecated)
`input.match.event.process.signingInfo.statusMessage`	`additional.fields[input_match_event_process_sign_status_message]`
`input.match.event.process.signingInfo.teamid`	`target.user.group_identifiers`
`input.match.event.process.startTimestamp`	`target.labels[input_match_event_process_start_time_stamp]` (deprecated)
`input.match.event.process.startTimestamp`	`additional.fields[input_match_event_process_start_time_stamp]`
`input.match.event.process.uid`	`target.labels[input_match_event_process_uid]` (deprecated)
`input.match.event.process.uid`	`additional.fields[input_match_event_process_uid]`
`input.match.event.process.uuid`	`target.process.product_specific_process_id`	The `Process Uuid: input.match.event.process.uuid` log field is mapped to the `target.process.product_specific_process_id` UDM field.
`input.match.event.processIdentifier`	`target.process.pid`
`input.match.event.processImagePath`	`target.process.file.full_path`
`input.match.event.rateLimitingSecs`	`principal.labels[input_match_event_rate_limiting_secs]` (deprecated)
`input.match.event.rateLimitingSecs`	`additional.fields[input_match_event_rate_limiting_secs]`
`input.match.event.scriptPath`	`principal.labels[input_match_event_script_path]` (deprecated)
`input.match.event.scriptPath`	`additional.fields[input_match_event_script_path]`
`input.match.event.sender`	`principal.labels[input_match_event_sender]` (deprecated)
`input.match.event.sender`	`additional.fields[input_match_event_sender]`
`input.match.event.senderImagePath`	`principal.labels[input_match_event_sender_image_path]` (deprecated)
`input.match.event.senderImagePath`	`additional.fields[input_match_event_sender_image_path]`
`input.match.event.subsystem`	`principal.labels[input_match_event_subsystem]` (deprecated)
`input.match.event.subsystem`	`additional.fields[input_match_event_subsystem]`
`input.match.event.subType`	`principal.labels[input_match_event_sub_type]` (deprecated)	If the `input.match.event.subType` log field value is equal to `7`, then the `principal.labels.value` UDM field is set to `7 - Exec`. Else, if the `input.match.event.subType` log field value is equal to `2`, then the `principal.labels.value` UDM field is set to `2 - Fork`. Else, if the `input.match.event.subType` log field value is equal to `1`, then the `principal.labels.value` UDM field is set to `1 - Exit`. Else, if the `input.match.event.subType` log field value is equal to `23`, then the `principal.labels.value` UDM field is set to `23 - Execve`. Else, if the `input.match.event.subType` log field value is equal to `43190`, then the `principal.labels.value` UDM field is set to `43190 - Posix Spawn`.
`input.match.event.subType`	`additional.fields[input_match_event_sub_type]`	If the `input.match.event.subType` log field value is equal to `7`, then the `additional.fields.value.string_value` UDM field is set to `7 - Exec`. Else, if the `input.match.event.subType` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `2 - Fork`. Else, if the `input.match.event.subType` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Exit`. Else, if the `input.match.event.subType` log field value is equal to `23`, then the `additional.fields.value.string_value` UDM field is set to `23 - Execve`. Else, if the `input.match.event.subType` log field value is equal to `43190`, then the `additional.fields.value.string_value` UDM field is set to `43190 - Posix Spawn`.
`input.match.event.tags`	`security_result.rule_labels [input_match_event_tags]`
`input.match.event.targetpid`	`target.process.pid`
`input.match.event.timestamp`	`metadata.event_timestamp`
`input.match.event.type`	`target.labels[input_match_event_type]` (deprecated)	If the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `0`, then the `target.labels.value` UDM field is set to `0 - Created`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `1`, then the `target.labels.value` UDM field is set to `1 - Deleted`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `3`, then the `target.labels.value` UDM field is set to `3 - Renamed`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `4`, then the `target.labels.value` UDM field is set to `4 - Modified`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `7`, then the `target.labels.value` UDM field is set to `7 - Created Dir`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `0`, then the `target.labels.value` UDM field is set to `0 - None`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `1`, then the `target.labels.value` UDM field is set to `1 - Create`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `2`, then the `target.labels.value` UDM field is set to `0 - Exit`.
`input.match.event.type`	`additional.fields[input_match_event_type]`	If the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - Created`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Deleted`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `3`, then the `additional.fields.value.string_value` UDM field is set to `3 - Renamed`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `4`, then the `additional.fields.value.string_value` UDM field is set to `4 - Modified`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `7`, then the `additional.fields.value.string_value` UDM field is set to `7 - Created Dir`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - None`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Create`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `0 - Exit`.
`input.match.event.uid`	`principal.user.userid`
`input.match.event.uuid`	`about.labels[input_match_event_uuid]` (deprecated)
`input.match.event.uuid`	`additional.fields[input_match_event_uuid]`
`input.match.facts.actions.name`	`security_result.action_details`	If the `index` value is equal to `0`, then the `input.match.facts.actions.name` log field is mapped to the `security_result.action_details` UDM field. Else, the `input.match.facts.actions.name` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.match.facts.actions.parameters.id`	`security_result.detection_fields [input_match_facts_actions_parameters_id]`
`input.match.facts.actions.parameters.message`	`security_result.detection_fields [input_match_facts_actions_parameters_message]`
`input.match.facts.actions.parameters.title`	`security_result.detection_fields [input_match_facts_actions_parameters_title]`
`input.match.facts.context.name`	`security_result.detection_fields.key`
`input.match.facts.context.value`	`security_result.detection_fields.value [Name]`
`input.match.facts.context.valueType`
`input.match.facts.human`	`security_result.action`	If the `input.match.facts.human` log field value is matched with regex `(?i)blocked`, then the `security_result.action` UDM field is set to `BLOCK`.
`input.match.facts.human`	`security_result.description`	If the `index` value is equal to `0`, then the `input.match.facts.human` log field is mapped to the `security_result.description` UDM field. Else, the `input.match.facts.human` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.facts.name`	`security_result.summary`	If the `index` value is equal to `0`, then the `input.match.facts.name` log field is mapped to the `security_result.summary` UDM field. Else, the `input.match.facts.name` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.facts.severity`	`security_result.detection_fields [input_match_facts_severity]`
`input.match.facts.tags`	`security_result.rule_labels [input_match_facts_tags]`
`input.match.facts.uuid`	`about.labels [input_match_facts_uuid]`
`input.match.facts.version`	`about.labels [input_match_facts_version]`
`input.match.severity`	`security_result.severity`	If the `severity` log field value is equal to `0`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `severity` log field value is equal to `1`, then the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity` log field value is equal to `2`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is equal to `3`, then the `security_result.severity` UDM field is set to `HIGH`.
`input.match.tags`	`security_result.rule_labels [input_match_tags]`
`input.match.uuid`	`metadata.product_log_id`
`input.related.binaries.accessed`	`security_result.about.labels [input_related_binaries_accessed]`
`input.related.binaries.changed`	`security_result.about.labels [input_related_binaries_changed]`
`input.related.binaries.created`	`security_result.about.file.first_seen_time`	If the `index` value is equal to `0`, then the `input.related.binaries.created` log field is mapped to the `security_result.about.file.first_seen_time` UDM field. Else, the `input.related.binaries.created` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.fsid`	`security_result.about.labels [input_related_binaries_fsid]`
`input.related.binaries.gid`	`security_result.about.labels [input_related_binaries_gid]`
`input.related.binaries.inode`	`security_result.about.file.stat_inode`	If the `index` value is equal to `0`, then the `input.related.binaries.inode` log field is mapped to the `security_result.about.file.stat_inode` UDM field. Else, the `input.related.binaries.inode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.isAppBundle`	`security_result.about.labels [isAppBundle]`
`input.related.binaries.isDirectory`	`security_result.about.labels [isDirectory]`
`input.related.binaries.isDownload`	`security_result.about.labels [isDownload]`
`input.related.binaries.isScreenShot`	`security_result.about.labels [isScreenShot]`
`input.related.binaries.mode`	`security_result.about.file.stat_mode`	If the `index` value is equal to `0`, then the `input.related.binaries.mode` log field is mapped to the `security_result.about.file.stat_mode` UDM field. Else, the `input.related.binaries.mode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.modified`	`security_result.about.file.last_modification_time`	If the `index` value is equal to `0`, then the `input.related.binaries.modified` log field is mapped to the `security_result.about.file.last_modification_time` UDM field. Else, the `input.related.binaries.modified` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.path`	`security_result.about.file.full_path`	If the `index` value is equal to `0`, then the `input.related.binaries.path` log field is mapped to the `security_result.about.file.full_path` UDM field. Else, the `input.related.binaries.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.sha1hex`	`security_result.about.file.sha1`	If the `index` value is equal to `0`, then the `input.related.binaries.sha1hex` log field is mapped to the `security_result.about.file.sha1` UDM field. Else, the `input.related.binaries.sha1hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.sha256hex`	`security_result.about.file.sha256`	If the `index` value is equal to `0`, then the `input.related.binaries.sha256hex` log field is mapped to the `security_result.about.file.sha256` UDM field. Else, the `input.related.binaries.sha256hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.binaries.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.binaries.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.signingInfo.authorities`	`security_result.about.user.attribute.permissions`
`input.related.binaries.signingInfo.cdhash`	`security_result.about.labels [input_related_binaries_sign_cdhash]`
`input.related.binaries.signingInfo.entitlements`	`security_result.about.user.attribute.permisisons`
`input.related.binaries.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type]`	If the `input.related.binaries.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.binaries.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_binaries_sign_status]`
`input.related.binaries.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_processes_sign_status_message]`
`input.related.binaries.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.binaries.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.binaries.signingInfo.teamid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.binaries.size`	`security_result.about.file.size`	If the `index` value is equal to `0`, then the `input.related.binaries.size` log field is mapped to the `security_result.about.file.size` UDM field. Else, the `input.related.binaries.size` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.binaries.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.binaries.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.binaries.xattrs`	`security_result.about.user.attribute.labels [input_related_binaries_xattrs]`
`input.related.files.accessed`	`security_result.about.labels [input_related_files_accessed]`
`input.related.files.changed`	`security_result.about.labels [input_related_files_changed]`
`input.related.files.created`	`security_result.about.labels [input_related_files_created]`
`input.related.files.downloadedFrom`	`security_result.about.labels [input_related_files_downloaded_from]`
`input.related.files.fsid`	`security_result.about.labels [input_related_files_downloaded_fsid]`
`input.related.files.gid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.files.gid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.files.gid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.inode`	`security_result.about.file.stat_inode`	If the `index` value is equal to `0`, then the `input.related.files.inode` log field is mapped to the `security_result.about.file.stat_inode` UDM field. Else, the `input.related.files.inode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.isAppBundle`	`security_result.about.labels [input_related_files_downloaded_is_app_bundle]`
`input.related.files.isDirectory`	`security_result.about.labels [input_related_files_is_directory]`
`input.related.files.isDownload`	`security_result.about.labels [input_related_files_is_download]`
`input.related.files.isScreenShot`	`security_result.about.labels [input_related_files_is_screenshot]`
`input.related.files.mode`	`security_result.about.file.stat_mode`	If the `index` value is equal to `0`, then the `input.related.files.mode` log field is mapped to the `security_result.about.file.stat_mode` UDM field. Else, the `input.related.files.mode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.modified`	`security_result.about.file.last_modification_time`	If the `index` value is equal to `0`, then the `input.related.files.modified` log field is mapped to the `security_result.about.file.last_modification_time` UDM field. Else, the `input.related.files.modified` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.path`	`security_result.about.file.full_path`	If the `index` value is equal to `0`, then the `input.related.files.path` log field is mapped to the `security_result.about.file.full_path` UDM field. Else, the `input.related.files.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.sha1hex`	`security_result.about.file.sha1`	If the `index` value is equal to `0`, then the `input.related.files.sha1hex` log field is mapped to the `security_result.about.file.sha1` UDM field. Else, the `input.related.files.sha1hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.sha256hex`	`security_result.about.file.sha256`	If the `index` value is equal to `0`, then the `input.related.files.sha256hex` log field is mapped to the `security_result.about.file.sha256` UDM field. Else, the `input.related.files.sha256hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.files.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.files.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.signingInfo.authorities`	`security_result.about.user.attribute.permissions`
`input.related.files.signingInfo.cdhash`	`security_result.about.labels [[input_related_files_sign_cdhash]`
`input.related.files.signingInfo.entitlements`	`security_result.about.user.attribute.permissions`
`input.related.files.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type]`	If the `input.related.files.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.files.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_files_signing_info_status]`
`input.related.files.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_files_signing_info_status_message]`
`input.related.files.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.files.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.files.signingInfo.teamid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.files.size`	`security_result.about.file.size`	If the `index` value is equal to `0`, then if the `input.related.files.size` log field value is not equal to `0`, then the `input.related.files.size` log field is mapped to the `security_result.about.file.size` UDM field. Else, the `input.related.files.size` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.files.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.files.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.files.xattrs`	`security_result.about.labels [input_related_files_xattrs]`
`input.related.groups.gid`	`security_result.about.group.attribute.labels [input_related_groups_gid]`
`input.related.groups.name`	`security_result.about.group.group_display_name`	If the `index` value is equal to `0`, then the `input.related.groups.name` log field is mapped to the `security_result.about.group.group_display_name` UDM field. Else, the `input.related.groups.name` log field is mapped to the `security_result.about.group.attribute.labels.value` UDM field.
`input.related.groups.uuid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.groups.uuid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.groups.uuid` log field is mapped to the `security_result.about.group.attribute.labels.value` UDM field.
`input.related.processes.appPath`	`security_result.about.labels [input_related_processes_app_path]`
`input.related.processes.args`	`security_result.about.process.command_line_history`
`input.related.processes.exitCode`	`security_result.about.labels [input_related_processes_exit_code]`
`input.related.processes.gid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.processes.gid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.processes.gid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.name`	`security_result.about.process.file.names`
`input.related.processes.originalParentPID`	`security_result.about.process.parent_process.pid`	If the `index` value is equal to `0`, then the `input.related.processes.originalParentPID` log field is mapped to the `security_result.about.process.parent_process.pid` UDM field. Else, the `input.related.processes.originalParentPID` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.path`	`security_result.about.process.file.full_path`	If the `index` value is equal to `0`, then the `input.related.processes.path` log field is mapped to the `security_result.about.process.file.full_path` UDM field. Else, the `input.related.processes.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.pgid`	`security_result.about.labels [input_related_process_pgid]`
`input.related.processes.pid`	`security_result.about.process.pid`	If the `index` value is equal to `0`, then the `input.related.processes.pid` log field is mapped to the `security_result.about.process.pid` UDM field. Else, the `input.related.processes.pid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.ppid`	`security_result.about.labels [input_related_processes_ppid]`
`input.related.processes.responsiblePID`	`security_result.about.labels [input_related_processes_responsible_pid]`
`input.related.processes.rgid`	`security_result.about.labels [input_related_processes_rgid]`
`input.related.processes.ruid`	`security_result.about.labels [input_related_processes_ruid]`
`input.related.processes.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.processes.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.processes.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.signingInfo.authorities`	`security_result.about.user.attributes.permission`
`input.related.processes.signingInfo.cdhash`	`security_result.about.user.attribute.labels [input_related_processes_sign_cdhash]`
`input.related.processes.signingInfo.entitlements`	`security_result.about.user.attributes.permission`
`input.related.processes.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_processes_sign_signer_type]`	If the `input.related.processes.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.processes .signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.processes.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_processes_sign_status]`
`input.related.processes.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_processes_sign_status_message]`
`input.related.processes.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.processes.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.processes.signingInfo.teamid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.startTimestamp`	`security_result.about.labels [input_related_processes_start_time_stamp]`
`input.related.processes.tty`	`security_result.about.labels [input_related_processes_tty]`
`input.related.processes.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.processes.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.processes.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.processes.uuid`	`security_result.about.process.product_specific_process_id`	If the `index` value is equal to `0`, then the `Process Uuid: input.related.processes.uuid` log field is mapped to the `security_result.about.process.product_specific_process_id` UDM field. Else, the `input.related.processes.uuid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.users.name`	`security_result.about.user.user_display_name`	If the `index` value is equal to `0`, then the `input.related.users.name` log field is mapped to the `security_result.about.user.user_display_name` UDM field. Else, the `input.related.users.name` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.users.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.users.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.users.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.users.uuid`	`security_result.about.user.product_object_id`	If the `index` value is equal to `0`, then the `input.related.users.uuid` log field is mapped to the `security_result.about.user.product_object_id` UDM field. Else, the `input.related.users.uuid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`key`	`about.labels[key]` (deprecated)
`key`	`additional.fields[key]`
`path`	`target.file.full_path`	If the `index` value is equal to `0`, then the `path` log field is mapped to the `target.file.full_path` UDM field. Else, the `path` log field is mapped to the `target.labels.value` UDM field.
`queue`	`principal.labels[queue]` (deprecated)
`queue`	`additional.fields[queue]`
`region`	`principal.location.name`
`timestamp`	`metadata.creation_timestamp`
`topic`	`about.labels[topic]` (deprecated)
`topic`	`additional.fields[topic]`
`topicType`	`about.labels[topicType]` (deprecated)
`topicType`	`additional.fields[topicType]`
`version`	`metadata.product_version`
`input.eventType`	`metadata.event_type`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `JAMF_PROTECT`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `JAMF`.
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `STORAGE_BUCKET`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `STORAGE_BUCKET`.
`input.match.event.options`	`about.labels[input_match_event_options]` (deprecated)
`input.match.event.options`	`additional.fields[input_match_event_options]`
`input.match.event.sourcePID`	`principal.process.pid`
`input.match.event.destinationPID`	`target.process.pid`
`image.match.event.detection`	`security_result.detection_fields [image_match_event_detection]`
`input.match.type`	`target.asset.attribute.labels [input_match_type]`	If the `input.match.type` log field value is equal to `0`, then the `target.asset.attribute.labels.value` UDM field is set to `0 - Device Inserted`. Else, if the `input.match.type` log field value is equal to `1`, then the `target.asset.attribute.labels.value` UDM field is set to `1 - Device Removed`.
`input.match.usbAddress`	`target.asset.attribute.labels [input_match_usb_address]`
`input.match.event.device.mediaPath`	`target.asset.attribute.labels [input_match_device_media_path]`
`input.match.event.device.protocol`	`target.asset.attribute.labels [input_match_device_protocol]`
`input.match.event.device.deviceModel`	`target.asset.hardware.model`
`input.match.event.device.isRemovable`	`target.asset.attribute.labels [input_match_device_is_removable]`
`input.match.event.device.mediaName`	`target.asset.attribute.labels [input_match_device_media_name]`
`input.match.event.device.bsdMinor`	`target.asset.attribute.labels [input_match_device_bsd_minor]`
`input.match.event.device.vendorName`	`target.asset.software.vendor_name`
`input.match.event.device.isWhole`	`target.asset.attribute.labels [input_match_device_is_whole]`
`input.match.event.device.unit`	`target.asset.attribute.labels [input_match_device_unit]`
`input.match.event.device.deviceSubclass`	`target.asset.attribute.labels [input_match_device_subclass]`
`input.match.event.device.serialNumber`	`target.asset.hardware.serial`
`input.match.event.device.bsdUnit`	`target.asset.attribute.labels [input_match_device_bsd_unit]`
`input.match.event.device.busPath`	`target.asset.attribute.labels [input_match_device_bus_path]`
`input.match.event.device.isLeaf`	`target.asset.attribute.labels [input_match_device_is_leaf]`
`input.match.event.device.isInternal`	`target.asset.attribute.labels [input_match_device_is_internal]`
`input.match.event.device.busName`	`target.asset.attribute.labels [input_match_device_bus_name]`
`input.match.event.device.bsdMajor`	`target.asset.attribute.labels [input_match_device_bsd_major]`
`input.match.event.device.isEjectable`	`target.asset.attribute.labels [input_match_device_is_ejectable]`
`input.match.event.device.isEncrypted`	`target.asset.attribute.labels [input_match_device_is_encrypted]`
`input.match.event.device.isEncryptable`	`target.asset.attribute.labels [input_match_device_is_encryptable]`
`input.match.event.device.devicePath`	`target.asset.attribute.labels [input_match_device_path]`
`input.match.event.device.bsdName`	`target.asset.attribute.labels [input_match_device_bsd_name]`
`input.match.event.device.vendorId`	`target.asset.attribute.labels [input_match_device_vendor_id]`
`input.match.event.device.content`	`target.asset.attribute.labels [input_match_device_content]`
`input.match.event.device.revision`	`target.asset.attribute.labels [input_match_device_revision]`
`input.match.event.device.size`	`target.asset.attribute.labels [input_match_device_size]`
`input.match.event.device.isNetworkVolume`	`target.asset.attribute.labels [input_match_device_is_network_volume]`
`input.match.event.device.blocksize`	`target.asset.attribute.labels [input_match_device_block_size]`
`input.match.event.device.productName`	`target.asset.attribute.labels [input_match_device_product_name]`
`input.match.event.device.mediaKind`	`target.asset.attribute.labels [input_match_device_media_kind]`
`input.match.event.device.isWritable`	`target.asset.attribute.labels [input_match_device_is_writable]`
`input.match.event.device.productId`	`target.asset.product_object_id`
`input.match.event.device.productId`	`target.asset.asset_id`	The `Asset Id: input.match.event.device.productId` log field is mapped to the `target.asset.asset_id` UDM field.
`input.match.event.device.deviceClass`	`target.asset.category`
`input.match.event.device.encryptionDetail`	`target.asset.attribute.labels [input_match_device_encryption_detail]`
`input.match.event.device.volumeKind`	`target.asset.attribute.labels [input_match_event_device_volume_kind]`
`input.match.event.device.volumeName`	`target.asset.attribute.labels [input_match_event_device_volume_name]`
`input.match.event.device.volumeType`	`target.asset.attribute.labels [input_match_event_device_volume_type]`
`input.match.event.device.isMountable`	`target.asset.attribute.labels [input_match_event_device_is_mountable]`
`input.match.event.device.encryptionDetail`	`target.asset.attribute.labels [input_match_event_device_encryption_detail]`
`input.match.event.fsid`	`principal.labels [input_match_event_fsid]`
`input.match.event.bfree`	`principal.labels[input_match_event_bfree]` (deprecated)
`input.match.event.bfree`	`additional.fields[input_match_event_bfree]`
`input.match.event.bsize`	`principal.labels[input_match_event_bsize]` (deprecated)
`input.match.event.bsize`	`additional.fields[input_match_event_bsize]`
`input.match.event.ffree`	`principal.labels[input_match_event_ffree]` (deprecated)
`input.match.event.ffree`	`additional.fields[input_match_event_ffree]`
`input.match.event.files`	`principal.labels[input_match_event_files]` (deprecated)
`input.match.event.files`	`additional.fields[input_match_event_files]`
`input.match.event.flags`	`principal.labels[input_match_event_flags]` (deprecated)
`input.match.event.flags`	`additional.fields[input_match_event_flags]`
`input.match.event.owner`	`principal.user.user_display_name`
`input.match.event.bavail`	`principal.labels[input_match_event_bvail]` (deprecated)
`input.match.event.bavail`	`additional.fields[input_match_event_bvail]`
`input.match.event.blocks`	`principal.labels[input_match_event_blocks]` (deprecated)
`input.match.event.blocks`	`additional.fields[input_match_event_blocks]`
`input.match.event.iosize`	`principal.labels[input_match_event_iosize]` (deprecated)
`input.match.event.iosize`	`additional.fields[input_match_event_iosize]`
`input.match.event.version`	`principal.labels[input_match_event_version]` (deprecated)
`input.match.event.version`	`additional.fields[input_match_event_version]`
`input.match.event.deadline`	`principal.labels[input_match_event_deadline]` (deprecated)
`input.match.event.deadline`	`additional.fields[input_match_event_deadline]`
`input.match.event.flagsExt`	`principal.labels[input_match_event_flags_ext]` (deprecated)
`input.match.event.flagsExt`	`additional.fields[input_match_event_flags_ext]`
`input.match.event.fsSubType`	`principal.labels[input_match_event_fs_subtype]` (deprecated)
`input.match.event.fsSubType`	`additional.fields[input_match_event_fs_subtype]`
`input.match.event.mntOnName`	`principal.labels[input_match_event_mnt_on_name]` (deprecated)
`input.match.event.mntOnName`	`additional.fields[input_match_event_mnt_on_name]`
`input.match.event.fsTypeName`	`principal.labels[input_match_event_fs_type_name]` (deprecated)
`input.match.event.fsTypeName`	`additional.fields[input_match_event_fs_type_name]`
`input.match.event.isReadOnly`	`principal.labels[input_match_event_is_read_only]` (deprecated)
`input.match.event.isReadOnly`	`additional.fields[input_match_event_is_read_only]`
`input.match.event.mntFromName`	`principal.labels[input_match_event_mnt_from_name]` (deprecated)
`input.match.event.mntFromName`	`additional.fields[input_match_event_mnt_from_name]`
`input.match.event.machTimestamp`	`principal.labels[input_match_event_mach_timestamp]` (deprecated)
`input.match.event.machTimestamp`	`additional.fields[input_match_event_mach_timestamp]`
`input.match.event.sequenceNumber`	`principal.labels[input_match_event_seq_number]` (deprecated)
`input.match.event.sequenceNumber`	`additional.fields[input_match_event_seq_number]`
`input.match.event.globalSequenceNumber`	`principal.labels[input_match_event_global_seq_number]` (deprecated)
`input.match.event.globalSequenceNumber`	`additional.fields[input_match_event_global_seq_number]`

O que se segue?

Carregamento de dados para o Google Security Operations

Precisa de mais ajuda? Receba respostas de membros da comunidade e profissionais da Google SecOps.