本頁面由 Cloud Translation API 翻譯而成。

收集 Jamf Protect 記錄

支援的國家/地區：

Google SecOps SIEM

本文說明如何設定 Google Security Operations 資訊提供，藉此收集 Jamf Protect 記錄，以及記錄欄位如何對應至 Google Security Operations Unified Data Model (UDM) 欄位。這份文件也列出支援的 Jamf Protect 版本。

詳情請參閱「將資料擷取至 Google Security Operations」。

一般部署作業包含 Jamf Protect 和 Google Security Operations 資訊提供，設定為將記錄傳送至 Google Security Operations。每個客戶的部署作業可能有所不同，而且可能更為複雜。

部署作業包含下列元件：

Jamf Protect。您要從哪個 Jamf Protect 平台收集記錄。
Google Security Operations 摘要。Google Security Operations 資訊提供，可從 Jamf Protect 擷取記錄，並將記錄寫入 Google Security Operations。
Google Security Operations。Google Security Operations 會保留及分析 Jamf Protect 的記錄檔。

擷取標籤會識別剖析器，該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於具有 JAMF_PROTECT 攝入標籤的剖析器。

事前準備

請確認您已完成下列事前準備事項：

已設定 Jamf Protect
Jamf Protect 4.0.0 以上版本
部署架構中的所有系統都已設定為世界標準時間時區。

設定動態饋給

在 Google SecOps 平台中，有兩種不同的進入點可設定動態饋給：

「SIEM 設定」>「動態消息」
內容中心 > 內容包

依序前往「SIEM 設定」>「動態消息」，設定動態消息

您可以使用 Amazon S3 或 Webhook 在 Google SecOps 中設定擷取動態饋給，但建議使用 Amazon S3。

使用 Amazon S3 在 Google SecOps 中設定擷取動態饋給

如要為這個產品系列中的不同記錄類型設定多個動態饋給，請參閱「依產品設定動態饋給」。

如要設定單一動態饋給，請按照下列步驟操作：

依序前往「SIEM 設定」>「動態饋給」。
按一下「新增動態消息」。
在下一個頁面中，按一下「設定單一動態饋給」。
在「動態饋給名稱」欄位中輸入動態饋給名稱，例如「Jamf Protect Logs」。
選取「Amazon S3」做為「來源類型」。
如要為 Jamf Protect 建立動態消息，請選取「Jamf Protect Alerts」(Jamf Protect 警報) 做為「Log type」(記錄類型)。
點選「下一步」。
儲存動態饋給，然後提交。
從動態消息名稱複製動態消息 ID，以便在 Jamf Protect 中使用。

使用 Webhook 在 Google SecOps 中設定擷取動態饋給

僅適用於 Google Security Operations Unified 客戶：
如要為這個產品系列中的不同記錄類型設定多個動態饋給，請參閱「設定多個動態饋給」。

所有客戶：
如要設定單一動態饋給，請按照下列步驟操作：

依序前往「SIEM 設定」>「動態饋給」。
按一下「新增動態消息」。
在下一個頁面中，按一下「設定單一動態饋給」。如果您使用 Google SecOps SIEM 獨立平台，請略過這個步驟。
在「動態饋給名稱」欄位中，輸入動態饋給的名稱，例如「Jamf Protect Webhook Logs」。
在「Source type」(來源類型) 清單中，選取「Webhook」(Webhook)。
如要為 Jamf Protect 建立動態消息，請選取「Jamf Protect Alerts」(Jamf Protect 警報) 做為「Log type」(記錄類型)。
點選「下一步」。
選用：指定下列輸入參數的值：
- 分割分隔符號：用於分隔記錄行的分隔符號，例如 \n。
- 資產命名空間：資產命名空間。
- 擷取標籤：要套用至這個動態饋給事件的標籤。
點選「下一步」。
在「Finalize」畫面上檢查新的動態饋給設定，然後按一下「Submit」。
按一下「產生密鑰」，產生驗證這個動態消息的密鑰。
複製並儲存「密鑰」。您無法再次查看這個密鑰。如有需要，您可以重新產生新的密鑰，但這項操作會使先前的密鑰失效。
在「詳細資料」分頁中，從「端點資訊」欄位複製動態消息端點網址。您需要這個 HTTPS 網址來設定 Jamf Protect 用戶端應用程式。
按一下 [完成]。

從內容中心設定動態饋給

為下列欄位指定值：

區域：Amazon S3 值區所在的區域。
S3 URI：bucket URI。
- s3://your-log-bucket-name/
  - 請將 your-log-bucket-name 替換為 S3 值區的實際名稱。
URI 是：根據 bucket 結構，選取「Directory」(目錄) 或「Directory which includes subdirectories」(包含子目錄的目錄)。
來源刪除選項：根據擷取偏好設定選取刪除選項。
存取金鑰 ID：具備 S3 值區讀取權限的使用者存取金鑰。
存取密鑰：使用者的存取密鑰，具備從 S3 bucket 讀取的權限。

進階選項

動態饋給名稱：系統預先填入的值，用於識別動態饋給。
來源類型：將記錄收集到 Google SecOps 的方法。
資產命名空間：與動態饋給相關聯的命名空間。
擷取標籤：套用至這個動態饋給所有事件的標籤。

為 Webhook 動態饋給建立 API 金鑰

依序前往 Google Cloud 控制台 >「憑證」。

前往「憑證」
按一下 [Create credentials] (建立憑證)，然後選取 [API key] (API 金鑰)。
將 API 金鑰存取權限制在 Google Security Operations API。

為 Webhook 動態饋給設定 Jamf Protect

在 Jamf Protect 應用程式中，前往相關的「動作設定」。
如要新增資料端點，請按一下「建立動作」。
選取「HTTP」做為通訊協定。
在「URL」欄位中，輸入 Google Security Operations API 端點的 HTTPS 網址。(這是您從 Webhook 摘要設定複製的「端點資訊」欄位。(已經是所需格式)。
指定 API 金鑰和密鑰，以啟用驗證，格式如下：
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
建議：請將 API 金鑰指定為標頭，而非在網址中指定。如果 Webhook 用戶端不支援自訂標頭，您可以使用查詢參數指定 API 金鑰和密鑰，格式如下：
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```
更改下列內容：
- ENDPOINT_URL：動態消息端點網址。
- API_KEY：用於向 Google Security Operations 進行驗證的 API 金鑰。
- SECRET：您產生的密鑰，用於驗證動態饋給。
在「收集記錄」部分中，選取「快訊和整合記錄」。
按一下「提交」。

如要進一步瞭解 Google Security Operations 動態消息，請參閱 Google Security Operations 動態消息說明文件。如要瞭解各動態饋給類型的規定，請參閱「依類型設定動態饋給」。

如果在建立動態饋給時遇到問題，請與 Google Security Operations 支援團隊聯絡。

支援的 Jamf Protect 記錄類型

下表列出 Jamf Protect 剖析器支援的記錄類型：

事件類型	顯示名稱
GPClickEvent	綜合點擊事件
GPDownloadEvent	下載活動
GPFSEvent	檔案系統事件
GPGatekeeperEvent	把關事件
GPKeylogRegisterEvent	鍵盤側錄程式事件
GPMRTEvent	監控事件
GPPreventedExecutionEvent	自訂禁止清單事件
GPProcessEvent	處理事件
GPThreatMatchExecEvent	威脅防護事件
GPUSBEvent	USB Events
GPUnifiedLogEvent	統一記錄事件
Auth-mount	裝置控制事件

支援的 Jamf Protect 記錄格式

Jamf Protect 剖析器支援 JSON 格式的記錄。

支援的 Jamf Protect 記錄檔範例

JSON

{
  "input": {
    "match": {
      "custom": false,
      "facts": [
        {
          "actions": [
            {
              "name": "CacheFile",
              "parameters": {}
            },
            {
              "name": "Report",
              "parameters": {}
            }
          ],
          "human": "Login Hook created for persistence",
          "context": [
            {
              "name": "ItemBinary",
              "value": "\\/path\\/to\\/suspiciousfile.sh",
              "valueType": "Binary"
            },
            {
              "name": "Itemname",
              "value": "\\/path\\/to\\/suspiciousfile.sh",
              "valueType": "String"
            }
          ],
          "uuid": "dummyuuid",
          "version": 2,
          "severity": 0,
          "tags": [
            "MITREattack",
            "T1037.002",
            "BootOrLogonAutostartExecution",
            "Persistence"
          ],
          "name": "LoginHook"
        }
      ],
      "event": {
        "timestamp": 1676994504.698714,
        "uid": 0,
        "eventID": 9141,
        "prevFile": "\\/private\\/var\\/folders\\/zz\\/zyxvpxvq6csfxvn_n0000000000000\\/T\\/TemporaryItems\\/com.apple.loginwindow.plist.X0YcxtR",
        "iNode": 62898,
        "dev": 16777220,
        "uuid": "AE7F101A-09AA-4CD6-940F-15EC2073E476",
        "path": "\\/var\\/root\\/Library\\/Preferences\\/com.dummy.path.plist",
        "type": 3,
        "gid": 0,
        "pid": 148
      },
      "uuid": "1263F6F0-6891-4105-993F-6889AB3A3555",
      "context": [
        {
          "name": "ItemBinary",
          "value": "\\/path\\/to\\/suspiciousfile.sh",
          "valueType": "Binary"
        },
        {
          "name": "Itemname",
          "value": "\\/path\\/to\\/suspiciousfile.sh",
          "valueType": "String"
        }
      ],
      "severity": 0,
      "tags": [
        "T1037.002",
        "Persistence",
        "BootOrLogonAutostartExecution",
        "MITREattack"
      ],
      "actions": [
        {
          "name": "CacheFile",
          "parameters": {}
        },
        {
          "name": "Report",
          "parameters": {}
        }
      ]
    },
    "host": {
      "ips": [
        "192.51.100.1"
      ],
      "provisioningUDID": "8AD54CA5-F0DC-5434-8147-26D1D8A426CD",
      "hostname": "dummy-hostname",
      "serial": "dummyserial"
    },
    "eventType": "GPFSEvent",
    "related": {
      "users": [
        {
          "uid": 0,
          "name": "root",
          "uuid": "dummyuid"
        }
      ],
      "files": [
        {
          "xattrs": [],
          "sha256hex": "67fc9bde97641361d3b521a01f8b907269a4d6434f2db10e163a71b70178b3d1",
          "modified": 1676985886,
          "uid": 0,
          "changed": 1676985886,
          "sha1hex": "e3bc8f9c241f86e7138ba6cfb0e0e206b131a7e3",
          "isAppBundle": false,
          "isScreenShot": false,
          "path": "\\/var\\/root\\/Library\\/Preferences\\/com.apple.loginwindow.plist",
          "size": 42,
          "gid": 0,
          "inode": 62898,
          "mode": 33152,
          "isDownload": false,
          "created": 1676985886,
          "accessed": 1676985886,
          "fsid": 16777220,
          "signingInfo": {
            "status": -67062,
            "authorities": [],
            "teamid": "",
            "signerType": 4,
            "statusMessage": "code object is not signed at all",
            "entitlements": [],
            "appid": ""
          },
          "isDirectory": false
        }
      ],
      "binaries": [
        {
          "xattrs": [],
          "sha256hex": "9a282c0623110b57953bb74238f02704f729eb9779381eef851b2ebe7626f890",
          "modified": 1675935593,
          "uid": 0,
          "changed": 1675935593,
          "sha1hex": "454634df6b7cd32a4dcca9d346eb3efb34dc780d",
          "isAppBundle": false,
          "isScreenShot": false,
          "path": "\\/usr\\/sbin\\/cfprefsd",
          "size": 200608,
          "gid": 0,
          "inode": 1152921500312430765,
          "mode": 33261,
          "isDownload": false,
          "created": 1675935593,
          "accessed": 1675935593,
          "fsid": 16777220,
          "signingInfo": {
            "status": 0,
            "cdhash": "SXboWMc7MOtMM0K3pOxRjqR59w0=",
            "authorities": [
              "Software Signing",
              "Apple Code Signing Certification Authority",
              "Apple Root CA"
            ],
            "teamid": "",
            "signerType": 0,
            "statusMessage": "No error.",
            "entitlements": [],
            "appid": "com.dummy.domain"
          },
          "isDirectory": false
        }
      ],
      "groups": [
        {
          "gid": 0,
          "name": "wheel",
          "uuid": "FVFZQ5FDLYWG0"
        }
      ],
      "processes": [
        {
          "originalParentPID": 1,
          "uuid": "06D1425D-082A-4E11-81E4-75A9E3F2B8EF",
          "ruid": 0,
          "uid": 0,
          "startTimestamp": 1676976036,
          "ppid": 1,
          "path": "\\/usr\\/sbin\\/cfprefsd",
          "gid": 0,
          "rgid": 0,
          "args": [
            "\\/usr\\/sbin\\/cfprefsd",
            "daemon"
          ],
          "signingInfo": {
            "status": 0,
            "cdhash": "SXboWMc7MOtMM0K3pOxRjqR59w0=",
            "authorities": [
              "Software Signing",
              "Apple Code Signing Certification Authority",
              "Apple Root CA"
            ],
            "teamid": "",
            "signerType": 0,
            "statusMessage": "No error.",
            "entitlements": [],
            "appid": "com.dummy.domain"
          },
          "pid": 148,
          "name": "dummyhostname",
          "pgid": 148
        }
      ]
    }
  },
  "caid": "a2afe04d1360c01a0758ad3319c9af305f794801917b0c04648e4d7a9d7d746b",
  "certid": "05f5b0fa822a2f5e9a29f018853e8f2d99b94c8af38f40268a9479f2e6038e6b"
}

欄位對應參考資料

本節說明 Google Security Operations 剖析器如何將 Jamf Protect 欄位對應至 Google Security Operations Unified Data Model (UDM) 欄位。

欄位對應參照：事件 ID 對應至事件類型

下表列出 JAMF_PROTECT 記錄類型及其對應的 UDM 事件類型。

Event Identifier	Event Type
`GPClickEvent`	`SCAN_UNCATEGORIZED`
`GPDownloadEvent`	`SCAN_FILE`
`GPFSEvent`	`SCAN_FILE`
`GPGatekeeperEvent`	`SCAN_UNCATEGORIZED`
`GPKeylogRegisterEvent`	`SCAN_UNCATEGORIZED`
`GPMRTEvent`	`SCAN_UNCATEGORIZED`
`GPPreventedExecutionEvent`	`SCAN_UNCATEGORIZED`
`GPProcessEvent`	`SCAN_PROCESS`
`GPThreatMatchExecEvent`	`SCAN_UNCATEGORIZED`
`GPUSBEvent`	`SCAN_UNCATEGORIZED`
`GPUnifiedLogEvent`	`SCAN_UNCATEGORIZED`
`GPScreenshotEvent`	`SCAN_UNCATEGORIZED`
`Auth-mount`	`SCAN_UNCATEGORIZED`

欄位對應參考資料：JAMF_PROTECT

下表列出 JAMF_PROTECT 記錄類型的記錄欄位，以及對應的 UDM 欄位。

Log field	UDM mapping	Logic
	`about.platform`	The `about.platform` UDM field is set to `MAC`.
`caid`	`about.labels[caid]` (deprecated)
`caid`	`additional.fields[caid]`
`certid`	`principal.asset.attribute.labels [certid]`
`context.identity.claims.certid`	`principal.user.attribute.permissions.description`
`context.identity.claims.clientid`	`principal.user.attribute.labels [context_identity_claims_clientid]`
`input.eventType`	`metadata.product_event_type`
`input.host.hostname`	`principal.hostname`
`input.host.ips`	`principal.ip`
`input.host.os`	`principal.platform_version`
`input.host.protectVersion`	`principal.asset.attribute.labels [input_host_protectversion]`
`input.match.version`	`additional.fields [input_match_version]`
`input.match.facts.matchReason`	`security_result.detection_fields [input_match_facts_matchreason]`
`input.related.files.objectType`	`additional.fields [input_related_files_objecttype]`
`input.host.provisioningUDID`	`principal.asset.product_object_id`
`input.host.serial`	`principal.asset.hardware.serial_number`
`input.match.actions.name`	`security_result.outcomes [input_match_actions_name]`
`input.match.actions.parameters.message`	`security_result.summary`	If the `index` value is equal to `0`, then the `input.match.actions.parameters.message` log field is mapped to the `security_result.summary` UDM field. Else, the `input.match.actions.parameters.message` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.actions.parameters.title`	`security_result.description`	If the `index` value is equal to `0`, then the `input.match.actions.parameters.title` log field is mapped to the `security_result.description` UDM field. Else, the `input.match.actions.parameters.title` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.context.name`	`security_result.detection_fields.key`
`input.match.context.value`	`security_result.detection_fields.value [Name]`
`input.match.context.valueType`
`input.match.custom`	`security_result.detection_fields [input_match_custom]`
`input.match.event.blocked`	`security_result.action`	If the `input.match.event.blocked` log field value is not empty, then the `security_result.action` UDM field is set to `BLOCK`.
`context.identity.claims.hd, input.match.uuid`	`security_result.url_back_to_product`	The `security_result.url_back_to_product` UDM field is set to `https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid`.
`input.match.event.category`	`security_result.category_details`
`input.match.event.clickType`	`principal.labels[input_match_event_click_type]` (deprecated)	If the `input.match.event.clickType` log field value is equal to `0`, then the `principal.labels.value` UDM field is set to `0 - Other`. Else, if the `input.match.event.clickType` log field value is equal to `1`, then the `principal.labels.value` UDM field is set to `1 - Left Down`. Else, if the `input.match.event.clickType` log field value is equal to `2`, then the `principal.labels.value` UDM field is set to `2 - Left Up`. Else, if the `input.match.event.clickType` log field value is equal to `3`, then the `principal.labels.value` UDM field is set to `3 - Right Down`. Else, if the `input.match.event.clickType` log field value is equal to `4`, then the `principal.labels.value` UDM field is set to `4 - Right Up`.
`input.match.event.clickType`	`additional.fields[input_match_event_click_type]`	If the `input.match.event.clickType` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - Other`. Else, if the `input.match.event.clickType` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Left Down`. Else, if the `input.match.event.clickType` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `2 - Left Up`. Else, if the `input.match.event.clickType` log field value is equal to `3`, then the `additional.fields.value.string_value` UDM field is set to `3 - Right Down`. Else, if the `input.match.event.clickType` log field value is equal to `4`, then the `additional.fields.value.string_value` UDM field is set to `4 - Right Up`.
`input.match.event.composedMessage`	`principal.labels[input_match_event_composed_message]` (deprecated)
`input.match.event.composedMessage`	`additional.fields[input_match_event_composed_message]`
`input.match.event.dev`	`principal.labels[input_match_event_dev]` (deprecated)
`input.match.event.dev`	`additional.fields[input_match_event_dev]`
`input.match.event.eventID`	`principal.labels[input_match_event_eventID]` (deprecated)
`input.match.event.eventID`	`additional.fields[input_match_event_eventID]`
`input.match.event.gid`	`principal.user.group_identifiers`
`input.match.event.iNode`	`target.file.stat_inode`
`input.match.event.matchType`	`principal.labels[input_match_event_match_type]` (deprecated)
`input.match.event.matchType`	`additional.fields[input_match_event_match_type]`
`input.match.event.matchValue`	`security_result.threat_name`	If the `input.match.event.matchType` log field value is not empty, then the `input.match.event.matchValue` log field is mapped to the `security_result.threat_name` UDM field.
`input.match.event.name`	`about.labels[input_match_event_name]` (deprecated)
`input.match.event.name`	`additional.fields[input_match_event_name]`
`input.match.facts.name`	`metadata.description`	If the `index` value is equal to `0`, then the `input.match.facts.name` log field is mapped to the `metadata.description` UDM field.
`input.match.event.path`	`target.process.file.full_path`
`input.match.event.pid`	`principal.process.pid`
`input.match.event.prevFile`	`src.file.full_path`	If the `input.match.event.prevFile` log field value is not empty, then the `input.match.event.prevFile` log field is mapped to the `src.file.full_path` UDM field.
`input.match.event.process`	`principal.process.file.names`
`input.match.event.process.args`	`target.process.command_line_history`
`input.match.event.process.gid`	`target.group.product_object_id`
`input.match.event.process.name`	`target.process.file.names`
`input.match.event.process.originalParentPID`	`target.process.parent_process.pid`
`input.match.event.process.path`	`target.process.file.full_path`
`input.match.event.process.pgid`	`target.labels[input_match_event_processes_pgid]` (deprecated)
`input.match.event.process.pgid`	`additional.fields[input_match_event_processes_pgid]`
`input.match.event.process.pid`	`target.process.pid`
`input.match.event.process.ppid`	`target.labels[input_match_event_process_ppid]` (deprecated)
`input.match.event.process.ppid`	`additional.fields[input_match_event_process_ppid]`
`input.match.event.process.responsiblePID`	`target.labels[input_match_event_process_responsible_pid]` (deprecated)
`input.match.event.process.responsiblePID`	`additional.fields[input_match_event_process_responsible_pid]`
`input.match.event.process.rgid`	`target.labels[input_match_event_process_rgid]` (deprecated)
`input.match.event.process.rgid`	`additional.fields[input_match_event_process_rgid]`
`input.match.event.process.ruid`	`target.labels[input_match_event_process_ruid]` (deprecated)
`input.match.event.process.ruid`	`additional.fields[input_match_event_process_ruid]`
`input.match.event.process.signingInfo.appid`	`target.user.attribute.labels [input_match_event_process_sign_appid]`
`input.match.event.process.signingInfo.authorities`	`target.user.attribute.permissions`
`input.match.event.process.signingInfo.cdhash`	`target.user.attribute.labels [input_match_event_process_sign_cdhash]`
`input.match.event.process.signingInfo.entitlements`	`target.user.attributes.permissions`
`input.match.event.process.signingInfo.signerType`	`target.user.attribute.labels [input_match_event_process_sign_signer_type]`	If the `input.related.process.signingInfo.signerType` log field value is equal to `0`, then the `target.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `1`, then the `target.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `2`, then the `target.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `3`, then the `target.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `4`, then the `target.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.match.event.process.signingInfo.status`	`target.user.attribute.labels [input_match_event_process_sign_status]`
`input.match.event.process.signingInfo.statusMessage`	`target.labels[input_match_event_process_sign_status_message]` (deprecated)
`input.match.event.process.signingInfo.statusMessage`	`additional.fields[input_match_event_process_sign_status_message]`
`input.match.event.process.signingInfo.teamid`	`target.user.group_identifiers`
`input.match.event.process.startTimestamp`	`target.labels[input_match_event_process_start_time_stamp]` (deprecated)
`input.match.event.process.startTimestamp`	`additional.fields[input_match_event_process_start_time_stamp]`
`input.match.event.process.uid`	`target.labels[input_match_event_process_uid]` (deprecated)
`input.match.event.process.uid`	`additional.fields[input_match_event_process_uid]`
`input.match.event.process.uuid`	`target.process.product_specific_process_id`	The `Process Uuid: input.match.event.process.uuid` log field is mapped to the `target.process.product_specific_process_id` UDM field.
`input.match.event.processIdentifier`	`target.process.pid`
`input.match.event.processImagePath`	`target.process.file.full_path`
`input.match.event.rateLimitingSecs`	`principal.labels[input_match_event_rate_limiting_secs]` (deprecated)
`input.match.event.rateLimitingSecs`	`additional.fields[input_match_event_rate_limiting_secs]`
`input.match.event.scriptPath`	`principal.labels[input_match_event_script_path]` (deprecated)
`input.match.event.scriptPath`	`additional.fields[input_match_event_script_path]`
`input.match.event.sender`	`principal.labels[input_match_event_sender]` (deprecated)
`input.match.event.sender`	`additional.fields[input_match_event_sender]`
`input.match.event.senderImagePath`	`principal.labels[input_match_event_sender_image_path]` (deprecated)
`input.match.event.senderImagePath`	`additional.fields[input_match_event_sender_image_path]`
`input.match.event.subsystem`	`principal.labels[input_match_event_subsystem]` (deprecated)
`input.match.event.subsystem`	`additional.fields[input_match_event_subsystem]`
`input.match.event.subType`	`principal.labels[input_match_event_sub_type]` (deprecated)	If the `input.match.event.subType` log field value is equal to `7`, then the `principal.labels.value` UDM field is set to `7 - Exec`. Else, if the `input.match.event.subType` log field value is equal to `2`, then the `principal.labels.value` UDM field is set to `2 - Fork`. Else, if the `input.match.event.subType` log field value is equal to `1`, then the `principal.labels.value` UDM field is set to `1 - Exit`. Else, if the `input.match.event.subType` log field value is equal to `23`, then the `principal.labels.value` UDM field is set to `23 - Execve`. Else, if the `input.match.event.subType` log field value is equal to `43190`, then the `principal.labels.value` UDM field is set to `43190 - Posix Spawn`.
`input.match.event.subType`	`additional.fields[input_match_event_sub_type]`	If the `input.match.event.subType` log field value is equal to `7`, then the `additional.fields.value.string_value` UDM field is set to `7 - Exec`. Else, if the `input.match.event.subType` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `2 - Fork`. Else, if the `input.match.event.subType` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Exit`. Else, if the `input.match.event.subType` log field value is equal to `23`, then the `additional.fields.value.string_value` UDM field is set to `23 - Execve`. Else, if the `input.match.event.subType` log field value is equal to `43190`, then the `additional.fields.value.string_value` UDM field is set to `43190 - Posix Spawn`.
`input.match.event.tags`	`security_result.rule_labels [input_match_event_tags]`
`input.match.event.targetpid`	`target.process.pid`
`input.match.event.timestamp`	`metadata.event_timestamp`
`input.match.event.type`	`target.labels[input_match_event_type]` (deprecated)	If the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `0`, then the `target.labels.value` UDM field is set to `0 - Created`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `1`, then the `target.labels.value` UDM field is set to `1 - Deleted`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `3`, then the `target.labels.value` UDM field is set to `3 - Renamed`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `4`, then the `target.labels.value` UDM field is set to `4 - Modified`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `7`, then the `target.labels.value` UDM field is set to `7 - Created Dir`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `0`, then the `target.labels.value` UDM field is set to `0 - None`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `1`, then the `target.labels.value` UDM field is set to `1 - Create`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `2`, then the `target.labels.value` UDM field is set to `0 - Exit`.
`input.match.event.type`	`additional.fields[input_match_event_type]`	If the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - Created`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Deleted`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `3`, then the `additional.fields.value.string_value` UDM field is set to `3 - Renamed`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `4`, then the `additional.fields.value.string_value` UDM field is set to `4 - Modified`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `7`, then the `additional.fields.value.string_value` UDM field is set to `7 - Created Dir`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - None`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Create`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `0 - Exit`.
`input.match.event.uid`	`principal.user.userid`
`input.match.event.uuid`	`about.labels[input_match_event_uuid]` (deprecated)
`input.match.event.uuid`	`additional.fields[input_match_event_uuid]`
`input.match.facts.actions.name`	`security_result.action_details`	If the `index` value is equal to `0`, then the `input.match.facts.actions.name` log field is mapped to the `security_result.action_details` UDM field. Else, the `input.match.facts.actions.name` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.match.facts.actions.parameters.id`	`security_result.detection_fields [input_match_facts_actions_parameters_id]`
`input.match.facts.actions.parameters.message`	`security_result.detection_fields [input_match_facts_actions_parameters_message]`
`input.match.facts.actions.parameters.title`	`security_result.detection_fields [input_match_facts_actions_parameters_title]`
`input.match.facts.context.name`	`security_result.detection_fields.key`
`input.match.facts.context.value`	`security_result.detection_fields.value [Name]`
`input.match.facts.context.valueType`
`input.match.facts.human`	`security_result.action`	If the `input.match.facts.human` log field value is matched with regex `(?i)blocked`, then the `security_result.action` UDM field is set to `BLOCK`.
`input.match.facts.human`	`security_result.description`	If the `index` value is equal to `0`, then the `input.match.facts.human` log field is mapped to the `security_result.description` UDM field. Else, the `input.match.facts.human` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.facts.name`	`security_result.summary`	If the `index` value is equal to `0`, then the `input.match.facts.name` log field is mapped to the `security_result.summary` UDM field. Else, the `input.match.facts.name` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.facts.severity`	`security_result.detection_fields [input_match_facts_severity]`
`input.match.facts.tags`	`security_result.rule_labels [input_match_facts_tags]`
`input.match.facts.uuid`	`about.labels [input_match_facts_uuid]`
`input.match.facts.version`	`about.labels [input_match_facts_version]`
`input.match.severity`	`security_result.severity`	If the `severity` log field value is equal to `0`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `severity` log field value is equal to `1`, then the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity` log field value is equal to `2`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is equal to `3`, then the `security_result.severity` UDM field is set to `HIGH`.
`input.match.tags`	`security_result.rule_labels [input_match_tags]`
`input.match.uuid`	`metadata.product_log_id`
`input.related.binaries.accessed`	`security_result.about.labels [input_related_binaries_accessed]`
`input.related.binaries.changed`	`security_result.about.labels [input_related_binaries_changed]`
`input.related.binaries.created`	`security_result.about.file.first_seen_time`	If the `index` value is equal to `0`, then the `input.related.binaries.created` log field is mapped to the `security_result.about.file.first_seen_time` UDM field. Else, the `input.related.binaries.created` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.fsid`	`security_result.about.labels [input_related_binaries_fsid]`
`input.related.binaries.gid`	`security_result.about.labels [input_related_binaries_gid]`
`input.related.binaries.inode`	`security_result.about.file.stat_inode`	If the `index` value is equal to `0`, then the `input.related.binaries.inode` log field is mapped to the `security_result.about.file.stat_inode` UDM field. Else, the `input.related.binaries.inode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.isAppBundle`	`security_result.about.labels [isAppBundle]`
`input.related.binaries.isDirectory`	`security_result.about.labels [isDirectory]`
`input.related.binaries.isDownload`	`security_result.about.labels [isDownload]`
`input.related.binaries.isScreenShot`	`security_result.about.labels [isScreenShot]`
`input.related.binaries.mode`	`security_result.about.file.stat_mode`	If the `index` value is equal to `0`, then the `input.related.binaries.mode` log field is mapped to the `security_result.about.file.stat_mode` UDM field. Else, the `input.related.binaries.mode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.modified`	`security_result.about.file.last_modification_time`	If the `index` value is equal to `0`, then the `input.related.binaries.modified` log field is mapped to the `security_result.about.file.last_modification_time` UDM field. Else, the `input.related.binaries.modified` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.path`	`security_result.about.file.full_path`	If the `index` value is equal to `0`, then the `input.related.binaries.path` log field is mapped to the `security_result.about.file.full_path` UDM field. Else, the `input.related.binaries.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.sha1hex`	`security_result.about.file.sha1`	If the `index` value is equal to `0`, then the `input.related.binaries.sha1hex` log field is mapped to the `security_result.about.file.sha1` UDM field. Else, the `input.related.binaries.sha1hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.sha256hex`	`security_result.about.file.sha256`	If the `index` value is equal to `0`, then the `input.related.binaries.sha256hex` log field is mapped to the `security_result.about.file.sha256` UDM field. Else, the `input.related.binaries.sha256hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.binaries.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.binaries.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.signingInfo.authorities`	`security_result.about.user.attribute.permissions`
`input.related.binaries.signingInfo.cdhash`	`security_result.about.labels [input_related_binaries_sign_cdhash]`
`input.related.binaries.signingInfo.entitlements`	`security_result.about.user.attribute.permisisons`
`input.related.binaries.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type]`	If the `input.related.binaries.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.binaries.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_binaries_sign_status]`
`input.related.binaries.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_processes_sign_status_message]`
`input.related.binaries.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.binaries.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.binaries.signingInfo.teamid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.binaries.size`	`security_result.about.file.size`	If the `index` value is equal to `0`, then the `input.related.binaries.size` log field is mapped to the `security_result.about.file.size` UDM field. Else, the `input.related.binaries.size` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.binaries.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.binaries.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.binaries.xattrs`	`security_result.about.user.attribute.labels [input_related_binaries_xattrs]`
`input.related.files.accessed`	`security_result.about.labels [input_related_files_accessed]`
`input.related.files.changed`	`security_result.about.labels [input_related_files_changed]`
`input.related.files.created`	`security_result.about.labels [input_related_files_created]`
`input.related.files.downloadedFrom`	`security_result.about.labels [input_related_files_downloaded_from]`
`input.related.files.fsid`	`security_result.about.labels [input_related_files_downloaded_fsid]`
`input.related.files.gid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.files.gid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.files.gid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.inode`	`security_result.about.file.stat_inode`	If the `index` value is equal to `0`, then the `input.related.files.inode` log field is mapped to the `security_result.about.file.stat_inode` UDM field. Else, the `input.related.files.inode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.isAppBundle`	`security_result.about.labels [input_related_files_downloaded_is_app_bundle]`
`input.related.files.isDirectory`	`security_result.about.labels [input_related_files_is_directory]`
`input.related.files.isDownload`	`security_result.about.labels [input_related_files_is_download]`
`input.related.files.isScreenShot`	`security_result.about.labels [input_related_files_is_screenshot]`
`input.related.files.mode`	`security_result.about.file.stat_mode`	If the `index` value is equal to `0`, then the `input.related.files.mode` log field is mapped to the `security_result.about.file.stat_mode` UDM field. Else, the `input.related.files.mode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.modified`	`security_result.about.file.last_modification_time`	If the `index` value is equal to `0`, then the `input.related.files.modified` log field is mapped to the `security_result.about.file.last_modification_time` UDM field. Else, the `input.related.files.modified` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.path`	`security_result.about.file.full_path`	If the `index` value is equal to `0`, then the `input.related.files.path` log field is mapped to the `security_result.about.file.full_path` UDM field. Else, the `input.related.files.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.sha1hex`	`security_result.about.file.sha1`	If the `index` value is equal to `0`, then the `input.related.files.sha1hex` log field is mapped to the `security_result.about.file.sha1` UDM field. Else, the `input.related.files.sha1hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.sha256hex`	`security_result.about.file.sha256`	If the `index` value is equal to `0`, then the `input.related.files.sha256hex` log field is mapped to the `security_result.about.file.sha256` UDM field. Else, the `input.related.files.sha256hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.files.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.files.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.signingInfo.authorities`	`security_result.about.user.attribute.permissions`
`input.related.files.signingInfo.cdhash`	`security_result.about.labels [[input_related_files_sign_cdhash]`
`input.related.files.signingInfo.entitlements`	`security_result.about.user.attribute.permissions`
`input.related.files.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type]`	If the `input.related.files.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.files.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_files_signing_info_status]`
`input.related.files.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_files_signing_info_status_message]`
`input.related.files.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.files.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.files.signingInfo.teamid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.files.size`	`security_result.about.file.size`	If the `index` value is equal to `0`, then if the `input.related.files.size` log field value is not equal to `0`, then the `input.related.files.size` log field is mapped to the `security_result.about.file.size` UDM field. Else, the `input.related.files.size` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.files.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.files.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.files.xattrs`	`security_result.about.labels [input_related_files_xattrs]`
`input.related.groups.gid`	`security_result.about.group.attribute.labels [input_related_groups_gid]`
`input.related.groups.name`	`security_result.about.group.group_display_name`	If the `index` value is equal to `0`, then the `input.related.groups.name` log field is mapped to the `security_result.about.group.group_display_name` UDM field. Else, the `input.related.groups.name` log field is mapped to the `security_result.about.group.attribute.labels.value` UDM field.
`input.related.groups.uuid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.groups.uuid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.groups.uuid` log field is mapped to the `security_result.about.group.attribute.labels.value` UDM field.
`input.related.processes.appPath`	`security_result.about.labels [input_related_processes_app_path]`
`input.related.processes.args`	`security_result.about.process.command_line_history`
`input.related.processes.exitCode`	`security_result.about.labels [input_related_processes_exit_code]`
`input.related.processes.gid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.processes.gid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.processes.gid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.name`	`security_result.about.process.file.names`
`input.related.processes.originalParentPID`	`security_result.about.process.parent_process.pid`	If the `index` value is equal to `0`, then the `input.related.processes.originalParentPID` log field is mapped to the `security_result.about.process.parent_process.pid` UDM field. Else, the `input.related.processes.originalParentPID` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.path`	`security_result.about.process.file.full_path`	If the `index` value is equal to `0`, then the `input.related.processes.path` log field is mapped to the `security_result.about.process.file.full_path` UDM field. Else, the `input.related.processes.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.pgid`	`security_result.about.labels [input_related_process_pgid]`
`input.related.processes.pid`	`security_result.about.process.pid`	If the `index` value is equal to `0`, then the `input.related.processes.pid` log field is mapped to the `security_result.about.process.pid` UDM field. Else, the `input.related.processes.pid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.ppid`	`security_result.about.labels [input_related_processes_ppid]`
`input.related.processes.responsiblePID`	`security_result.about.labels [input_related_processes_responsible_pid]`
`input.related.processes.rgid`	`security_result.about.labels [input_related_processes_rgid]`
`input.related.processes.ruid`	`security_result.about.labels [input_related_processes_ruid]`
`input.related.processes.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.processes.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.processes.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.signingInfo.authorities`	`security_result.about.user.attributes.permission`
`input.related.processes.signingInfo.cdhash`	`security_result.about.user.attribute.labels [input_related_processes_sign_cdhash]`
`input.related.processes.signingInfo.entitlements`	`security_result.about.user.attributes.permission`
`input.related.processes.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_processes_sign_signer_type]`	If the `input.related.processes.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.processes .signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.processes.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_processes_sign_status]`
`input.related.processes.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_processes_sign_status_message]`
`input.related.processes.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.processes.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.processes.signingInfo.teamid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.startTimestamp`	`security_result.about.labels [input_related_processes_start_time_stamp]`
`input.related.processes.tty`	`security_result.about.labels [input_related_processes_tty]`
`input.related.processes.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.processes.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.processes.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.processes.uuid`	`security_result.about.process.product_specific_process_id`	If the `index` value is equal to `0`, then the `Process Uuid: input.related.processes.uuid` log field is mapped to the `security_result.about.process.product_specific_process_id` UDM field. Else, the `input.related.processes.uuid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.users.name`	`security_result.about.user.user_display_name`	If the `index` value is equal to `0`, then the `input.related.users.name` log field is mapped to the `security_result.about.user.user_display_name` UDM field. Else, the `input.related.users.name` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.users.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.users.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.users.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.users.uuid`	`security_result.about.user.product_object_id`	If the `index` value is equal to `0`, then the `input.related.users.uuid` log field is mapped to the `security_result.about.user.product_object_id` UDM field. Else, the `input.related.users.uuid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`key`	`about.labels[key]` (deprecated)
`key`	`additional.fields[key]`
`path`	`target.file.full_path`	If the `index` value is equal to `0`, then the `path` log field is mapped to the `target.file.full_path` UDM field. Else, the `path` log field is mapped to the `target.labels.value` UDM field.
`queue`	`principal.labels[queue]` (deprecated)
`queue`	`additional.fields[queue]`
`region`	`principal.location.name`
`timestamp`	`metadata.creation_timestamp`
`topic`	`about.labels[topic]` (deprecated)
`topic`	`additional.fields[topic]`
`topicType`	`about.labels[topicType]` (deprecated)
`topicType`	`additional.fields[topicType]`
`version`	`metadata.product_version`
	`is_alert`	The `is_alert` UDM field is set to `TRUE`.
	`is_significant`	The `is_significant` UDM field is set to `TRUE`.
`input.eventType`	`metadata.event_type`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `JAMF_PROTECT`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `JAMF`.
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `STORAGE_BUCKET`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `STORAGE_BUCKET`.
`input.match.event.options`	`about.labels[input_match_event_options]` (deprecated)
`input.match.event.options`	`additional.fields[input_match_event_options]`
`input.match.event.sourcePID`	`principal.process.pid`
`input.match.event.destinationPID`	`target.process.pid`
`image.match.event.detection`	`security_result.detection_fields [image_match_event_detection]`
`input.match.type`	`target.asset.attribute.labels [input_match_type]`	If the `input.match.type` log field value is equal to `0`, then the `target.asset.attribute.labels.value` UDM field is set to `0 - Device Inserted`. Else, if the `input.match.type` log field value is equal to `1`, then the `target.asset.attribute.labels.value` UDM field is set to `1 - Device Removed`.
`input.match.usbAddress`	`target.asset.attribute.labels [input_match_usb_address]`
`input.match.event.device.mediaPath`	`target.asset.attribute.labels [input_match_device_media_path]`
`input.match.event.device.protocol`	`target.asset.attribute.labels [input_match_device_protocol]`
`input.match.event.device.deviceModel`	`target.asset.hardware.model`
`input.match.event.device.isRemovable`	`target.asset.attribute.labels [input_match_device_is_removable]`
`input.match.event.device.mediaName`	`target.asset.attribute.labels [input_match_device_media_name]`
`input.match.event.device.bsdMinor`	`target.asset.attribute.labels [input_match_device_bsd_minor]`
`input.match.event.device.vendorName`	`target.asset.software.vendor_name`
`input.match.event.device.isWhole`	`target.asset.attribute.labels [input_match_device_is_whole]`
`input.match.event.device.unit`	`target.asset.attribute.labels [input_match_device_unit]`
`input.match.event.device.deviceSubclass`	`target.asset.attribute.labels [input_match_device_subclass]`
`input.match.event.device.serialNumber`	`target.asset.hardware.serial`
`input.match.event.device.bsdUnit`	`target.asset.attribute.labels [input_match_device_bsd_unit]`
`input.match.event.device.busPath`	`target.asset.attribute.labels [input_match_device_bus_path]`
`input.match.event.device.isLeaf`	`target.asset.attribute.labels [input_match_device_is_leaf]`
`input.match.event.device.isInternal`	`target.asset.attribute.labels [input_match_device_is_internal]`
`input.match.event.device.busName`	`target.asset.attribute.labels [input_match_device_bus_name]`
`input.match.event.device.bsdMajor`	`target.asset.attribute.labels [input_match_device_bsd_major]`
`input.match.event.device.isEjectable`	`target.asset.attribute.labels [input_match_device_is_ejectable]`
`input.match.event.device.isEncrypted`	`target.asset.attribute.labels [input_match_device_is_encrypted]`
`input.match.event.device.isEncryptable`	`target.asset.attribute.labels [input_match_device_is_encryptable]`
`input.match.event.device.devicePath`	`target.asset.attribute.labels [input_match_device_path]`
`input.match.event.device.bsdName`	`target.asset.attribute.labels [input_match_device_bsd_name]`
`input.match.event.device.vendorId`	`target.asset.attribute.labels [input_match_device_vendor_id]`
`input.match.event.device.content`	`target.asset.attribute.labels [input_match_device_content]`
`input.match.event.device.revision`	`target.asset.attribute.labels [input_match_device_revision]`
`input.match.event.device.size`	`target.asset.attribute.labels [input_match_device_size]`
`input.match.event.device.isNetworkVolume`	`target.asset.attribute.labels [input_match_device_is_network_volume]`
`input.match.event.device.blocksize`	`target.asset.attribute.labels [input_match_device_block_size]`
`input.match.event.device.productName`	`target.asset.attribute.labels [input_match_device_product_name]`
`input.match.event.device.mediaKind`	`target.asset.attribute.labels [input_match_device_media_kind]`
`input.match.event.device.isWritable`	`target.asset.attribute.labels [input_match_device_is_writable]`
`input.match.event.device.productId`	`target.asset.product_object_id`
`input.match.event.device.productId`	`target.asset.asset_id`	The `Asset Id: input.match.event.device.productId` log field is mapped to the `target.asset.asset_id` UDM field.
`input.match.event.device.deviceClass`	`target.asset.category`
`input.match.event.device.encryptionDetail`	`target.asset.attribute.labels [input_match_device_encryption_detail]`
`input.match.event.device.volumeKind`	`target.asset.attribute.labels [input_match_event_device_volume_kind]`
`input.match.event.device.volumeName`	`target.asset.attribute.labels [input_match_event_device_volume_name]`
`input.match.event.device.volumeType`	`target.asset.attribute.labels [input_match_event_device_volume_type]`
`input.match.event.device.isMountable`	`target.asset.attribute.labels [input_match_event_device_is_mountable]`
`input.match.event.device.encryptionDetail`	`target.asset.attribute.labels [input_match_event_device_encryption_detail]`
`input.match.event.fsid`	`principal.labels [input_match_event_fsid]`
`input.match.event.bfree`	`principal.labels[input_match_event_bfree]` (deprecated)
`input.match.event.bfree`	`additional.fields[input_match_event_bfree]`
`input.match.event.bsize`	`principal.labels[input_match_event_bsize]` (deprecated)
`input.match.event.bsize`	`additional.fields[input_match_event_bsize]`
`input.match.event.ffree`	`principal.labels[input_match_event_ffree]` (deprecated)
`input.match.event.ffree`	`additional.fields[input_match_event_ffree]`
`input.match.event.files`	`principal.labels[input_match_event_files]` (deprecated)
`input.match.event.files`	`additional.fields[input_match_event_files]`
`input.match.event.flags`	`principal.labels[input_match_event_flags]` (deprecated)
`input.match.event.flags`	`additional.fields[input_match_event_flags]`
`input.match.event.owner`	`principal.user.user_display_name`
`input.match.event.bavail`	`principal.labels[input_match_event_bvail]` (deprecated)
`input.match.event.bavail`	`additional.fields[input_match_event_bvail]`
`input.match.event.blocks`	`principal.labels[input_match_event_blocks]` (deprecated)
`input.match.event.blocks`	`additional.fields[input_match_event_blocks]`
`input.match.event.iosize`	`principal.labels[input_match_event_iosize]` (deprecated)
`input.match.event.iosize`	`additional.fields[input_match_event_iosize]`
`input.match.event.version`	`principal.labels[input_match_event_version]` (deprecated)
`input.match.event.version`	`additional.fields[input_match_event_version]`
`input.match.event.deadline`	`principal.labels[input_match_event_deadline]` (deprecated)
`input.match.event.deadline`	`additional.fields[input_match_event_deadline]`
`input.match.event.flagsExt`	`principal.labels[input_match_event_flags_ext]` (deprecated)
`input.match.event.flagsExt`	`additional.fields[input_match_event_flags_ext]`
`input.match.event.fsSubType`	`principal.labels[input_match_event_fs_subtype]` (deprecated)
`input.match.event.fsSubType`	`additional.fields[input_match_event_fs_subtype]`
`input.match.event.mntOnName`	`principal.labels[input_match_event_mnt_on_name]` (deprecated)
`input.match.event.mntOnName`	`additional.fields[input_match_event_mnt_on_name]`
`input.match.event.fsTypeName`	`principal.labels[input_match_event_fs_type_name]` (deprecated)
`input.match.event.fsTypeName`	`additional.fields[input_match_event_fs_type_name]`
`input.match.event.isReadOnly`	`principal.labels[input_match_event_is_read_only]` (deprecated)
`input.match.event.isReadOnly`	`additional.fields[input_match_event_is_read_only]`
`input.match.event.mntFromName`	`principal.labels[input_match_event_mnt_from_name]` (deprecated)
`input.match.event.mntFromName`	`additional.fields[input_match_event_mnt_from_name]`
`input.match.event.machTimestamp`	`principal.labels[input_match_event_mach_timestamp]` (deprecated)
`input.match.event.machTimestamp`	`additional.fields[input_match_event_mach_timestamp]`
`input.match.event.sequenceNumber`	`principal.labels[input_match_event_seq_number]` (deprecated)
`input.match.event.sequenceNumber`	`additional.fields[input_match_event_seq_number]`
`input.match.event.globalSequenceNumber`	`principal.labels[input_match_event_global_seq_number]` (deprecated)
`input.match.event.globalSequenceNumber`	`additional.fields[input_match_event_global_seq_number]`

後續步驟

將資料擷取至 Google Security Operations

還有其他問題嗎？向社群成員和 Google SecOps 專業人員尋求答案。