Esta página foi traduzida pela API Cloud Translation.

Coletar registros da Telemetria V2 do Jamf Protect

Compatível com:

Google SecOps SIEM

Neste documento, descrevemos como coletar registros de telemetria V2 do Jamf Protect configurando um feed do Google Security Operations. Ele detalha o mapeamento dos campos de registro da Telemetria V2 do Jamf Protect para os campos do Modelo Unificado de Dados (UDM) no Google SecOps e lista a versão compatível da Telemetria V2 do Jamf Protect.

Para mais informações, consulte Ingestão de dados no Google SecOps.

Uma implantação típica consiste na telemetria V2 do Jamf Protect e no feed do Google SecOps configurado para enviar registros ao Google SecOps. Cada implantação de cliente pode ser diferente e mais complexa.

A implantação contém os seguintes componentes:

Telemetria do Jamf Protect V2. A plataforma Jamf Protect Telemetry V2 de onde você coleta registros.
Feed do Google SecOps. O feed do Google SecOps que busca registros da telemetria do Jamf Protect e grava registros no Google SecOps.
Google SecOps. O Google SecOps retém e analisa os registros da telemetria V2 do Jamf Protect.

Cada registro é normalizado para o modelo de dados unificado (UDM) usando um analisador específico. As informações neste documento se aplicam ao analisador associado ao rótulo de ingestão JAMF_TELEMETRY_V2.

Antes de começar

Verifique se você configurou a versão mais recente do Jamf Protect Telemetry V2 (em inglês).
Verifique se você está usando a versão 6.3.2 ou mais recente do Jamf Protect.
Confira se todos os sistemas na arquitetura de implantação estão configurados com o fuso horário UTC.

Configurar um feed no Google SecOps para ingerir registros da telemetria V2 do Jamf Protect

É possível usar o Amazon S3 ou um webhook para configurar um feed de ingestão no Google SecOps, mas recomendamos usar o Amazon S3.

Configurar um feed de ingestão no Google SecOps usando o Amazon S3

Acesse Configurações do SIEM > Feeds.
Clique em Add New.
Selecione Amazon S3 como o Tipo de origem.
Selecione Jamf Protect Telemetry V2 como o Tipo de registro para criar um feed para o Jamf Protect Telemetry V2.
Clique em Próxima.
Configure os seguintes parâmetros de entrada:
- URI do S3: o URI que aponta para um contêiner do S3.
- URI is a: o tipo de objeto indicado pelo URI.
- Opção de exclusão da origem: se você quer excluir arquivos ou diretórios após a transferência.
- Selecione Chave de acesso ou Chave de acesso secreta: escolha o tipo de credencial adequado.
- Chave/token: a chave compartilhada ou o token SAS para acessar recursos do S3.
Clique em Próxima e em Enviar.
Copie o ID do feed do nome do feed para usar em Jamf Protect Telemetry V2.

Configurar um feed de ingestão no Google SecOps usando um webhook

Acesse Configurações do SIEM > Feeds.
Clique em Adicionar novo.
No campo Nome do feed, insira um nome para o feed.
Na lista Tipo de origem, selecione Webhook.
Selecione Jamf Protect Telemetry V2 como o Tipo de registro para criar um feed para o Jamf Protect Telemetry V2.
Clique em Próxima.
Opcional: especifique valores para os seguintes parâmetros de entrada:
- Delimitador de divisão: o delimitador usado para separar linhas de registro, como \n.
- Namespace do recurso: o namespace do recurso.
- Rótulos de ingestão: o rótulo a ser aplicado aos eventos deste feed.
Clique em Próxima.
Revise a nova configuração do feed na tela Finalizar e clique em Enviar.
Clique em Gerar chave secreta para autenticar o feed.
Copie e armazene a chave secreta com segurança. Não é possível ver essa chave secreta novamente. Se necessário, você pode gerar uma nova chave secreta, mas isso vai invalidar a anterior.
Na guia Detalhes, copie o URL do endpoint do feed no campo Informações do endpoint. Você vai precisar desse URL HTTPS para configurar o aplicativo cliente do Jamf Protect Telemetry V2.
Clique em Concluído.

Criar uma chave de API para um feed de webhook

Acesse o console doGoogle Cloud > Credenciais.

Ir para Credenciais
Clique em Criar credenciais e, em seguida, selecione Chave de API.
Restrinja o acesso da chave de API à API Google Security Operations.

Configurar a telemetria V2 do Jamf Protect para um feed de webhook

No aplicativo Jamf Protect Telemetry V2, navegue até a Configuração de ação relacionada.
Clique em Criar ações para adicionar um novo endpoint de dados.
Selecione HTTP como o protocolo.
No campo URL, insira o URL HTTPS do endpoint de API Google Security Operations. Esse é o campo Informações do endpoint que você copiou da configuração do feed de webhook. Ele já está no formato necessário.
Ative a autenticação especificando a chave de API e a chave secreta como parte do cabeçalho personalizado no seguinte formato:
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
Recomendação: especifique a chave de API como um cabeçalho em vez de no URL. Se o cliente de webhook não aceitar cabeçalhos personalizados, especifique a chave de API e a chave secreta usando parâmetros de consulta no seguinte formato:
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```
Substitua:
- ENDPOINT_URL: o URL do endpoint do feed.
- API_KEY: a chave de API para autenticar no Google Security Operations.
- SECRET: a chave secreta gerada para autenticar o feed.
Na seção Coletar registros, selecione Telemetria.
Clique em Enviar.

Para mais informações sobre feeds do Google SecOps, consulte a documentação sobre feeds do Google SecOps. Para informações sobre os requisitos de cada tipo de feed, consulte Configuração de feed por tipo.

Se você tiver problemas ao criar feeds, entre em contato com o suporte do Google SecOps.

Referência de mapeamento de campos

Esta seção explica como o analisador do Google SecOps mapeia os campos da telemetria V2 do Jamf Protect para os campos do modelo unificado de dados (UDM, na sigla em inglês) do Google SecOps.

Referência de mapeamento de campos: identificador de evento para tipo de evento

A tabela a seguir lista os tipos de registros JAMF_TELEMETRY_V2 e os tipos de eventos da UDM correspondentes.

Event Identifier	Event Type
`authentication`	`USER_LOGIN`
`bios_uefi`	`STATUS_UPDATE`
`btm_launch_item_add`	`PROCESS_LAUNCH`
`btm_launch_item_remove`	`PROCESS_TERMINATION`
`chroot`	`FILE_MODIFICATION`
`cs_invalidated`	`STATUS_UPDATE`
`exec`	`PROCESS_LAUNCH`
`file_collection`	`STATUS_UPDATE`
`gatekeeper_user_override`	`STATUS_UPDATE`
`kextload`	`STATUS_UPDATE`
`kextunload`	`STATUS_UPDATE`
`log_collection`	`STATUS_UPDATE`
`login_login`	`USER_LOGIN`
`login_logout`	`USER_LOGOUT`
`lw_session_lock`	`USER_LOGOUT`
`lw_session_login`	`USER_LOGIN`
`lw_session_logout`	`USER_LOGOUT`
`lw_session_unlock`	`USER_LOGIN`
`mount`	`STATUS_UPDATE`
`od_attribute_set`	`USER_RESOURCE_UPDATE_CONTENT`
`od_attribute_value_add`	`STATUS_UPDATE`
`od_attribute_value_remove`	`USER_RESOURCE_DELETION`
`od_create_group`	`GROUP_CREATION`
`od_create_user`	`USER_CREATION`
`od_delete_group`	`GROUP_DELETION`
`od_delete_user`	`USER_DELETION`
`od_disable_user`	`USER_UNCATEGORIZED`
`od_enable_user`	`USER_UNCATEGORIZED`
`od_group_add`	`GROUP_MODIFICATION`
`od_group_remove`	`GROUP_MODIFICATION`
`od_group_set`	`GROUP_MODIFICATION`
`od_modify_password`	`USER_CHANGE_PASSWORD`
`openssh_login`	`USER_LOGIN`
`openssh_logout`	`USER_LOGOUT`
`sudo`	`STATUS_UPDATE`
`system_performance`	`STATUS_UPDATE`
`unmount`	`STATUS_UPDATE`
`profile_add`	`SETTING_CREATION`
`profile_remove`	`SETTING_DELETION`
`remount`	`RESOURCE_CREATION`
`screensharing_attach`	`USER_LOGIN`
`screensharing_detach`	`USER_LOGOUT`
`settime`	`STATUS_UPDATE`
`su`	`USER_LOGIN`
`xp_malware_detected`	`SCAN_FILE`
`xp_malware_remediated`	`SCAN_FILE`

Referência de mapeamento de campo: JAMF_TELEMETRY_V2 - Common Fields

A tabela a seguir lista campos comuns do tipo de registro JAMF_TELEMETRY_V2 e os campos correspondentes da UDM.

Log field	UDM mapping	Logic
`action.result.result.auth`	`security_result.action`	If the event_type log field value is < `8000`, and not equal to `113` or `112`, and the action.result.result.auth field is equal to 1, then set `security_result.action` to BLOCK. Else, set `security_result.action` to ALLOW
	`principal.platform`	The `principal.platform` UDM field is set to `MAC`.
`uuid`	`metadata.product_log_id`
`time`	`metadata.event_timestamp`
`metadata.product`	`metadata.product_name`
`host.protectVersion`	`metadata.product_version`
`metadata.vendor`	`metadata.vendor_name`
`host.hostname`	`principal.asset.hostname`
`host.os`	`principal.platform_version`
`host.provisioningUDID`	`principal.asset_id`
`host.serial`	`principal.asset.hardware.serial_number`
`host.ips`	`principal.ip`	Iterate through log field `host.ips`, then `host.ips` log field is mapped to the `principal.ip` UDM field.
`event_type`	`additional.fields[event_type]`
`global_seq_num`	`additional.fields[global_seq_num]`
`process.executable.path`	`src.process.file.full_path`
`process.executable.stat.st_dev`	`src.process.file.stat_dev`
`process.executable.stat.st_flags`	`src.process.file.stat_flags`
`process.executable.stat.st_ino`	`src.process.file.stat_inode`
`process.executable.stat.st_mode`	`src.process.file.stat_mode`
`process.executable.stat.st_mtimespec`	`src.process.file.last_modification_time`
`process.executable.stat.st_atimespec`	`src.process.file.last_access_time`
`process.executable.stat.st_nlink`	`src.process.file.stat_nlink`
`process.executable.stat.st_size`	`src.process.file.size`
`process.executable.sha256`	`src.process.file.sha256`
`process.executable.sha1`	`src.process.file.sha1`
`process.signing_id`	`src.process.file.signature_info.codesign.id`
`process.team_id`	`additional.fields[process_team_id]`
`process.ppid`	`additional.fields[process_ppid]`
`process.codesigning_flags`	`additional.fields[process_codesigning_flags]`
`process.cdhash`	`additional.fields[process_cdhash]`
`process.is_platform_binary`	`additional.fields[process_is_platform_binary]`
`process.is_es_client`	`additional.fields[process_is_es_client]`
`process.group_id`	`additional.fields[process_group_id]`
`process.original_ppid`	`additional.fields[process_original_ppid]`
`process.session_id`	`additional.fields[process_session_id]`
`thread.uuid`	`additional.fields[thread_uuid]`
`thread.thread_id`	`additional.fields[thread_id]`
`seq_num`	`additional.fields[seq_num]`
`mach_time`	`additional.fields[mach_time]`
`version`	`additional.fields[version]`
`process.audit_token.euid`	`src.process.euid`
`process.audit_token.ruid`	`src.process.ruid`
`process.audit_token.egid`	`src.process.egid`
`process.audit_token.rgid`	`src.process.rgid`
`process.audit_token.pgid`	`src.process.pgid`
`process.audit_token.pid`	`src.process.pid`
`process.audit_token.uuid`	`src.process.product_specific_process_id`
`process.audit_token.signing_id`	`additional.fields[process_audit_token_signing_id]`
`process.parent_audit_token.euid`	`src.process.parent_process.euid`
`process.parent_audit_token.ruid`	`src.process.parent_process.ruid`
`process.parent_audit_token.egid`	`src.process.parent_process.egid`
`process.parent_audit_token.rgid`	`src.process.parent_process.rgid`
`process.parent_audit_token.pgid`	`src.process.parent_process.pgid`
`process.parent_audit_token.pid`	`src.process.parent_process.pid`
`process.parent_audit_token.uuid`	`src.process.parent_process.product_specific_process_id`
`process.parent_audit_token.signing_id`	`src.process.parent_process.file.signature_info.codesign.id`

Referência de mapeamento de campos: campos de rawlog para campos da UDM por `event_type`.

`event_type: remount`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `remount`.
	`metadata.description`	`A file system has been remounted.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `RESOURCE_CREATION`.
	`principal.user.userid`	The `principal.user.userid` UDM field is set to `null`.
`event.remount.statfs.f_owner`	`target.user.userid`
`event.remount.device.size`	`target.file.size`
`event.remount.statfs.f_fstypename`	`target.resource.resource_subtype`
`event.remount.statfs.f_mntfromname`	`src.resource.name`
`event.remount.statfs.f_mntonname`	`target.resource.name`

`event_type: screensharing_attach`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `screensharing_attach`.
	`metadata.description`	`A screen sharing session has attached to a graphical session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
`event.screensharing_attach.source_address`	`src.ip`
`event.screensharing_attach.authentication_username`	`target.user.user_display_name`
`event.screensharing_attach.session_username`	`principal.user.user_display_name`
`event.screensharing_attach.viewer_appleid`	`additional.fields[screensharing_attach.viewer_appleid]`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`.
	`security_result.category`	If the `event.screensharing_attach.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: su`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `su`.
	`metadata.description`	`A user attempts to start a new shell using a substitute user identity.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.su.argv`	`target.process.command_line`	If the `event.su.argc` log field value is not equal to `0` then, iterate through log field `event.su.argv`, then `event.su.argv` log field is mapped to the `target.process.command_line` UDM field.
`event.su.to_uid`	`target.user.userid`
`event.su.to_username`	`target.user.user_display_name`
`event.su.from_uid`	`principal.user.userid`
`event.su.from_username`	`principal.user.user_display_name`

`event_type: settime`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `settime`.
	`metadata.description`	`The system time was attempted to be set.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.

`event_type: screensharing_detach`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `screensharing_detach`.
	`metadata.description`	`A screen sharing session has detached from a graphical session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`target.user.user_display_name`	The `target.user.user_display_name` UDM field is set to `null`.
`event.screensharing_detach.source_address`	`src.ip`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `mechanism`.

`event_type: xp_malware_remediated`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `xp_malware_remediated`.
	`metadata.description`	`Apple's XProtect remediated malware on the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_FILE`.
`action.result.result.auth`	`security_result.action`
`event.xp_malware_remediated.remediated_path`	`target.file.full_path`
`event.xp_malware_remediated.action_type`	`additional.fields[xp_malware_remediated.action_type]`
`event.xp_malware_remediated.success`	`additional.fields[xp_malware_remediated.success]`
`event.xp_malware_remediated.incident_identifier`	`security_result.threat_id`
`event.xp_malware_remediated.malware_identifier`	`security_result.threat_name`
`event.xp_malware_remediated.signature_version`	`security_result.rule_id`

`event_type: xp_malware_detected`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `xp_malware_detected`.
	`metadata.description`	`Apple's XProtect detected malware on the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_FILE`.
`action.result.result.auth`	`security_result.action`
`event.xp_malware_detected.detected_path`	`target.file.full_path`
`event.xp_malware_detected.incident_identifier`	`security_result.threat_id`
`event.xp_malware_detected.malware_identifier`	`security_result.threat_name`

`event_type: authentication`

Log field	UDM mapping	Logic
	`Check additional fields in conf`
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `authentication`.
	`metadata.description`	`A user authentication has occurred.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
`event.authentication.data.od.instigator.audit_token.pid`	`principal.process.pid`
`event.authentication.data.od.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`	`JamfProtect:%{event.authentication.data.od.instigator.audit_token.uuid}` log field is mapped to the `principal.process.product_specific_process_id` UDM field.
`event.authentication.data.od.instigator.audit_token.euid`	`principal.process.euid`
`event.authentication.data.od.instigator.audit_token.ruid`	`principal.process.ruid`
`event.authentication.data.od.instigator.audit_token.rgid`	`principal.process.rgid`
`event.authentication.data.od.instigator.audit_token.pgid`	`principal.process.pgid`
`event.authentication.data.od.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.authentication.data.od.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.authentication.data.od.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.authentication.data.od.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.authentication.data.od.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.authentication.data.od.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.authentication.data.od.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.authentication.data.od.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`	`JamfProtect:%{event.authentication.data.od.instigator.parent_audit_token.uuid}` log field is mapped to the `principal.process.parent_process.product_specific_process_id` UDM field.
`event.authentication.data.od.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.authentication.data.od.instigator.executable.path`	`principal.process.file.full_path`
`event.authentication.data.od.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.authentication.data.od.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.authentication.data.od.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.authentication.data.od.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.authentication.data.od.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.authentication.data.od.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.authentication.data.od.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.authentication.data.od.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.authentication.data.od.instigator.executable.sha256`	`principal.process.file.sha256`
`event.authentication.data.od.instigator.executable.sha1`	`principal.process.file.sha1`
`event.authentication.data.od.instigator.signing_id`	`additional.fields[authentication_data_od_instigator_signing_id]`
`event.authentication.data.od.instigator.team_id`	`additional.fields[authentication_data_od_instigator_team_id]`
`event.authentication.data.od.instigator.ppid`	`rincipal.process.parent_process.pid`
`event.authentication.data.od.instigator.codesigning_flags`	`additional.fields[codesigning_flags]`
`event.authentication.data.od.instigator.cdhash`	`additional.fields[cdhash]`
`event.authentication.data.od.instigator.is_platform_binary`	`additional.fields[is_platform_binary]`
`event.authentication.data.od.instigator.is_es_client`	`additional.fields[is_es_client]`
`event.authentication.data.od.instigator.group_id`	`additional.fields[group_id]`
`event.authentication.data.od.instigator.original_ppid`	`additional.fields[original_ppid]`
`event.authentication.data.od.instigator.session_id`	`additional.fields[session_id]`
`event.authentication.data.touchid.instigator.audit_token.euid`	`principal.process.euid`
`event.authentication.data.touchid.instigator.audit_token.ruid`	`principal.process.ruid`
`event.authentication.data.touchid.instigator.audit_token.egid`	`principal.process.egid`
`event.authentication.data.touchid.instigator.audit_token.rgid`	`principal.process.rgid`
`event.authentication.data.touchid.instigator.audit_token.pgid`	`principal.process.pgid`
`event.authentication.data.touchid.instigator.audit_token.pid`	`principal.process.pid`
`event.authentication.data.touchid.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.authentication.data.touchid.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.authentication.data.touchid.instigator.parent_audit_token.euid`	`principal.parent_process.parent_process.euid`
`event.authentication.data.touchid.instigator.parent_audit_token.ruid`	`principal.parent_process.parent_process.ruid`
`event.authentication.data.touchid.instigator.parent_audit_token.egid`	`principal.parent_process.parent_process.egid`
`event.authentication.data.touchid.instigator.parent_audit_token.rgid`	`principal.parent_process.parent_process.rgid`
`event.authentication.data.touchid.instigator.parent_audit_token.pgid`	`principal.parent_process.parent_process.pgid`
`event.authentication.data.touchid.instigator.parent_audit_token.pid`	`principal.parent_process.parent_process.pid`
`event.authentication.data.touchid.instigator.parent_audit_token.uuid`	`principal.parent_process.product_specific_process_id`
`event.authentication.data.touchid.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.authentication.data.touchid.instigator.executable.path`	`principal.process.file.full_path`
`event.authentication.data.touchid.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.authentication.data.touchid.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.authentication.data.touchid.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.authentication.data.touchid.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.authentication.data.touchid.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.authentication.data.touchid.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.authentication.data.touchid.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.authentication.data.touchid.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.authentication.data.touchid.instigator.executable.sha256`	`principal.process.file.sha256`
`event.authentication.data.touchid.instigator.executable.sha1`	`principal.process.file.sha1`
`event.authentication.data.touchid.instigator.signing_id`	`additional.fields[authentication_data_touch_id_instigator_signing_id]`
`event.authentication.data.touchid.instigator.team_id`	`additional.fields[authentication_data_touch_id_instigator_team_id]`
`event.authentication.data.touchid.instigator.ppid`	`additional.fields[authentication_data_touch_id_instigator_ppid]`
`event.authentication.data.touchid.instigator.codesigning_flags`	`additional.fields[touchid_instigator_codesigning_flags]`
`event.authentication.data.touchid.instigator.cdhash`	`additional.fields[touchid_instigator_cdhash]`
`event.authentication.data.touchid.instigator.is_platform_binary`	`additional.fields[touchid_instigator_is_platform_binary]`
`event.authentication.data.touchid.instigator.is_es_client`	`additional.fields[touchid_instigator_is_es_client]`
`event.authentication.data.touchid.instigator.group_id`	`additional.fields[touchid_instigator_group_id]`
`event.authentication.data.touchid.instigator.original_ppid`	`additional.fields[touchid_instigator_original_ppid]`
`event.authentication.data.touchid.instigator.session_id`	`additional.fields[touchid_instigator_session_id]`
`event.authentication.data.token.instigator.audit_token.euid`	`principal.process.euid`
`event.authentication.data.token.instigator.audit_token.ruid`	`principal.process.ruid`
`event.authentication.data.token.instigator.audit_token.egid`	`principal.process.egid`
`event.authentication.data.token.instigator.audit_token.rgid`	`principal.process.rgid`
`event.authentication.data.token.instigator.audit_token.pgid`	`principal.process.pgid`
`event.authentication.data.token.instigator.audit_token.pid`	`principal.process.pid`
`event.authentication.data.token.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.authentication.data.token.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.authentication.data.token.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.authentication.data.token.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.authentication.data.token.instigator.parent_audit_token.egid`	`process.parent_process.egid`
`event.authentication.data.token.instigator.parent_audit_token.rgid`	`process.parent_process.rgid`
`event.authentication.data.token.instigator.parent_audit_token.pgid`	`process.parent_process.pgid`
`event.authentication.data.token.instigator.parent_audit_token.pid`	`process.parent_process.pid`
`event.authentication.data.token.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.authentication.data.token.instigator.parent_audit_token.signing_id`	`process.parent_process.file.signature_info.codesign.id`
`event.authentication.data.token.instigator.executable.path`	`principal.process.file.full_path`
`event.authentication.data.token.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.authentication.data.token.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.authentication.data.token.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.authentication.data.token.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.authentication.data.token.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.authentication.data.token.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.authentication.data.token.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.authentication.data.token.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.authentication.data.token.instigator.executable.sha256`	`principal.process.file.sha256`
`event.authentication.data.token.instigator.executable.sha1`	`principal.process.file.sha1`
`event.authentication.data.token.instigator.signing_id`	`additional.fields[authentication_data_token_instigator_signing_id]`
`event.authentication.data.token.instigator.team_id`	`additional.fields[authentication_data_token_instigator_team_id]`
`event.authentication.data.token.instigator.ppid`	`additional.fields[authentication_data_token_instigator_ppid]`
`event.authentication.data.token.instigator.codesigning_flags`	`additional.fields[instigator_codesigning_flags]`
`event.authentication.data.token.instigator.cdhash`	`additional.fields[instigator_cdhash]`
`event.authentication.data.token.instigator.is_platform_binary`	`additional.fields[instigator_is_platform_binary]`
`event.authentication.data.token.instigator.is_es_client`	`additional.fields[instigator_is_es_client]`
`event.authentication.data.token.instigator.group_id`	`additional.fields[instigator_group_id]`
`event.authentication.data.token.instigator.original_ppid`	`additional.fields[instigator_original_ppid]`
`event.authentication.data.token.instigator.session_id`	`additional.fields[instigator_session_id]`
`event.authentication.data.od.record_name`	`target.user.user_display_name`
`event.authentication.data.od.db_path`	`additional.fields[db_path]`
`event.authentication.data.od.node_name`	`additional.fields[node_name]`
`event.authentication.data.od.record_type`	`additional.fields[record_type]`
`event.authentication.data.touchid.uid`	`target.user.userid`
`event.authentication.data.touchid.touchid_mode`	`additional.fields[authentication_data_touchid_touchid_mode]`
`event.authentication.data.token.pubkey_hash`	`additional.fields[authentication_data_token_pubkey_hash]`
`event.authentication.data.token.token_id`	`additional.fields[authentication_data_token_token_id]`
`event.authentication.data.token.kerberos_principal`	`additional.fields[authentication_data_token_kerberos_principal]`
`event.authentication.data.auto_unlock.username`	`target.user.user_display_name`
`event.authentication.data.auto_unlock.type`	`additional.fields[authentication_data_auto_unlock_type]`
`event.authentication.type`	`extensions.auth.mechanism`	If the `event.authentication.type` log field value is equal to `0` then, the `extensions.auth.mechanism` UDM field is set to `USERNAME_PASSWORD`. Else If the `event.authentication.type` log field value is equal to `1` then, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_OTHER`. Else If the `event.authentication.type` log field value is equal to `2` then, the `extensions.auth.mechanism` UDM field is set to `HARDWARE_KEY`. Else, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_OTHER`.
`event.authentication.success`	`security_result.category`	If the `event.authentication.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: btm_launch_item_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `btm_launch_item_add`.
	`metadata.description`	`Apple's Background Task Manager notifies that a new persistence item has been added.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_LAUNCH`.
`event.btm_launch_item_add.instigator.audit_token.euid`	`principal.process.euid`
`event.btm_launch_item_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.btm_launch_item_add.instigator.audit_token.egid`	`principal.process.egid`
`event.btm_launch_item_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.btm_launch_item_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.btm_launch_item_add.instigator.audit_token.pid`	`principal.process.pid`
`event.btm_launch_item_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.btm_launch_item_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.btm_launch_item_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.btm_launch_item_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.btm_launch_item_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.btm_launch_item_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.btm_launch_item_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.btm_launch_item_add.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.btm_launch_item_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.btm_launch_item_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.btm_launch_item_add.instigator.executable.path`	`principal.process.file.full_path`
`event.btm_launch_item_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.btm_launch_item_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.btm_launch_item_add.instigator.executable.stat.stat_inode`	`principal.process.file.stat_inode`
`event.btm_launch_item_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.btm_launch_item_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.btm_launch_item_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.btm_launch_item_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.btm_launch_item_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.btm_launch_item_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.btm_launch_item_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.btm_launch_item_add.instigator.signing_id`	`additional.fields[btm_launch_item_add_data_token_instigator_signing_id]`
`event.btm_launch_item_add.instigator.team_id`	`additional.fields[btm_launch_item_add_data_token_instigator_team_id]`
`event.btm_launch_item_add.instigator.ppid`	`additional.fields[btm_launch_item_add_data_token_instigator_ppid]`
`event.btm_launch_item_add.instigator.codesigning_flags`	`additional.fields[btm_launch_item_add_instigator_codesigning_flags]`
`event.btm_launch_item_add.instigator.cdhash`	`additional.fields[btm_launch_item_add_instigator_cdhash]`
`event.btm_launch_item_add.instigator.is_platform_binary`	`additional.fields[btm_launch_item_add_instigator_is_platform_binary]`
`event.btm_launch_item_add.instigator.is_es_client`	`additional.fields[btm_launch_item_add_instigator_is_es_client]`
`event.btm_launch_item_add.instigator.group_id`	`additional.fields[btm_launch_item_add_instigator_group_id]`
`event.btm_launch_item_add.instigator.original_ppid`	`additional.fields[btm_launch_item_add_instigator_original_ppid]`
`event.btm_launch_item_add.instigator.session_id`	`additional.fields[btm_launch_item_add_instigator_session_id]`
`event.btm_launch_item_add.app.audit_token.euid`	`target.process.euid`
`event.btm_launch_item_add.app.audit_token.ruid`	`target.process.ruid`
`event.btm_launch_item_add.app.audit_token.egid`	`target.process.egid`
`event.btm_launch_item_add.app.audit_token.rgid`	`target.process.rgid`
`event.btm_launch_item_add.app.audit_token.pgid`	`target.process.pgid`
`event.btm_launch_item_add.app.audit_token.pid`	`target.process.pid`
`event.btm_launch_item_add.app.audit_token.uuid`	`target.process.product_specific_process_id`
`event.btm_launch_item_add.app.audit_token.signing_id`	`target.process.file.signature_info.codesign.id`
`event.btm_launch_item_add.app.parent_audit_token.euid`	`target.process.parent_process.euid`
`event.btm_launch_item_add.app.parent_audit_token.ruid`	`target.process.parent_process.ruid`
`event.btm_launch_item_add.app.parent_audit_token.egid`	`target.process.parent_process.egid`
`event.btm_launch_item_add.app.parent_audit_token.rgid`	`target.process.parent_process.rgid`
`event.btm_launch_item_add.app.parent_audit_token.pid`	`target.process.parent_process.pid`
`event.btm_launch_item_add.app.parent_audit_token.uuid`	`target.process.parent_process.product_specific_process_id`
`event.btm_launch_item_add.app.parent_audit_token.signing_id`	`target.process.parent_process.file.signature_info.codesign.id`
`event.btm_launch_item_add.app.executable.path`	`target.process.file.full_path`
`event.btm_launch_item_add.app.executable.stat.st_dev`	`target.process.file.stat_dev`
`event.btm_launch_item_add.app.executable.stat.st_flags`	`target.process.file.stat_flags`
`event.btm_launch_item_add.app.executable.stat.st_ino`	`target.process.file.stat_inode`
`event.btm_launch_item_add.app.executable.stat.st_mode`	`target.process.file.stat_mode`
`event.btm_launch_item_add.app.executable.stat.st_mtimespec`	`target.process.file.last_modification_time`
`event.btm_launch_item_add.app.executable.stat.st_atimespec`	`target.process.file.last_access_time`
`event.btm_launch_item_add.app.executable.stat.st_nlink`	`target.process.file.stat_nlink`
`event.btm_launch_item_add.app.executable.stat.st_size`	`target.process.file.size`
`event.btm_launch_item_add.app.executable.sha256`	`target.process.file.sha256`
`event.btm_launch_item_add.app.executable.sha1`	`target.process.file.sha1`
`event.btm_launch_item_add.app.signing_id`	`additional.fields[btm_launch_item_add_app_signing_id]`
`event.btm_launch_item_add.app.team_id`	`additional.fields[btm_launch_item_add_app_team_id]`
`event.btm_launch_item_add.app.ppid`	`additional.fields[btm_launch_item_add_app_ppid]`
`event.btm_launch_item_add.app.codesigning_flags`	`additional.fields[btm_launch_item_add_app_codesigning_flags]`
`event.btm_launch_item_add.app.cdhash`	`additional.fields[btm_launch_item_add_app_cdhash]`
`event.btm_launch_item_add.app.is_platform_binary`	`additional.fields[btm_launch_item_add_app_is_platform_binary]`
`event.btm_launch_item_add.app.is_es_client`	`additional.fields[btm_launch_item_add_app_is_es_client]`
`event.btm_launch_item_add.app.group_id`	`additional.fields[btm_launch_item_add_app_group_id]`
`event.btm_launch_item_add.app.original_ppid`	`additional.fields[btm_launch_item_add_app_group_id]`
`event.btm_launch_item_add.app.session_id`	`additional.fields[btm_launch_item_add_app_session_id]`
`event.btm_launch_item_add.executable_path`	`target.file.full_path`	If the `event.btm_launch_item_add.item.item_type` log field value is equal to `4` or the `event.btm_launch_item_add.item.item_type` log field value is equal to `3` and if the `event.btm_launch_item_add.executable_path` log field value is `not empty` and if the `event.btm_launch_item_add.executable_path` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_add.executable_path` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_add.executable_path` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.executable_path}` log field is mapped to the `target.file.full_path` UDM field. Else If the `event.btm_launch_item_add.item.item_url` log field value is `not empty` and if the `event.btm_launch_item_add.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_add.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_add.item.item_url` log field is mapped to the `target.resource.name` UDM field. Else, `%{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url}` log field is mapped to the `target.resource.name` UDM field.
`event.btm_launch_item_add.item.item_url`	`target.file.full_path`	If the `event.btm_launch_item_add.item.item_type` log field value is equal to `0` or the `event.btm_launch_item_add.item.item_type` log field value is equal to `1` or the `event.btm_launch_item_add.item.item_type` log field value is equal to `2` and if the `event.btm_launch_item_add.item.item_url` log field value is not empty and if the `event.btm_launch_item_add.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_add.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then the `event.btm_launch_item_add.item.item_url` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url}` log field is mapped to the `target.file.full_path` UDM field.
`event.btm_launch_item_add.item.uid`	`target.user.userid`
`event.btm_launch_item_add.item.item_type`	`target.application`	If the `event.btm_launch_item_add.item.item_type` log field value is equal to `0` then, the `target.application` UDM field is set to `USER_ITEM`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `1` then, the `target.application` UDM field is set to `APP`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `2` then, the `target.application` UDM field is set to `LOGIN_ITEM`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `3` then, the `target.application` UDM field is set to `AGENT`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `4` then, the `target.application` UDM field is set to `DAEMON`.
`event.btm_launch_item_add.item.managed`	`additional.fields[btm_launch_item_add_item_managed]`
`event.btm_launch_item_add.item.legacy`	`additional.fields[btm_launch_item_add_item_legacy]`

`event_type: btm_launch_item_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `btm_launch_item_remove`.
	`metadata.description`	`Apple's Background Task Manager notified that an item has been removed.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_TERMINATION`.
`event.btm_launch_item_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.btm_launch_item_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.btm_launch_item_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.btm_launch_item_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.btm_launch_item_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.btm_launch_item_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.btm_launch_item_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.btm_launch_item_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.btm_launch_item_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.btm_launch_item_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.btm_launch_item_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.btm_launch_item_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.btm_launch_item_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.btm_launch_item_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.btm_launch_item_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.btm_launch_item_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.btm_launch_item_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.btm_launch_item_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.btm_launch_item_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.btm_launch_item_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.btm_launch_item_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.btm_launch_item_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.btm_launch_item_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.btm_launch_item_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.btm_launch_item_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.btm_launch_item_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.btm_launch_item_remove.instigator.codesigning_flags`	`additional.fields[btm_launch_item_remove_instigator_codesigning_flags]`
`event.btm_launch_item_remove.instigator.cdhash`	`additional.fields[btm_launch_item_remove_instigator_cdhash]`
`event.btm_launch_item_remove.instigator.is_es_client`	`additional.fields[btm_launch_item_remove_instigator_is_es_client]`
`event.btm_launch_item_remove.instigator.group_id`	`additional.fields[btm_launch_item_remove_instigator_group_id]`
`event.btm_launch_item_remove.instigator.original_ppid`	`additional.fields[btm_launch_item_remove_instigator_original_ppid]`
`event.btm_launch_item_remove.instigator.session_id`	`additional.fields[btm_launch_item_remove_instigator_session_id]`
`event.btm_launch_item_remove.app.audit_token.euid`	`target.process.euid`
`event.btm_launch_item_remove.app.audit_token.ruid`	`target.process.ruid`
`event.btm_launch_item_remove.app.audit_token.egid`	`target.process.egid`
`event.btm_launch_item_remove.app.audit_token.rgid`	`target.process.rgid`
`event.btm_launch_item_remove.app.audit_token.pgid`	`target.process.pgid`
`event.btm_launch_item_remove.app.audit_token.pid`	`target.process.pid`
`event.btm_launch_item_remove.app.audit_token.uuid`	`target.process.product_specific_process_id`
`event.btm_launch_item_remove.app.audit_token.signing_id`	`target.process.file.signature_info.codesign.id`
`event.btm_launch_item_remove.app.parent_audit_token.euid`	`target.process.parent_process.euid`
`event.btm_launch_item_remove.app.parent_audit_token.ruid`	`target.process.parent_process.ruid`
`event.btm_launch_item_remove.app.parent_audit_token.egid`	`target.process.parent_process.egid`
`event.btm_launch_item_remove.app.parent_audit_token.rgid`	`target.process.parent_process.rgid`
`event.btm_launch_item_remove.app.parent_audit_token.pgid`	`target.process.parent_process.pgid`
`event.btm_launch_item_remove.app.parent_audit_token.pid`	`target.process.parent_process.pid`
`event.btm_launch_item_remove.app.parent_audit_token.uuid`	`target.process.parent_process.product_specific_process_id`
`event.btm_launch_item_remove.app.executable.path`	`target.process.file.full_path`
`event.btm_launch_item_remove.app.executable.stat.st_dev`	`target.process.file.stat_dev`
`event.btm_launch_item_remove.app.executable.stat.st_flags`	`target.process.file.stat_flags`
`event.btm_launch_item_remove.app.executable.stat.st_ino`	`target.process.file.stat_inode`
`event.btm_launch_item_remove.app.executable.stat.st_mode`	`target.process.file.stat_mode`
`event.btm_launch_item_remove.app.executable.stat.st_mtimespec`	`target.process.file.last_modification_time`
`event.btm_launch_item_remove.app.executable.stat.st_atimespec`	`target.process.file.last_access_time`
`event.btm_launch_item_remove.app.executable.stat.st_nlink`	`target.process.file.stat_nlink`
`event.btm_launch_item_remove.app.executable.stat.st_size`	`target.process.file.size`
`event.btm_launch_item_remove.app.executable.sha256`	`target.process.file.sha256`
`event.btm_launch_item_remove.app.executable.sha1`	`target.process.file.sha1`
`event.btm_launch_item_remove.app.signing_id`	`additional.fields[btm_launch_item_remove_app_signing_id]`
`event.btm_launch_item_remove.app.team_id`	`additional.fields[btm_launch_item_remove_app_team]`
`event.btm_launch_item_remove.app.ppid`	`additional.fields[btm_launch_item_remove_app_ppid]`
`event.btm_launch_item_remove.app.codesigning_flags`	`additional.fields[btm_launch_item_remove_app_codesigning_flags]`
`event.btm_launch_item_remove.app.cdhash`	`additional.fields[btm_launch_item_remove_app_cdhash]`
`event.btm_launch_item_remove.app.is_platform_binary`	`additional.fields[additional.fields[btm_launch_item_remove_app_cdhash]]`
`event.btm_launch_item_remove.app.is_es_client`	`additional.fields[additional.fields[btm_launch_item_remove_app_is_es_client]]`
`event.btm_launch_item_remove.app.group_id`	`additional.fields[additional.fields[btm_launch_item_remove_app_group_id]]`
`event.btm_launch_item_remove.app.original_ppid`	`additional.fields[additional.fields[btm_launch_item_remove_app_original_ppid]]`
`event.btm_launch_item_remove.app.session_id`	`additional.fields[additional.fields[btm_launch_item_remove_app_session_id]]`
`event.btm_launch_item_remove.item.app_url`	`target.file.full_path`	If the `event.btm_launch_item_remove.item.item_url` log field value is `not empty` and if the `event.btm_launch_item_remove.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_remove.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_remove.item.item_url` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url}` log field is mapped to the `target.file.full_path` UDM field.
`event.btm_launch_item_remove.item.item_url`	`target.file.full_path`	If the `event.btm_launch_item_remove.item.item_url` log field value is `not empty` and if the `event.btm_launch_item_remove.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_remove.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_remove.item.item_url` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url}` log field is mapped to the `target.file.full_path` UDM field.
`event.btm_launch_item_remove.item.uid`	`target.user.userid`
`event.btm_launch_item_remove.executable_path`	`target.file.full_path`
`event.btm_launch_item_remove.item.item_type`	`target.application`	If the `event.btm_launch_item_remove.item.item_type` log field value is equal to `0` then, the `target.application` UDM field is set to `USER_ITEM`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `1` then, the `target.application` UDM field is set to `APP`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `2` then, the `target.application` UDM field is set to `LOGIN_ITEM`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `3` then, the `target.application` UDM field is set to `AGENT`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `4` then, the `target.application` UDM field is set to `DAEMON`.
`event.btm_launch_item_remove.item.managed`	`additional.fields[btm_launch_item_remove_item_managed]`
`event.btm_launch_item_remove.item.legacy`	`additional.fields[btm_launch_item_remove_item_legacy]`
`event.btm_launch_item_remove.app.parent_audit_token.signing_id`	`target.process.parent_process.file.signature_info.codesign.id`

`event_type: chroot`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `chroot`.
	`metadata.description`	`A piece of software has changed its apparent root directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `FILE_MODIFICATION`.
`event.chroot.target.path`	`target.file.full_path`
`event.chroot.target.stat.st_dev`	`target.file.stat_dev`
`event.chroot.target.stat.st_flags`	`target.file.stat_flags`
`event.chroot.target.stat.st_ino`	`target.file.stat_inode`
`event.chroot.target.stat.st_mode`	`target.file.stat_mode`
`event.chroot.target.stat.st_mtimespec`	`target.file.last_modification_time`
`event.chroot.target.stat.st_atimespec`	`target.file.last_access_time`
`event.chroot.target.stat.st_nlink`	`target.file.stat_nlink`
`event.chroot.target.stat.st_size`	`target.file.size`
`event.chroot.target.sha256`	`target.file.sha256`
`event.chroot.target.sha1`	`target.file.sha1`

`event_type: exec`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `exec`.
	`metadata.description`	`An executable has been loaded into memory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_LAUNCH`.
`process.responsible_audit_token.euid`	`principal.process.euid`
`process.responsible_audit_token.ruid`	`principal.process.ruid`
`process.responsible_audit_token.egid`	`principal.process.egid`
`process.responsible_audit_token.rgid`	`principal.process.rgid`
`process.responsible_audit_token.pgid`	`principal.process.pgid`
`process.responsible_audit_token.pid`	`principal.process.pid`
`process.responsible_audit_token.uuid`	`principal.process.product_specific_process_id`
`process.responsible_audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.exec.target.audit_token.euid`	`target.process.euid`
`event.exec.target.audit_token.ruid`	`target.process.ruid`
`event.exec.target.audit_token.egid`	`target.process.egid`
`event.exec.target.audit_token.rgid`	`target.process.rgid`
`event.exec.target.audit_token.pgid`	`target.process.pgid`
`event.exec.target.audit_token.pid`	`target.process.pid`
`event.exec.target.audit_token.uuid`	`target.process.product_specific_process_id`
`event.exec.target.parent_audit_token.euid`	`target.process.parent_process.euid`
`event.exec.target.parent_audit_token.ruid`	`target.process.parent_process.ruid`
`event.exec.target.parent_audit_token.egid`	`target.process.parent_process.egid`
`event.exec.target.parent_audit_token.rgid`	`target.process.parent_process.rgid`
`event.exec.target.parent_audit_token.pgid`	`target.process.parent_process.pgid`
`event.exec.target.parent_audit_token.pid`	`target.process.parent_process.pid`
`event.exec.target.parent_audit_token.uuid`	`target.process.parent_process.product_specific_process_id`
`event.exec.target.parent_audit_token.signing_id`	`target.process.parent_process.file.signature_info.codesign.id`
`event.exec.target.executable.path`	`target.process.file.full_path`
`event.exec.target.executable.stat.st_dev`	`target.process.file.stat_dev`
`event.exec.target.executable.stat.st_flags`	`target.process.file.stat_flags`
`event.exec.target.executable.stat.st_ino`	`target.process.file.stat_inode`
`event.exec.target.executable.stat.st_mode`	`target.process.file.stat_mode`
`event.exec.target.executable.stat.st_mtimespec`	`target.process.file.last_modification_time`
`event.exec.target.executable.stat.st_atimespec`	`target.process.file.last_access_time`
`event.exec.target.executable.stat.st_nlink`	`target.process.file.stat_nlink`
`event.exec.target.executable.stat.st_size`	`target.process.file.size`
`event.exec.target.executable.sha256`	`target.process.file.sha256`
`event.exec.target.executable.sha1`	`target.process.file.sha1`
`event.exec.target.signing_id`	`additional.fields[exec_target_signing_id]`
`event.exec.target.team_id`	`additional.fields[exec_target_team_id]`
`event.exec.target.ppid`	`additional.fields[exec_target_ppid]`
`event.exec.target.codesigning_flags`	`additional.fields[exec_target_codesigning_flags]`
`event.exec.target.cdhash`	`additional.fields[exec_target_cdhash]`
`event.exec.target.is_platform_binary`	`additional.fields[exec_target_is_platform_binary]`
`event.exec.target.is_es_client`	`additional.fields[exec_target_is_es_client]`
`event.exec.target.group_id`	`additional.fields[exec_target_group_id]`
`event.exec.target.original_ppid`	`additional.fields[exec_target_original_ppid]`
`event.exec.target.session_id`	`additional.fields[exec_target_session_id]`
`event.exec.args`	`target.process.command_line`
`event.exec.cwd.path`	`additional.fields[exec_cwd_path]`
`event.exec.dyld_exec_path`	`additional.fields[exec_dyld_exec_path]`
`event.exec.script.path`	`additional.fields[exec_script_path]`
`event.exec.tty.path`	`additional.fields[exec_tty_path]`
`event.exec.image_cpusubtype`	`additional.fields[exec_image_cpusubtype]`
`event.exec.image_cputype`	`additional.fields[exec_image_cputype]`
`event.exec.target.audit_token.signing_id`	`target.process.file.signature_info.codesign.id`

`event_type: file_collection`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `file_collection`.
	`metadata.description`	`Event occurs when data from a Diagnsostic or Crash Report file is collected from the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.file_collection.path`	`target.file.path`
`event.file_collection.size`	`target.file.size`
`event.file_collection.contents`	`additional.fields[file_collection_contents]`

`event_type: kextload`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `kextload`.
	`metadata.description`	`A kernel extension (kext) was loaded.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.kextload.identifier`	`target.resource.name`

`event_type: kextunload`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `kextunload`.
	`metadata.description`	`A kernel extension (kext) was unloaded.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.kextunload.identifier`	`target.resource.name`

`event_type: log_collection`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `log_collection`.
	`metadata.description`	`Collection of entries from a local log file.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.log_collection.texts`	`target.file.names`
`event.log_collection.path.0`	`target.file.full_path`

`event_type: login_login`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `login_login`.
	`metadata.description`	`A user attempted to log in via /usr/bin/login.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.login_login.uid`	`target.user.userid`
`event.login_login.username`	`target.user.user_display_name`
`event.login_login.success`	`security_result.category`	If the `event.login_login.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.
`event.login_login.failure_message`	`security_result.category_details`	If the `event.login_login.success` log field value is equal to `false` then, `event.login_login.failure_message` log field is mapped to the `security_result.category_details` UDM field.

`event_type: login_logout`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `login_logout`.
	`metadata.description`	`A user logged out via /usr/bin/login.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.login_logout.uid`	`target.user.userid`
`event.login_logout.username`	`target.user.user_display_name`

`event_type: lw_session_login`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_login`.
	`metadata.description`	`A user has logged in via the Login Window.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_login.username`	`target.user.user_display_name`

`event_type: bios_uefi`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `bios_uefi`.
	`metadata.description`	`Information about the current version of bios and uefi on the device.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.bios_uefi.firmware-version`	`additional.fields[bios_uefi_firmware_version]`
`event.bios_uefi.system-firmware-version`	`additional.fields[bios_uefi_system_firmware_version]`
`event.bios_uefi.architecture`	`additional.fields[bios_uefi_architecture]`
`event.bios_uefi.bios.firmware-version`	`additional.fields[bios_uefi_bios_firmware_version]`
`event.bios_uefi.bios.vendor`	`additional.fields[bios_uefi_bios_vendor]`
`event.bios_uefi.bios.firmware-features`	`additional.fields[bios_uefi_bios_firmware_features]`
`event.bios_uefi.bios.rom-size`	`additional.fields[bios_uefi_bios_rom_size]`
`event.bios_uefi.bios.booter-version`	`additional.fields[bios_uefi_bios_booter_version]`

`event_type: cs_invalidated`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `cs_invalidated`.
	`metadata.description`	`A process has had its code signature marked as invalid.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.

`event_type: gatekeeper_user_override`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `gatekeeper_user_override`.
	`metadata.description`	`A user overrides Gatekeeper.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.gatekeeper_user_override.file.path`	`target.file.full_path`
`event.gatekeeper_user_override.file.stat.st_dev`	`target.file.stat_dev`
`event.gatekeeper_user_override.file.stat.st_flags`	`target.file.stat_flags`
`event.gatekeeper_user_override.file.stat.st_ino`	`target.file.stat_inode`
`event.gatekeeper_user_override.file.stat.st_mode`	`target.file.stat_mode`
`event.gatekeeper_user_override.file.stat.st_mtimespec`	`target.file.last_modification_time`
`event.gatekeeper_user_override.file.stat.st_atimespec`	`target.file.last_access_time`
`event.gatekeeper_user_override.file.stat.st_nlink`	`target.file.stat_nlink`
`event.gatekeeper_user_override.file.stat.st_size`	`target.file.size`
`event.gatekeeper_user_override.file.sha256`	`target.file.sha256`
`event.gatekeeper_user_override.file.sha1`	`target.file.sha1`
`event.gatekeeper_user_override.signing_info.signing_id`	`additional.fields[exec_gatekeeper_user_override_signing_info_signing_id]`
`event.gatekeeper_user_override.signing_info.team_id`	`additional.fields[gatekeeper_user_override_signing_info_team_id]`
`event.gatekeeper_user_override.signing_info.cdhash`	`additional.fields[gatekeeper_user_override_signing_info_cdhash]`
`event.gatekeeper_user_override.file_type`	`additional.fields[gatekeeper_user_override_file_type]`
`event.gatekeeper_user_override.sha256`	`additional.fields[gatekeeper_user_override_sha256]`

`event_type: lw_session_unlock`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_unlock`.
	`metadata.description`	`A user has unlocked the screen from the Login Window.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_unlock.username`	`target.user.user_display_name`

`event_type: lw_session_lock`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_lock`.
	`metadata.description`	`A user has locked the screen.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_lock.username`	`target.user.user_display_name`

`event_type: lw_session_logout`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_logout`.
	`metadata.description`	`A user has logged out of an active graphical session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_logout.username`	`target.user.user_display_name`

`event_type: mount`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `mount`.
	`metadata.description`	`A file system has been mounted.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.mount.statfs.f_owner`	`principal.user.userid`
`event.mount.device.size`	`target.file.size`
`event.mount.statfs.f_fstypename`	`target.resource.resource_subtype`
`event.mount.statfs.f_mntfromname`	`src.resource.name`
`event.mount.statfs.f_mntonname`	`target.resource.name`
`event.mount.device.protocol`	`additional.fields[mount_device_protocol]`
`event.mount.disposition`	`additional.fields[mount_disposition]`
`event.mount.device.serial_number`	`target.asset.hardware.serial_number`	If the `event.mount.device.serial_number` log field value is `not empty` or the `event.mount.device.vendor_name` log field value is `not empty` or the `event.mount.device.device_model` log field value is `not empty` then, `event.mount.device.serial_number` log field is mapped to the `target.asset.hardware.serial_number` UDM field.
`event.mount.device.vendor_name`	`target.asset.hardware.manufacturer`	If the `event.mount.device.serial_number` log field value is `not empty` or the `event.mount.device.vendor_name` log field value is `not empty` or the `event.mount.device.device_model` log field value is `not empty` then, `event.mount.device.vendor_name` log field is mapped to the `target.asset.hardware.manufacturer` UDM field.
`event.mount.device.device_model`	`target.asset.hardware.model`	If the `event.mount.device.serial_number` log field value is `not empty` or the `event.mount.device.vendor_name` log field value is `not empty` or the `event.mount.device.device_model` log field value is `not empty` then, `event.mount.device.device_model` log field is mapped to the `target.asset.hardware.model` UDM field.

`event_type: od_attribute_set`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_attribute_set`.
	`metadata.description`	`Attribute set on user or group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_RESOURCE_UPDATE_CONTENT`.
`event.od_attribute_set.instigator.audit_token.euid`	`principal.process.euid`
`event.od_attribute_set.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_attribute_set.instigator.audit_token.egid`	`principal.process.egid`
`event.od_attribute_set.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_attribute_set.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_attribute_set.instigator.audit_token.pid`	`principal.process.pid`
`event.od_attribute_set.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_attribute_set.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_attribute_set.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_attribute_set.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_attribute_set.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_attribute_set.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_attribute_set.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_attribute_set.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_attribute_set.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_attribute_set.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_attribute_set.instigator.executable.path`	`principal.process.file.full_path`
`event.od_attribute_set.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_attribute_set.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_attribute_set.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_attribute_set.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_attribute_set.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_attribute_set.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_set.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_set.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_attribute_set.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_attribute_set.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_attribute_set.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_attribute_set.instigator.signing_id`	`additional.fields[od_attribute_set_instigator_signing_id]`
`event.od_attribute_set.instigator.team_id`	`additional.fields[od_attribute_set_instigator_team_id]`
`event.od_attribute_set.instigator.ppid`	`additional.fields[od_attribute_set_instigator_codesigning_flags]`
`event.od_attribute_set.instigator.codesigning_flags`	`additional.fields[od_attribute_set_instigator_ppid]`
`event.od_attribute_set.instigator.cdhash`	`additional.fields[od_attribute_set_instigator_cdhash]`
`event.od_attribute_set.instigator.is_platform_binary`	`additional.fields[od_attribute_set_instigator_is_platform_binary]`
`event.od_attribute_set.instigator.is_es_client`	`additional.fields[od_attribute_set_instigator_is_es_client]`
`event.od_attribute_set.instigator.group_id`	`additional.fields[od_attribute_set_instigator_group_id]`
`event.od_attribute_set.instigator.original_ppid`	`additional.fields[od_attribute_set_instigator_original_ppid]`
`event.od_attribute_set.instigator.session_id`	`additional.fields[od_attribute_set_instigator_session_id]`
`event.od_attribute_set.attribute_name`	`target.resource.resource_subtype`
`event.od_attribute_value_add.attribute_value`	`target.resource.name`
`event.od_attribute_set.record_name`	`target.user.user_display_name`
`event.od_attribute_set.instigator_token.euid`	`principal.user.userid`
`event.od_attribute_set.db_path`	`additional.fields[event_od_attribute_set_db_path]`
`event.od_attribute_set.node_name`	`additional.fields[event_od_attribute_set_node_name]`
`event.od_attribute_set.record_type`	`additional.fields[event_od_attribute_set_record_type]`
`event.od_attribute_set.error_code`	`additional.fields[event_od_attribute_set_error_code]`

`event_type: od_attribute_value_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_attribute_value_add`.
	`metadata.description`	`Attribute set on user or group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.od_attribute_value_add.instigator.audit_token.euid`	`principal.process.euid`
`event.od_attribute_value_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_attribute_value_add.instigator.audit_token.egid`	`principal.process.egid`
`event.od_attribute_value_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_attribute_value_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_attribute_value_add.instigator.audit_token.pid`	`principal.process.pid`
`event.od_attribute_value_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_attribute_value_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_attribute_value_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_attribute_value_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_attribute_value_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_attribute_value_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_attribute_value_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_attribute_set.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_attribute_value_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_attribute_value_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_attribute_value_add.instigator.executable.path`	`principal.process.file.full_path`
`event.od_attribute_value_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_attribute_value_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_attribute_value_add.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_attribute_value_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_attribute_value_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_attribute_value_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_value_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_attribute_value_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_attribute_value_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_attribute_value_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_attribute_value_add.instigator.signing_id`	`additional.fields[od_attribute_value_add_instigator_signing_id]`
`event.od_attribute_value_add.instigator.team_id`	`additional.fields[od_attribute_value_add_instigator_team_id]`
`event.od_attribute_value_add.instigator.ppid`	`additional.fields[od_attribute_value_add_instigator_ppid]`
`event.od_attribute_value_add.instigator.codesigning_flags`	`additional.fields[od_attribute_set_instigator_codesigning_flags]`
`event.od_attribute_value_add.instigator.cdhash`	`additional.fields[od_attribute_value_add_instigator_codesigning_flags]`
`event.od_attribute_value_add.instigator.is_platform_binary`	`additional.fields[od_attribute_set_instigator_is_platform_binary]`
`event.od_attribute_value_add.instigator.is_es_client`	`additional.fields[od_attribute_value_add_instigator_is_es_client]`
`event.od_attribute_value_add.instigator.group_id`	`additional.fields[od_attribute_value_add_instigator_group_id]`
`event.od_attribute_value_add.instigator.original_ppid`	`additional.fields[od_attribute_value_add_instigator_original_pp]`
`event.od_attribute_value_add.instigator.session_id`	`additional.fields[od_attribute_value_add_instigator_session_id]`
`event.od_attribute_value_add.attribute_name`	`target.resource.resource_subtype`
`event.od_attribute_value_add.attribute_value`	`target.resource.name`
`event.od_attribute_value_add.record_name`	`target.user.user_display_name`
`event.od_attribute_value_add.db_path`	`additional.fields[od_attribute_value_add_db_path]`
`event.od_attribute_value_add.node_name`	`additional.fields[od_attribute_value_add_node_name]`
`event.od_attribute_value_add.record_type`	`additional.fields[od_attribute_value_add_record_type]`
`event.od_attribute_value_add.error_code`	`additional.fields[od_attribute_value_add_error_code]`

`event_type: od_attribute_value_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_attribute_value_remove`.
	`metadata.description`	`Attribute removed from a user or group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_RESOURCE_DELETION`.
`event.od_attribute_value_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.od_attribute_value_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_attribute_value_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.od_attribute_value_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_attribute_value_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_attribute_value_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.od_attribute_value_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_attribute_value_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_attribute_value_remove.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_attribute_value_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_attribute_value_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_attribute_value_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_attribute_value_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_attribute_value_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_attribute_value_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_attribute_value_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_attribute_value_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.od_attribute_value_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_attribute_value_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_attribute_value_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_attribute_value_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_attribute_value_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_attribute_value_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_value_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_attribute_value_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_attribute_value_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_attribute_value_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_attribute_value_remove.instigator.codesigning_flags`	`additional.fields[od_attribute_value_remove_instigator_codesigning_flags]`
`event.od_attribute_value_remove.instigator.cdhash`	`additional.fields[od_attribute_value_remove_instigator_codesigning_flags]`
`event.od_attribute_value_remove.instigator.is_platform_binary`	`additional.fields[od_attribute_value_remove_instigator_is_platform_binary]`
`event.od_attribute_value_remove.instigator.is_es_client`	`additional.fields[od_attribute_value_remove_instigator_is_es_client]`
`event.od_attribute_value_remove.instigator.group_id`	`additional.fields[od_attribute_value_remove_instigator_group_id]`
`event.od_attribute_value_remove.instigator.original_ppid`	`additional.fields[od_attribute_value_remove_instigator_original_pp]`
`event.od_attribute_value_remove.instigator.session_id`	`additional.fields[od_attribute_value_remove_instigator_session_id]`
`event.od_attribute_value_remove.attribute_name`	`target.resource.resource_subtype`
`event.od_attribute_value_remove.attribute_value`	`target.resource.name`
`event.od_attribute_value_remove.record_name`	`target.user.user_display_name`
`event.od_attribute_value_remove.db_path`	`additional.fields[od_attribute_value_remove_db_path]`
`event.od_attribute_value_remove.node_name`	`additional.fields[od_attribute_value_remove_node_name]`
`event.od_attribute_value_remove.record_type`	`additional.fields[od_attribute_value_remove_record_type]`
`event.od_attribute_value_remove.error_code`	`additional.fields[od_attribute_value_remove_error_code]`

`event_type: od_create_group`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_create_group`.
	`metadata.description`	`A group has been created using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_CREATION`.
`event.od_create_group.instigator.audit_token.euid`	`principal.process.euid`
`event.od_create_group.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_create_group.instigator.audit_token.egid`	`principal.process.egid`
`event.od_create_group.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_create_group.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_create_group.instigator.audit_token.pid`	`principal.process.pid`
`event.od_create_group.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_create_group.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_create_group.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_create_group.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_create_group.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_create_group.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_create_group.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_create_group.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_create_group.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_create_group.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_create_group.instigator.executable.path`	`principal.process.file.full_path`
`event.od_create_group.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_create_group.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_create_group.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_create_group.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_create_group.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_create_group.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_create_group.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_create_group.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_create_group.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_create_group.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_create_group.instigator.signing_id`	`additional.fields[od_create_group_instigator_signing_id]`
`event.od_create_group.instigator.team_id`	`additional.fields[od_create_group_instigator_team_id]`
`event.od_create_group.instigator.ppid`	`additional.fields[od_create_group_instigator_ppid]`
`event.od_create_group.instigator.codesigning_flags`	`additional.fields[od_create_group_instigator_codesigning_flags]`
`event.od_create_group.instigator.cdhash`	`additional.fields[od_create_group_instigator_cdhash]`
`event.od_create_group.instigator.is_platform_binary`	`additional.fields[od_create_group_instigator_is_platform_binary]`
`event.od_create_group.instigator.is_es_client`	`additional.fields[od_create_group_instigator_is_es_client]`
`event.od_create_group.instigator.group_id`	`additional.fields[od_create_group_instigator_group_id]`
`event.od_create_group.instigator.original_ppid`	`additional.fields[od_create_group_instigator_original_pp]`
`event.od_create_group.instigator.session_id`	`additional.fields[od_create_group_instigator_session_id]`
`event.od_create_group.group_name`	`target.group.group_display_name`
`event.od_create_group.instigator_token.euid`	`principal.user.userid`
`od_create_group.db_path`	`additional.fields[od_create_group_db_path]`
`event.od_create_group.node_name`	`additional.fields[od_create_group_node_name]`
`event.od_create_group.error_code`	`additional.fields[od_create_group_error_code]`

`event_type: od_delete_group`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_delete_group`.
	`metadata.description`	`A group has been deleted using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_DELETION`.
`event.od_delete_group.instigator.audit_token.euid`	`principal.process.euid`
`event.od_delete_group.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_delete_group.instigator.audit_token.egid`	`principal.process.egid`
`event.od_delete_group.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_delete_group.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_delete_group.instigator.audit_token.pid`	`principal.process.pid`
`event.od_delete_group.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_delete_group.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_delete_group.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_delete_group.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_delete_group.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_delete_group.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_delete_group.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_delete_group.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_delete_group.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_delete_group.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_delete_group.instigator.executable.path`	`principal.process.file.full_path`
`event.od_delete_group.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_delete_group.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_delete_group.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_delete_group.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_delete_group.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_delete_group.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_delete_group.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_delete_group.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_delete_group.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_delete_group.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_delete_group.instigator.signing_id`	`additional.fields[od_delete_group_instigator_signing_id]`
`event.od_delete_group.instigator.team_id`	`additional.fields[od_delete_group_instigator_team_id]`
`event.od_delete_group.instigator.ppid`	`additional.fields[od_delete_group_instigator_ppid]`
`event.od_delete_group.instigator.codesigning_flags`	`additional.fields[od_delete_group_instigator_codesigning_flags]`
`event.od_delete_group.instigator.cdhash`	`additional.fields[od_delete_group_instigator_cdhash]`
`event.od_delete_group.instigator.is_platform_binary`	`additional.fields[od_delete_group_instigator_is_platform_binary]`
`event.od_delete_group.instigator.is_es_client`	`additional.fields[od_delete_group_instigator_is_es_client]`
`event.od_delete_group.instigator.group_id`	`additional.fields[od_delete_group_instigator_group_id]`
`event.od_delete_group.instigator.original_ppid`	`additional.fields[od_delete_group_instigator_original_pp]`
`event.od_delete_group.instigator.session_id`	`additional.fields[od_delete_group_instigator_session_id]`
`event.od_delete_group.group_name`	`target.group.group_display_name`
`event.od_delete_group.instigator_token.euid`	`principal.user.userid`
`od_delete_group.db_path`	`additional.fields[od_delete_group_db_path]`
`event.od_delete_group.node_name`	`additional.fields[od_delete_group_node_name]`
`event.od_delete_group.error_code`	`additional.fields[od_delete_group_error_code]`

`event_type: od_create_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_create_user`.
	`metadata.description`	`A user has been created using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_CREATION`.
`event.od_create_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_create_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_create_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_create_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_create_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_create_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_create_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_create_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_create_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_create_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_create_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_create_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_create_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_create_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_create_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_create_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_create_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_create_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_create_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_create_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_create_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_create_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_create_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_create_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_create_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_create_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_create_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_create_user.instigator.signing_id`	`additional.fields[od_create_user_instigator_signing_id]`
`event.od_create_user.instigator.team_id`	`additional.fields[od_create_user_instigator_team_id]`
`event.od_create_user.instigator.ppid`	`additional.fields[od_create_user_instigator_ppid]`
`event.od_create_user.instigator.codesigning_flags`	`additional.fields[od_create_user_instigator_codesigning_flags]`
`event.od_create_user.instigator.cdhash`	`additional.fields[od_create_user_instigator_cdhash]`
`event.od_create_user.instigator.is_platform_binary`	`additional.fields[od_create_user_instigator_is_platform_binary]`
`event.od_create_user.instigator.is_es_client`	`additional.fields[od_create_user_instigator_is_es_client]`
`event.od_create_user.instigator.group_id`	`additional.fields[od_create_user_instigator_group_id]`
`event.od_create_user.instigator.original_ppid`	`additional.fields[od_create_user_instigator_original_pp]`
`event.od_create_user.instigator.session_id`	`additional.fields[od_create_user_instigator_session_id]`
`event.od_create_user.user_name`	`target.user.userid`
`event.od_create_user.instigator_token.euid`	`principal.user.userid`
`event.od_create_user.db_path`	`additional.fields[od_create_user_db_path]`
`event.od_create_user.node_name`	`additional.fields[od_create_user_node_name]`
`event.od_create_user.error_code`	`additional.fields[od_create_user_error_code]`

`event_type: od_delete_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_delete_user`.
	`metadata.description`	`A user has been deleted using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_DELETION`.
`event.od_delete_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_delete_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_delete_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_delete_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_delete_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_delete_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_delete_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_delete_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_delete_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_delete_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_delete_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_delete_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_delete_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_delete_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_delete_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_delete_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_delete_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_delete_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_delete_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_delete_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_delete_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_delete_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_delete_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_delete_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_delete_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_delete_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_delete_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_delete_user.instigator.signing_id`	`additional.fields[od_delete_user_instigator_signing_id]`
`event.od_delete_user.instigator.team_id`	`additional.fields[od_delete_user_instigator_team_id]`
`event.od_delete_user.instigator.ppid`	`additional.fields[od_delete_user_instigator_ppid]`
`event.od_delete_user.instigator.codesigning_flags`	`additional.fields[od_delete_user_instigator_codesigning_flags]`
`event.od_delete_user.instigator.cdhash`	`additional.fields[od_delete_user_instigator_cdhash]`
`event.od_delete_user.instigator.is_platform_binary`	`additional.fields[od_delete_user_instigator_is_platform_binary]`
`event.od_delete_user.instigator.is_es_client`	`additional.fields[od_delete_user_instigator_is_es_client]`
`event.od_delete_user.instigator.group_id`	`additional.fields[od_delete_user_instigator_group_id]`
`event.od_delete_user.instigator.original_ppid`	`additional.fields[od_delete_user_instigator_original_pp]`
`event.od_delete_user.instigator.session_id`	`additional.fields[od_delete_user_instigator_session_id]`
`event.od_delete_user.user_name`	`target.user.userid`
`event.od_delete_user.instigator_token.euid`	`principal.user.userid`
`event.od_delete_user.db_path`	`additional.fields[od_delete_user_db_path]`
`event.od_delete_user.node_name`	`additional.fields[od_delete_user_node_name]`
`event.od_delete_user.error_code`	`additional.fields[od_delete_user_error_code]`
`event.od_disable_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`

`event_type: od_disable_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_disable_user`.
	`metadata.description`	`A user has been disabled using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_UNCATEGORIZED`.
`event.od_disable_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_disable_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_disable_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_disable_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_disable_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_disable_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_disable_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_disable_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_disable_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_disable_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_disable_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_disable_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_disable_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_disable_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_disable_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_disable_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_disable_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_disable_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_disable_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_disable_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_disable_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_disable_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_disable_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_disable_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_disable_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_disable_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_disable_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_disable_user.instigator.codesigning_flags`	`additional.fields[od_disable_user_instigator_codesigning_flags]`
`event.od_disable_user.instigator.cdhash`	`additional.fields[od_disable_user_instigator_codesigning_flags]`
`event.od_disable_user.instigator.is_platform_binary`	`additional.fields[od_disable_user_instigator_is_platform_binary]`
`event.od_disable_user.instigator.is_es_client`	`additional.fields[od_disable_user_instigator_is_es_client]`
`event.od_disable_user.instigator.group_id`	`additional.fields[od_disable_user_instigator_group_id]`
`event.od_disable_user.instigator.original_ppid`	`additional.fields[od_disable_user_instigator_original_pp]`
`event.od_disable_user.instigator.session_id`	`additional.fields[od_disable_user_instigator_session_id]`
`event.od_disable_user.user_name`	`target.user.user_display_name`
`event.od_disable_user.instigator_token.euid`	`principal.user.userid`
`event.od_disable_user.db_path`	`additional.fields[od_disable_user_db_path]`
`event.od_disable_user.node_name`	`additional.fields[od_disable_user_node_name]`
`event.od_disable_user.error_code`	`additional.fields[od_disable_user_error_code]`

`event_type: od_enable_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_enable_user`.
	`metadata.description`	`A user has been enabled using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_UNCATEGORIZED`.
`event.od_enable_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_enable_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_enable_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_enable_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_enable_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_enable_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_enable_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_enable_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_enable_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_enable_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_enable_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_enable_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_enable_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_enable_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_enable_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_enable_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_enable_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_enable_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_enable_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_enable_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_enable_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_enable_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_enable_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_enable_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_enable_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_enable_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_enable_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_enable_user.instigator.signing_id`	`additional.fields[od_enable_user_instigator_signing_id]`
`event.od_enable_user.instigator.team_id`	`additional.fields[od_enable_user_instigator_team_id]`
`event.od_enable_user.instigator.ppid`	`additional.fields[od_enable_user_instigator_ppid]`
`event.od_enable_user.instigator.codesigning_flags`	`additional.fields[od_enable_user_instigator_codesigning_flags]`
`event.od_enable_user.instigator.cdhash`	`additional.fields[od_enable_user_instigator_cdhash]`
`event.od_enable_user.instigator.is_platform_binary`	`additional.fields[od_enable_user_instigator_is_platform_binary]`
`event.od_enable_user.instigator.is_es_client`	`additional.fields[od_enable_user_instigator_is_es_client]`
`event.od_enable_user.instigator.group_id`	`additional.fields[od_enable_user_instigator_group_id]`
`event.od_enable_user.instigator.original_ppid`	`additional.fields[od_enable_user_instigator_original_pp]`
`event.od_enable_user.instigator.session_id`	`additional.fields[od_enable_user_instigator_session_id]`
`event.od_enable_user.user_name`	`target.user.user_display_name`
`event.od_enable_user.instigator_token.euid`	`principal.user.userid`
`event.od_enable_user.db_path`	`additional.fields[od_enable_user_db_path]`
`event.od_enable_user.node_name`	`additional.fields[od_enable_user_node_name]`
`event.od_enable_user.error_code`	`additional.fields[od_enable_user_error_code]`

`event_type: od_group_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_group_add`.
	`metadata.description`	`A member has been added to a group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_MODIFICATION`.
`event.od_group_add.instigator.audit_token.euid`	`principal.process.euid`
`event.od_group_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_group_add.instigator.audit_token.egid`	`principal.process.egid`
`event.od_group_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_group_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_group_add.instigator.audit_token.pid`	`principal.process.pid`
`event.od_group_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_group_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_group_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_group_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_group_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_group_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_group_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_group_add.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_group_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_group_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_group_add.instigator.executable.path`	`principal.process.file.full_path`
`event.od_group_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_group_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_group_add.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_group_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_group_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_group_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_group_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_group_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_group_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_group_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_group_add.instigator.signing_id`	`additional.fields[od_group_add_instigator_signing_id]`
`event.od_group_add.instigator.team_id`	`additional.fields[od_group_add_instigator_team_id]`
`event.od_group_add.instigator.ppid`	`additional.fields[od_group_add_instigator_ppid]`
`event.od_group_add.instigator.codesigning_flags`	`additional.fields[od_group_add_instigator_codesigning_flags]`
`event.od_group_add.instigator.cdhash`	`additional.fields[od_group_add_instigator_cdhash]`
`event.od_group_add.instigator.is_platform_binary`	`additional.fields[od_group_add_instigator_is_platform_binary]`
`event.od_group_add.instigator.is_es_client`	`additional.fields[od_group_add_instigator_is_es_client]`
`event.od_group_add.instigator.group_id`	`additional.fields[od_group_add_instigator_group_id]`
`event.od_group_add.instigator.original_ppid`	`additional.fields[od_group_add_instigator_original_pp]`
`event.od_group_add.instigator.session_id`	`additional.fields[od_group_add_instigator_session_id]`
`event.od_group_add.group_name`	`target.group.group_display_name`
`event.od_group_add.member.member_value`	`target.user.user_display_name`
`event.od_group_add.instigator_token.euid`	`principal.user.userid`
`event.od_group_add.db_path`	`additional.fields[od_group_add_db_path]`
`event.od_group_add.node_name`	`additional.fields[od_group_add_node_name]`
`event.od_group_add.error_code`	`additional.fields[od_group_add_error_code]`

`event_type: od_group_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_group_remove`.
	`metadata.description`	`A member has been removed from a group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_MODIFICATION`.
`event.od_group_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.od_group_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_group_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.od_group_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_group_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_group_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.od_group_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_group_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_group_remove.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_group_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_group_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_group_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_group_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_group_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_group_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_group_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_group_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.od_group_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_group_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_group_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_group_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_group_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_group_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_group_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_group_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_group_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_group_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_group_remove.instigator.signing_id`	`additional.fields[od_group_remove_instigator_signing_id]`
`event.od_group_remove.instigator.team_id`	`additional.fields[od_group_remove_instigator_team_id]`
`event.od_group_remove.instigator.ppid`	`additional.fields[od_group_remove_instigator_ppid]`
`event.od_group_remove.instigator.codesigning_flags`	`additional.fields[od_group_remove_instigator_codesigning_flags]`
`event.od_group_remove.instigator.cdhash`	`additional.fields[od_group_remove_instigator_cdhash]`
`event.od_group_remove.instigator.is_platform_binary`	`additional.fields[od_group_remove_instigator_is_platform_binary]`
`event.od_group_remove.instigator.is_es_client`	`additional.fields[od_group_remove_instigator_is_es_client]`
`event.od_group_remove.instigator.group_id`	`additional.fields[od_group_remove_instigator_group_id]`
`event.od_group_remove.instigator.original_ppid`	`additional.fields[od_group_remove_instigator_original_pp]`
`event.od_group_remove.instigator.session_id`	`additional.fields[od_group_remove_instigator_session_id]`
`event.od_group_remove.group_name`	`target.group.group_display_name`
`event.od_group_remove.member.member_value`	`target.user.user_display_name`
`event.od_group_remove.instigator_token.euid`	`principal.user.userid`
`event.od_group_remove.db_path`	`additional.fields[od_group_remove_db_path]`
`event.od_group_remove.node_name`	`additional.fields[od_group_remove_node_name]`
`event.od_group_remove.error_code`	`additional.fields[od_group_remove_error_code]`

`event_type: od_group_set`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_group_set`.
	`metadata.description`	`A group has a member initialized or replaced using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_MODIFICATION`.
`event.od_group_set.instigator.audit_token.euid`	`principal.process.euid`
`event.od_group_set.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_group_set.instigator.audit_token.egid`	`principal.process.egid`
`event.od_group_set.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_group_set.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_group_set.instigator.audit_token.pid`	`principal.process.pid`
`event.od_group_set.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_group_set.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_group_set.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_group_set.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_group_set.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_group_set.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_group_set.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_group_set.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_group_set.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_group_set.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_group_set.instigator.executable.path`	`principal.process.file.full_path`
`event.od_group_set.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_group_set.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_group_set.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_group_set.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_group_set.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_group_set.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_group_set.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_group_set.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_group_set.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_group_set.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_group_set.instigator.signing_id`	`additional.fields[od_group_set_instigator_signing_id]`
`event.od_group_set.instigator.team_id`	`additional.fields[od_group_set_instigator_team_id]`
`event.od_group_set.instigator.ppid`	`additional.fields[od_group_set_instigator_ppid]`
`event.od_group_set.instigator.codesigning_flags`	`additional.fields[od_group_set_instigator_codesigning_flags]`
`event.od_group_set.instigator.cdhash`	`additional.fields[od_group_set_instigator_cdhash]`
`event.od_group_set.instigator.is_platform_binary`	`additional.fields[od_group_set_instigator_is_platform_binary]`
`event.od_group_set.instigator.is_es_client`	`additional.fields[od_group_set_instigator_is_es_client]`
`event.od_group_set.instigator.group_id`	`additional.fields[od_group_set_instigator_group_id]`
`event.od_group_set.instigator.original_ppid`	`additional.fields[od_group_set_instigator_original_pp]`
`event.od_group_set.instigator.session_id`	`additional.fields[od_group_set_instigator_session_id]`
`event.od_group_set.group_name`	`target.group.group_display_name`
`event.od_group_set.member.member_array`	`target.user.user_display_name`
`event.od_group_set.instigator_token.euid`	`principal.user.userid`
`event.od_group_set.db_path`	`additional.fields[od_group_set_db_path]`
`event.od_group_set.node_name`	`additional.fields[od_group_set_node_name]`
`event.od_group_set.error_code`	`additional.fields[od_group_set_error_code]`

`event_type: od_modify_password`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_modify_password`.
	`metadata.description`	`A group has a member initialized or replaced using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_CHANGE_PASSWORD`.
`event.od_modify_password.instigator.audit_token.euid`	`principal.process.euid`
`event.od_modify_password.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_modify_password.instigator.audit_token.egid`	`principal.process.egid`
`event.od_modify_password.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_modify_password.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_modify_password.instigator.audit_token.pid`	`principal.process.pid`
`event.od_modify_password.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_modify_password.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_modify_password.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_modify_password.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_modify_password.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_modify_password.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_modify_password.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_modify_password.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_modify_password.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_modify_password.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_modify_password.instigator.executable.path`	`principal.process.file.full_path`
`event.od_modify_password.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_modify_password.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_modify_password.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_modify_password.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_modify_password.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_modify_password.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_modify_password.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_modify_password.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_modify_password.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_modify_password.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_modify_password.instigator.signing_id`	`additional.fields[od_modify_password_instigator_signing_id]`
`event.od_modify_password.instigator.team_id`	`additional.fields[od_modify_password_instigator_team_id]`
`event.od_modify_password.instigator.ppid`	`additional.fields[od_modify_password_instigator_ppid]`
`event.od_modify_password.instigator.codesigning_flags`	`additional.fields[od_modify_password_instigator_codesigning_flags]`
`event.od_modify_password.instigator.cdhash`	`additional.fields[od_modify_password_instigator_cdhash]`
`event.od_modify_password.instigator.is_platform_binary`	`additional.fields[od_modify_password_instigator_is_platform_binary]`
`event.od_modify_password.instigator.is_es_client`	`additional.fields[od_modify_password_instigator_is_es_client]`
`event.od_modify_password.instigator.group_id`	`additional.fields[od_modify_password_instigator_group_id]`
`event.od_modify_password.instigator.original_ppid`	`additional.fields[od_modify_password_instigator_original_pp]`
`event.od_modify_password.instigator.session_id`	`additional.fields[od_modify_password_instigator_session_id]`
`event.od_modify_password.account_name`	`target.user.user_display_name`
`event.od_modify_password.instigator_token.euid`	`principal.user.userid`
`event.od_modify_password.db_path`	`additional.fields[od_modify_password_db_path]`
`event.od_modify_password.node_name`	`additional.fields[od_modify_password_node_name]`
`event.od_modify_password.error_code`	`additional.fields[od_modify_password_error_code]`

`event_type: openssh_login`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_login`.
	`metadata.description`	`A user has logged into the system via OpenSSH.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SSH`.
`event.openssh_login.source_address`	`src.ip`
`event.openssh_login.uid`	`target.user.userid`
`openssh_login.username`	`target.user.user_display_name`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`.
`event.openssh_login.success`	`security_result.category`	If the `event.openssh_login.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: openssh_logout`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_logout`.
	`metadata.description`	`A user has logged out of an OpenSSH session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SSH`.
`event.openssh_logout.source_address`	`src.ip`
`event.openssh_logout.uid`	`target.user.userid`
`openssh_logout.username`	`target.user.user_display_name`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`.

`event_type: profile_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_logout`.
	`metadata.description`	`A configuration profile is installed on the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SETTING_CREATION`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `SETTING`.
`event.profile_add.instigator.audit_token.euid`	`principal.process.euid`
`event.profile_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.profile_add.instigator.audit_token.egid`	`principal.process.egid`
`event.profile_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.profile_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.profile_add.instigator.audit_token.pid`	`principal.process.pid`
`event.profile_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.profile_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.profile_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.profile_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.profile_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.profile_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.profile_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.profile_add.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.profile_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.profile_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.profile_add.instigator.executable.path`	`principal.process.file.full_path`
`event.profile_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.profile_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.profile_add.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.profile_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.profile_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.profile_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.profile_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.profile_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.profile_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.profile_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.profile_add.instigator.signing_id`	`additional.fields[profile_add_instigator_signing_id]`
`event.profile_add.instigator.team_id`	`additional.fields[profile_add_instigator_team_id]`
`event.profile_add.instigator.ppid`	`additional.fields[profile_add_instigator_ppid]`
`event.profile_add.instigator.codesigning_flags`	`additional.fields[profile_add_instigator_codesigning_flags]`
`event.profile_add.instigator.cdhash`	`additional.fields[profile_add_instigator_cdhash]`
`event.profile_add.instigator.is_platform_binary`	`additional.fields[profile_add_instigator_is_platform_binary]`
`event.profile_add.instigator.is_es_client`	`additional.fields[profile_add_instigator_is_es_client]`
`event.profile_add.instigator.group_id`	`additional.fields[profile_add_instigator_group_id]`
`event.profile_add.instigator.original_ppid`	`additional.fields[profile_add_instigator_original_pp]`
`event.profile_add.instigator.session_id`	`additional.fields[profile_add_instigator_session_id]`
`event.profile_add.profile.scope`	`target.resource.resource_subtype`
`event.profile_add.profile.uuid`	`target.resource.product_object_id`
`event.profile_add.profile.display_name`	`target.resource.name`
`event.profile_add.is_update`	`additional.fields[profile_add_is_update]`
`event.profile_add.profile.identifier`	`additional.fields[profile_add_profile_identifier]`
`event.profile_add.profile.install_source`	`additional.fields[profile_add_profile_install_source]`
`event.profile_add.profile.organization`	`additional.fields[profile_add_profile_organization]`

`event_type: profile_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_logout`.
	`metadata.description`	`A configuration profile is removed from the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SETTING_DELETION`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `SETTING`.
`event.profile_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.profile_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.profile_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.profile_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.profile_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.profile_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.profile_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.profile_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.profile_remove.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.profile_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.profile_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.profile_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.profile_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.profile_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.profile_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.profile_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.profile_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.profile_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.profile_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.profile_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.profile_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.profile_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.profile_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.profile_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.profile_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.profile_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.profile_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.profile_remove.instigator.signing_id`	`additional.fields[profile_remove_instigator_signing_id]`
`event.profile_remove.instigator.team_id`	`additional.fields[profile_remove_instigator_team_id]`
`event.profile_remove.instigator.ppid`	`additional.fields[profile_remove_instigator_ppid]`
`event.profile_remove.instigator.codesigning_flags`	`additional.fields[profile_remove_instigator_codesigning_flags]`
`event.profile_remove.instigator.cdhash`	`additional.fields[profile_remove_instigator_cdhash]`
`event.profile_remove.instigator.is_platform_binary`	`additional.fields[profile_remove_instigator_is_platform_binary]`
`event.profile_remove.instigator.is_es_client`	`additional.fields[profile_remove_instigator_is_es_client]`
`event.profile_remove.instigator.group_id`	`additional.fields[profile_remove_instigator_group_id]`
`event.profile_remove.instigator.original_ppid`	`additional.fields[profile_remove_instigator_original_pp]`
`event.profile_remove.instigator.session_id`	`additional.fields[profile_remove_instigator_session_id]`
`event.profile_remove.profile.scope`	`target.resource.resource_subtype`
`event.profile_remove.profile.uuid`	`target.resource.product_object_id`
`event.profile_remove.profile.display_name`	`target.resource.name`
`event.profile_remove.is_update`	`additional.fields[profile_remove_is_update]`
`event.profile_remove.profile.identifier`	`additional.fields[profile_remove_profile_identifier]`
`event.profile_remove.profile.install_source`	`additional.fields[profile_remove_profile_install_source]`
`event.profile_remove.profile.organization`	`additional.fields[profile_remove_profile_organization]`

`event_type: sudo`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `sudo`.
	`metadata.description`	`A sudo attempt occurred.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.sudo.reject_info.plugin_name`	`additional.fields[sudo_reject_info_plugin_name]`
`event.sudo.reject_info.failure_message`	`additional.fields[sudo_reject_info_failure_message]`
`event.sudo.reject_info.plugin_type`	`additional.fields[sudo_reject_info_plugin_type]`
`event.sudo.from_uid`	`principal.user.userid`
`event.sudo.from_username`	`principal.user.user_display_name`
`event.sudo.command`	`target.process.command_line`
`event.sudo.to_uid`	`target.user.userid`
`event.sudo.to_username`	`target.user.user_display_name`
`event.sudo.success`	`security_result.category`	If the `event.sudo.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: system_performance`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `system_performance`.
	`metadata.description`	`Event occurs on a regular interval to collect application performance data.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.performance.metrics.hw_model`	`additional.fields[performance_metrics_hw_model]`
`event.performance.page_info.page`	`additional.fields[performance_page_info_page]`
`udm.performance.page_info.total`	`additional.fields[performance_page_info_total]`
`event.performance.metrics.tasks.name`	`additional.fields[task_name]`
`event.performance.metrics.tasks.energy_impact`	`additional.fields[task_energy_impact]`

`event_type: unmount`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `unmount`.
	`metadata.description`	`A file system has been unmounted.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.unmount.statfs.f_owner`	`target.user.userid`
`event.unmount.device.size`	`target.file.size`
`event.unmount.statfs.f_fstypename`	`target.resource.resource_subtype`
`event.unmount.statfs.f_mntfromname`	`target.resource.name`
`event.unmount.device.protocol`	`additional.fields[unmount_device_protocol]`
`event.unmount.device.serial_number`	`target.asset.hardware.serial_number`	If the `event.unmount.device.serial_number` log field value is `not empty` or the `event.unmount.device.vendor_name` log field value is `not empty` or the `event.unmount.device.device_model` log field value is `not empty` then, `event.unmount.device.serial_number` log field is mapped to the `target.asset.hardware.serial_number` UDM field.
`event.unmount.device.device_model`	`target.asset.hardware.model`	If the `event.unmount.device.serial_number` log field value is `not empty` or the `event.unmount.device.vendor_name` log field value is `not empty` or the `event.unmount.device.device_model` log field value is `not empty` then, `event.unmount.device.device_model` log field is mapped to the `target.asset.hardware.model` UDM field.
`event.unmount.device.vendor_name`	`target.asset.hardware.manudacturer`	If the `event.unmount.device.serial_number` log field value is `not empty` or the `event.unmount.device.vendor_name` log field value is `not empty` or the `event.unmount.device.device_model` log field value is `not empty` then, `event.unmount.device.vendor_name` log field is mapped to the `target.asset.hardware.manufacturer` UDM field.

Precisa de mais ajuda? Receba respostas de membros da comunidade e profissionais do Google SecOps.

Coletar registros da Telemetria V2 do Jamf Protect

Antes de começar

Configurar um feed no Google SecOps para ingerir registros da telemetria V2 do Jamf Protect

Configurar um feed de ingestão no Google SecOps usando o Amazon S3

Configurar um feed de ingestão no Google SecOps usando um webhook

Criar uma chave de API para um feed de webhook

Configurar a telemetria V2 do Jamf Protect para um feed de webhook

Referência de mapeamento de campos

Referência de mapeamento de campos: identificador de evento para tipo de evento

Referência de mapeamento de campo: JAMF_TELEMETRY_V2 - Common Fields

Referência de mapeamento de campos: campos de rawlog para campos da UDM por event_type.

event_type: remount

event_type: screensharing_attach

event_type: su

event_type: settime

event_type: screensharing_detach

event_type: xp_malware_remediated

event_type: xp_malware_detected

event_type: authentication

event_type: btm_launch_item_add

event_type: btm_launch_item_remove

event_type: chroot

event_type: exec

event_type: file_collection

event_type: kextload

event_type: kextunload

event_type: log_collection

event_type: login_login

event_type: login_logout

event_type: lw_session_login

event_type: bios_uefi

event_type: cs_invalidated

event_type: gatekeeper_user_override

event_type: lw_session_unlock

event_type: lw_session_lock

event_type: lw_session_logout

event_type: mount

event_type: od_attribute_set

event_type: od_attribute_value_add

event_type: od_attribute_value_remove

event_type: od_create_group

event_type: od_delete_group

event_type: od_create_user

event_type: od_delete_user

event_type: od_disable_user

event_type: od_enable_user

event_type: od_group_add

event_type: od_group_remove

event_type: od_group_set

event_type: od_modify_password

event_type: openssh_login

event_type: openssh_logout

event_type: profile_add

event_type: profile_remove

event_type: sudo

event_type: system_performance

event_type: unmount