Collect Jamf Protect Telemetry V2 logs
This document describes how to collect Jamf Protect Telemetry V2 logs by setting up a Google Security Operations Feed. It details how Jamf Protect Telemetry V2 log fields map to Unified Data Model (UDM) fields in Google SecOps, and lists the supported Jamf Protect Telemetry V2 versions.
For more information, see Data ingestion to Google SecOps.
A typical deployment consists of Jamf Protect Telemetry V2 and a Google SecOps Feed configured to send logs to Google SecOps. Each customer deployment can differ and can be more complex.
The deployment contains the following components:
- Jamf Protect Telemetry V2: the Jamf Protect Telemetry V2 platform from which you collect logs.
- Google SecOps Feed: the Google SecOps Feed that fetches logs from Jamf Protect Telemetry and writes them to Google SecOps.
- Google SecOps: Google SecOps retains and analyzes the logs from Jamf Protect Telemetry V2.
Each log is normalized to the Unified Data Model (UDM) by a specific parser. The information in this document applies to the parser associated with the JAMF_TELEMETRY_V2 ingestion label.
Before you begin
- Ensure that you have set up the latest version of Jamf Protect Telemetry V2.
- Ensure that you are using Jamf Protect version 6.3.2 or later.
- Ensure that all systems in the deployment architecture are configured with the Coordinated Universal Time (UTC) time zone.
Configure a feed in Google SecOps to ingest Jamf Protect Telemetry V2 logs
You can set up an ingestion feed in Google SecOps using either Amazon S3 or a webhook; Amazon S3 is the recommended option.
Set up an ingestion feed in Google SecOps using Amazon S3
- Go to SIEM Settings > Feeds.
- Click Add New.
- Select Amazon S3 as the Source type.
- Select Jamf Protect Telemetry V2 as the Log type to create a feed for Jamf Protect Telemetry V2.
- Click Next.
- Configure the following input parameters:
  - S3 URI: the URI that points to the S3 bucket.
  - URI is a: the type of object the URI points to.
  - Source deletion option: whether to delete files or directories after the transfer.
  - Select access key or secret access key: choose the credential type.
  - Secret key/token: the shared secret or SAS token used to access the S3 resource.
- Click Next, and then click Submit.
- Copy the Feed ID from the feed name, for use in Jamf Protect Telemetry V2.
Set up an ingestion feed in Google SecOps using a webhook
- Go to SIEM Settings > Feeds.
- Click Add New.
- In the Feed name field, enter a name for the feed.
- In the Source type list, select Webhook.
- Select Jamf Protect Telemetry V2 as the Log type to create a feed for Jamf Protect Telemetry V2.
- Click Next.
- Optional: specify values for the following input parameters:
  - Split delimiter: the delimiter used to separate log lines, such as `\n`.
  - Asset namespace: the asset namespace.
  - Ingestion labels: the labels to apply to the events from this feed.
- Click Next.
- Review the new feed configuration in the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key for authenticating this feed.
- Copy and store the secret key securely. You cannot view this secret key again. If needed, you can regenerate a new secret key, but doing so invalidates the previous one.
- On the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need this HTTPS URL to set up the Jamf Protect Telemetry V2 client application.
- Click Done.
Create an API key for the webhook feed
- Go to Google Cloud console > Credentials.
- Click Create credentials, and then select API key.
- Restrict the API key access to the Google Security Operations API.
Set up Jamf Protect Telemetry V2 for the webhook feed
- In the Jamf Protect Telemetry V2 application, go to the relevant action configuration.
- Click Create Actions to add a new data endpoint.
- Select HTTP as the protocol.
- In the URL field, enter the HTTPS URL of the Google Security Operations API endpoint. (This is the Endpoint Information field you copied from the webhook feed setup; it is already in the required format.)
- Enable authentication by specifying the API key and the secret key in custom headers, in the following format:
  X-goog-api-key = API_KEY
  X-Webhook-Access-Key = SECRET
  Recommended: specify the API key as a header rather than in the URL. If your webhook client does not support custom headers, you can specify the API key and the secret key as query parameters in the following format:
  ENDPOINT_URL?key=API_KEY&secret=SECRET
  Replace the following:
  - ENDPOINT_URL: the feed endpoint URL.
  - API_KEY: the API key used to authenticate to Google Security Operations.
  - SECRET: the secret key you generated to authenticate the feed.
- In the Collect logs section, select Telemetry.
- Click Submit.
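The request the webhook client has to produce, as an added example that is not part of this page or of Jamf's or Google's code: it builds the POST with the two custom headers described above and, for comparison, the query-parameter fallback, and checks which form leaves the credentials in the URL (where proxy and access logs would record them). It assumes the feed was configured with `\n` as its split delimiter, so the body carries one JSON event per line; the endpoint URL, key, secret and event bodies are placeholders and constructed samples.

```python
"""Build a Jamf Protect -> Google SecOps webhook request (added example, not project code).

Assumptions not stated on the page: the feed's split delimiter is "\n", so the body
carries one JSON event per line; ENDPOINT_URL is a placeholder to replace with the
Endpoint Information value copied from the feed's Details tab.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Placeholders: replace with your own feed endpoint, API key and generated secret key.
ENDPOINT_URL = "https://feed-endpoint.example.invalid/FEED_ID"
API_KEY = "API_KEY"
SECRET = "SECRET"

# Constructed sample telemetry events (shape is illustrative only).
SAMPLE_EVENTS = [
    {"uuid": "11111111-2222-3333-4444-555555555555", "event_type": 1400,
     "host": {"hostname": "mac-01"}, "event": {"sudo": {"command": "/usr/bin/id"}}},
    {"uuid": "66666666-7777-8888-9999-000000000000", "event_type": 1401,
     "host": {"hostname": "mac-01"}, "event": {"settime": {}}},
]


def build_request(endpoint_url, api_key, secret, events, use_headers=True):
    """Prepare the POST. With use_headers=True the credentials travel in the two
    custom headers (recommended form); with use_headers=False the documented
    query-parameter fallback is used, which puts them into the URL."""
    # One JSON document per line, so the feed's "\n" split delimiter yields one event each.
    body = "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode("utf-8")
    headers = {"Content-Type": "application/json"}
    url = endpoint_url
    if use_headers:
        headers["X-goog-api-key"] = api_key
        headers["X-Webhook-Access-Key"] = secret
    else:
        url = endpoint_url + "?" + urlencode({"key": api_key, "secret": secret})
    return {"url": url, "headers": headers, "body": body}


def credentials_in_url(url):
    """True when the API key or the secret is carried in the query string.

    Query strings are routinely written to proxy and web-server access logs,
    which is why the header form is the recommended one."""
    query = parse_qs(urlparse(url).query)
    return "key" in query or "secret" in query


def send(prepared, timeout=10):
    """Deliver a prepared request and return the HTTP status code."""
    req = Request(prepared["url"], data=prepared["body"],
                  headers=prepared["headers"], method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    prepared = build_request(ENDPOINT_URL, API_KEY, SECRET, SAMPLE_EVENTS)
    print("credentials in URL:", credentials_in_url(prepared["url"]))
    # send(prepared)  # uncomment once ENDPOINT_URL, API_KEY and SECRET are real
```

`credentials_in_url` is a cheap pre-flight check to run on whatever URL a client is configured with: if it returns true, the secret key is part of the URL and will appear wherever that URL is logged, so rotate to the header form where the client supports it.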
For more information about Google SecOps feeds, see the Google SecOps feeds documentation. For the requirements of each feed type, see Feed configuration by type.
If you have problems creating a feed, contact Google SecOps support.
Field mapping reference
This section describes how the Google SecOps parser maps Jamf Protect Telemetry V2 fields to Google SecOps Unified Data Model (UDM) fields.
Field mapping reference: event identifier to event type
The following table lists the event identifiers of the JAMF_TELEMETRY_V2 log type and their corresponding UDM event types.
| Event Identifier | Event Type |
|---|---|
| authentication | USER_LOGIN |
| bios_uefi | STATUS_UPDATE |
| btm_launch_item_add | PROCESS_LAUNCH |
| btm_launch_item_remove | PROCESS_TERMINATION |
| chroot | FILE_MODIFICATION |
| cs_invalidated | STATUS_UPDATE |
| exec | PROCESS_LAUNCH |
| file_collection | STATUS_UPDATE |
| gatekeeper_user_override | STATUS_UPDATE |
| kextload | STATUS_UPDATE |
| kextunload | STATUS_UPDATE |
| log_collection | STATUS_UPDATE |
| login_login | USER_LOGIN |
| login_logout | USER_LOGOUT |
| lw_session_lock | USER_LOGOUT |
| lw_session_login | USER_LOGIN |
| lw_session_logout | USER_LOGOUT |
| lw_session_unlock | USER_LOGIN |
| mount | STATUS_UPDATE |
| od_attribute_set | USER_RESOURCE_UPDATE_CONTENT |
| od_attribute_value_add | STATUS_UPDATE |
| od_attribute_value_remove | USER_RESOURCE_DELETION |
| od_create_group | GROUP_CREATION |
| od_create_user | USER_CREATION |
| od_delete_group | GROUP_DELETION |
| od_delete_user | USER_DELETION |
| od_disable_user | USER_UNCATEGORIZED |
| od_enable_user | USER_UNCATEGORIZED |
| od_group_add | GROUP_MODIFICATION |
| od_group_remove | GROUP_MODIFICATION |
| od_group_set | GROUP_MODIFICATION |
| od_modify_password | USER_CHANGE_PASSWORD |
| openssh_login | USER_LOGIN |
| openssh_logout | USER_LOGOUT |
| sudo | STATUS_UPDATE |
| system_performance | STATUS_UPDATE |
| unmount | STATUS_UPDATE |
| profile_add | SETTING_CREATION |
| profile_remove | SETTING_DELETION |
| remount | RESOURCE_CREATION |
| screensharing_attach | USER_LOGIN |
| screensharing_detach | USER_LOGOUT |
| settime | STATUS_UPDATE |
| su | USER_LOGIN |
| xp_malware_detected | SCAN_FILE |
| xp_malware_remediated | SCAN_FILE |
Field mapping reference: JAMF_TELEMETRY_V2 common fields
The following table lists the common fields of the JAMF_TELEMETRY_V2 log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| action.result.result.auth | security_result.action | If the **event_type** log field value is < `8000`, and not equal to `113` or `112`, and the **action.result.result.auth** field is equal to **1**, then set `security_result.action` to **BLOCK**. Else, set `security_result.action` to **ALLOW**. |
| | principal.platform | The principal.platform UDM field is set to MAC. |
| uuid | metadata.product_log_id | |
| time | metadata.event_timestamp | |
| metadata.product | metadata.product_name | |
| host.protectVersion | metadata.product_version | |
| metadata.vendor | metadata.vendor_name | |
| host.hostname | principal.asset.hostname | |
| host.os | principal.platform_version | |
| host.provisioningUDID | principal.asset_id | |
| host.serial | principal.asset.hardware.serial_number | |
| host.ips | principal.ip | Iterate through the host.ips log field; each host.ips value is mapped to the principal.ip UDM field. |
| event_type | additional.fields[event_type] | |
| global_seq_num | additional.fields[global_seq_num] | |
| process.executable.path | src.process.file.full_path | |
| process.executable.stat.st_dev | src.process.file.stat_dev | |
| process.executable.stat.st_flags | src.process.file.stat_flags | |
| process.executable.stat.st_ino | src.process.file.stat_inode | |
| process.executable.stat.st_mode | src.process.file.stat_mode | |
| process.executable.stat.st_mtimespec | src.process.file.last_modification_time | |
| process.executable.stat.st_atimespec | src.process.file.last_access_time | |
| process.executable.stat.st_nlink | src.process.file.stat_nlink | |
| process.executable.stat.st_size | src.process.file.size | |
| process.executable.sha256 | src.process.file.sha256 | |
| process.executable.sha1 | src.process.file.sha1 | |
| process.signing_id | src.process.file.signature_info.codesign.id | |
| process.team_id | additional.fields[process_team_id] | |
| process.ppid | additional.fields[process_ppid] | |
| process.codesigning_flags | additional.fields[process_codesigning_flags] | |
| process.cdhash | additional.fields[process_cdhash] | |
| process.is_platform_binary | additional.fields[process_is_platform_binary] | |
| process.is_es_client | additional.fields[process_is_es_client] | |
| process.group_id | additional.fields[process_group_id] | |
| process.original_ppid | additional.fields[process_original_ppid] | |
| process.session_id | additional.fields[process_session_id] | |
| thread.uuid | additional.fields[thread_uuid] | |
| thread.thread_id | additional.fields[thread_id] | |
| seq_num | additional.fields[seq_num] | |
| mach_time | additional.fields[mach_time] | |
| version | additional.fields[version] | |
| process.audit_token.euid | src.process.euid | |
| process.audit_token.ruid | src.process.ruid | |
| process.audit_token.egid | src.process.egid | |
| process.audit_token.rgid | src.process.rgid | |
| process.audit_token.pgid | src.process.pgid | |
| process.audit_token.pid | src.process.pid | |
| process.audit_token.uuid | src.process.product_specific_process_id | |
| process.audit_token.signing_id | additional.fields[process_audit_token_signing_id] | |
| process.parent_audit_token.euid | src.process.parent_process.euid | |
| process.parent_audit_token.ruid | src.process.parent_process.ruid | |
| process.parent_audit_token.egid | src.process.parent_process.egid | |
| process.parent_audit_token.rgid | src.process.parent_process.rgid | |
| process.parent_audit_token.pgid | src.process.parent_process.pgid | |
| process.parent_audit_token.pid | src.process.parent_process.pid | |
| process.parent_audit_token.uuid | src.process.parent_process.product_specific_process_id | |
| process.parent_audit_token.signing_id | src.process.parent_process.file.signature_info.codesign.id | |
Field mapping reference: raw log fields to UDM fields by event_type
event_type: remount
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to remount. |
| | metadata.description | The value "A file system has been remounted." is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to RESOURCE_CREATION. |
| | principal.user.userid | The principal.user.userid UDM field is set to null. |
| event.remount.statfs.f_owner | target.user.userid | |
| event.remount.device.size | target.file.size | |
| event.remount.statfs.f_fstypename | target.resource.resource_subtype | |
| event.remount.statfs.f_mntfromname | src.resource.name | |
| event.remount.statfs.f_mntonname | target.resource.name | |
event_type: screensharing_attach
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to screensharing_attach. |
| | metadata.description | The value "A screen sharing session has attached to a graphical session." is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| event.screensharing_attach.source_address | src.ip | |
| event.screensharing_attach.authentication_username | target.user.user_display_name | |
| event.screensharing_attach.session_username | principal.user.user_display_name | |
| event.screensharing_attach.viewer_appleid | additional.fields[screensharing_attach.viewer_appleid] | |
| | extensions.auth.mechanism | The extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE. |
| | security_result.category | If the event.screensharing_attach.success log field value is equal to false, then the security_result.category UDM field is set to AUTH_VIOLATION. |
event_type: su
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to su. |
| | metadata.description | The value "A user attempts to start a new shell using a substitute user identity." is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
| event.su.argv | target.process.command_line | If the event.su.argc log field value is not equal to 0, then iterate through the event.su.argv log field; each event.su.argv value is mapped to the target.process.command_line UDM field. |
| event.su.to_uid | target.user.userid | |
| event.su.to_username | target.user.user_display_name | |
| event.su.from_uid | principal.user.userid | |
| event.su.from_username | principal.user.user_display_name | |
event_type: settime
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to settime. |
| | metadata.description | The value "The system time was attempted to be set." is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
event_type: screensharing_detach
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to screensharing_detach. |
| | metadata.description | The value "A screen sharing session has detached from a graphical session." is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGOUT. |
| | target.user.user_display_name | The target.user.user_display_name UDM field is set to null. |
| event.screensharing_detach.source_address | src.ip | |
| | extensions.auth.mechanism | The extensions.auth.mechanism UDM field is set to mechanism. |
event_type: xp_malware_remediated
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to xp_malware_remediated. |
| | metadata.description | The value "Apple's XProtect remediated malware on the system." is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to SCAN_FILE. |
| action.result.result.auth | security_result.action | |
| event.xp_malware_remediated.remediated_path | target.file.full_path | |
| event.xp_malware_remediated.action_type | additional.fields[xp_malware_remediated.action_type] | |
| event.xp_malware_remediated.success | additional.fields[xp_malware_remediated.success] | |
| event.xp_malware_remediated.incident_identifier | security_result.threat_id | |
| event.xp_malware_remediated.malware_identifier | security_result.threat_name | |
| event.xp_malware_remediated.signature_version | security_result.rule_id | |
event_type: xp_malware_detected
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to xp_malware_detected. |
| | metadata.description | The value "Apple's XProtect detected malware on the system." is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to SCAN_FILE. |
| action.result.result.auth | security_result.action | |
| event.xp_malware_detected.detected_path | target.file.full_path | |
| event.xp_malware_detected.incident_identifier | security_result.threat_id | |
| event.xp_malware_detected.malware_identifier | security_result.threat_name | |
event_type: authentication
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to authentication. |
| | metadata.description | The value "A user authentication has occurred." is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| event.authentication.data.od.instigator.audit_token.pid | principal.process.pid | |
| event.authentication.data.od.instigator.audit_token.uuid | principal.process.product_specific_process_id | JamfProtect:%{event.authentication.data.od.instigator.audit_token.uuid} log field is mapped to the principal.process.product_specific_process_id UDM field. |
| event.authentication.data.od.instigator.audit_token.euid | principal.process.euid | |
| event.authentication.data.od.instigator.audit_token.ruid | principal.process.ruid | |
| event.authentication.data.od.instigator.audit_token.rgid | principal.process.rgid | |
| event.authentication.data.od.instigator.audit_token.pgid | principal.process.pgid | |
| event.authentication.data.od.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.authentication.data.od.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.authentication.data.od.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.authentication.data.od.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.authentication.data.od.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.authentication.data.od.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.authentication.data.od.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.authentication.data.od.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | JamfProtect:%{event.authentication.data.od.instigator.parent_audit_token.uuid} log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
| event.authentication.data.od.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.authentication.data.od.instigator.executable.path | principal.process.file.full_path | |
| event.authentication.data.od.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.authentication.data.od.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.authentication.data.od.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.authentication.data.od.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.authentication.data.od.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.authentication.data.od.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.authentication.data.od.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.authentication.data.od.instigator.executable.stat.st_size | principal.process.file.size | |
| event.authentication.data.od.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.authentication.data.od.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.authentication.data.od.instigator.signing_id | additional.fields[authentication_data_od_instigator_signing_id] | |
| event.authentication.data.od.instigator.team_id | additional.fields[authentication_data_od_instigator_team_id] | |
| event.authentication.data.od.instigator.ppid | principal.process.parent_process.pid | |
| event.authentication.data.od.instigator.codesigning_flags | additional.fields[codesigning_flags] | |
| event.authentication.data.od.instigator.cdhash | additional.fields[cdhash] | |
| event.authentication.data.od.instigator.is_platform_binary | additional.fields[is_platform_binary] | |
| event.authentication.data.od.instigator.is_es_client | additional.fields[is_es_client] | |
| event.authentication.data.od.instigator.group_id | additional.fields[group_id] | |
| event.authentication.data.od.instigator.original_ppid | additional.fields[original_ppid] | |
| event.authentication.data.od.instigator.session_id | additional.fields[session_id] | |
| event.authentication.data.touchid.instigator.audit_token.euid | principal.process.euid | |
| event.authentication.data.touchid.instigator.audit_token.ruid | principal.process.ruid | |
| event.authentication.data.touchid.instigator.audit_token.egid | principal.process.egid | |
| event.authentication.data.touchid.instigator.audit_token.rgid | principal.process.rgid | |
| event.authentication.data.touchid.instigator.audit_token.pgid | principal.process.pgid | |
| event.authentication.data.touchid.instigator.audit_token.pid | principal.process.pid | |
| event.authentication.data.touchid.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.authentication.data.touchid.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.authentication.data.touchid.instigator.parent_audit_token.euid | principal.parent_process.parent_process.euid | |
| event.authentication.data.touchid.instigator.parent_audit_token.ruid | principal.parent_process.parent_process.ruid | |
| event.authentication.data.touchid.instigator.parent_audit_token.egid | principal.parent_process.parent_process.egid | |
| event.authentication.data.touchid.instigator.parent_audit_token.rgid | principal.parent_process.parent_process.rgid | |
| event.authentication.data.touchid.instigator.parent_audit_token.pgid | principal.parent_process.parent_process.pgid | |
| event.authentication.data.touchid.instigator.parent_audit_token.pid | principal.parent_process.parent_process.pid | |
| event.authentication.data.touchid.instigator.parent_audit_token.uuid | principal.parent_process.product_specific_process_id | |
| event.authentication.data.touchid.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.authentication.data.touchid.instigator.executable.path | principal.process.file.full_path | |
| event.authentication.data.touchid.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.authentication.data.touchid.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.authentication.data.touchid.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.authentication.data.touchid.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.authentication.data.touchid.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.authentication.data.touchid.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.authentication.data.touchid.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.authentication.data.touchid.instigator.executable.stat.st_size | principal.process.file.size | |
| event.authentication.data.touchid.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.authentication.data.touchid.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.authentication.data.touchid.instigator.signing_id | additional.fields[authentication_data_touch_id_instigator_signing_id] | |
| event.authentication.data.touchid.instigator.team_id | additional.fields[authentication_data_touch_id_instigator_team_id] | |
| event.authentication.data.touchid.instigator.ppid | additional.fields[authentication_data_touch_id_instigator_ppid] | |
| event.authentication.data.touchid.instigator.codesigning_flags | additional.fields[touchid_instigator_codesigning_flags] | |
| event.authentication.data.touchid.instigator.cdhash | additional.fields[touchid_instigator_cdhash] | |
| event.authentication.data.touchid.instigator.is_platform_binary | additional.fields[touchid_instigator_is_platform_binary] | |
| event.authentication.data.touchid.instigator.is_es_client | additional.fields[touchid_instigator_is_es_client] | |
| event.authentication.data.touchid.instigator.group_id | additional.fields[touchid_instigator_group_id] | |
| event.authentication.data.touchid.instigator.original_ppid | additional.fields[touchid_instigator_original_ppid] | |
| event.authentication.data.touchid.instigator.session_id | additional.fields[touchid_instigator_session_id] | |
| event.authentication.data.token.instigator.audit_token.euid | principal.process.euid | |
| event.authentication.data.token.instigator.audit_token.ruid | principal.process.ruid | |
| event.authentication.data.token.instigator.audit_token.egid | principal.process.egid | |
| event.authentication.data.token.instigator.audit_token.rgid | principal.process.rgid | |
| event.authentication.data.token.instigator.audit_token.pgid | principal.process.pgid | |
| event.authentication.data.token.instigator.audit_token.pid | principal.process.pid | |
| event.authentication.data.token.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.authentication.data.token.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.authentication.data.token.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.authentication.data.token.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.authentication.data.token.instigator.parent_audit_token.egid | process.parent_process.egid | |
| event.authentication.data.token.instigator.parent_audit_token.rgid | process.parent_process.rgid | |
| event.authentication.data.token.instigator.parent_audit_token.pgid | process.parent_process.pgid | |
| event.authentication.data.token.instigator.parent_audit_token.pid | process.parent_process.pid | |
| event.authentication.data.token.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.authentication.data.token.instigator.parent_audit_token.signing_id | process.parent_process.file.signature_info.codesign.id | |
| event.authentication.data.token.instigator.executable.path | principal.process.file.full_path | |
| event.authentication.data.token.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.authentication.data.token.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.authentication.data.token.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.authentication.data.token.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.authentication.data.token.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.authentication.data.token.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.authentication.data.token.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.authentication.data.token.instigator.executable.stat.st_size | principal.process.file.size | |
| event.authentication.data.token.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.authentication.data.token.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.authentication.data.token.instigator.signing_id | additional.fields[authentication_data_token_instigator_signing_id] | |
| event.authentication.data.token.instigator.team_id | additional.fields[authentication_data_token_instigator_team_id] | |
| event.authentication.data.token.instigator.ppid | additional.fields[authentication_data_token_instigator_ppid] | |
| event.authentication.data.token.instigator.codesigning_flags | additional.fields[instigator_codesigning_flags] | |
| event.authentication.data.token.instigator.cdhash | additional.fields[instigator_cdhash] | |
| event.authentication.data.token.instigator.is_platform_binary | additional.fields[instigator_is_platform_binary] | |
| event.authentication.data.token.instigator.is_es_client | additional.fields[instigator_is_es_client] | |
| event.authentication.data.token.instigator.group_id | additional.fields[instigator_group_id] | |
| event.authentication.data.token.instigator.original_ppid | additional.fields[instigator_original_ppid] | |
| event.authentication.data.token.instigator.session_id | additional.fields[instigator_session_id] | |
| event.authentication.data.od.record_name | target.user.user_display_name | |
| event.authentication.data.od.db_path | additional.fields[db_path] | |
| event.authentication.data.od.node_name | additional.fields[node_name] | |
| event.authentication.data.od.record_type | additional.fields[record_type] | |
| event.authentication.data.touchid.uid | target.user.userid | |
| event.authentication.data.touchid.touchid_mode | additional.fields[authentication_data_touchid_touchid_mode] | |
| event.authentication.data.token.pubkey_hash | additional.fields[authentication_data_token_pubkey_hash] | |
| event.authentication.data.token.token_id | additional.fields[authentication_data_token_token_id] | |
| event.authentication.data.token.kerberos_principal | additional.fields[authentication_data_token_kerberos_principal] | |
| event.authentication.data.auto_unlock.username | target.user.user_display_name | |
| event.authentication.data.auto_unlock.type | additional.fields[authentication_data_auto_unlock_type] | |
| event.authentication.type | extensions.auth.mechanism | If the event.authentication.type log field value is equal to 0, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD. Else, if the event.authentication.type log field value is equal to 1, then the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER. Else, if the event.authentication.type log field value is equal to 2, then the extensions.auth.mechanism UDM field is set to HARDWARE_KEY. Else, the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER. |
| event.authentication.success | security_result.category | If the event.authentication.success log field value is equal to false, then the security_result.category UDM field is set to AUTH_VIOLATION. |
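The conditional rules in the common-fields table (security_result.action, the host.ips iteration) and in the authentication table above (extensions.auth.mechanism, security_result.category) are the parts of the mapping a detection engineer most often needs to reason about. The following is an added example, not the Google SecOps parser itself, that applies those documented rules to a constructed raw event so the results can be checked against the tables. It assumes that the event identifier is the single key under the raw event's `event` object, uses only a subset of the identifier table, and falls back to GENERIC_EVENT for identifiers outside that subset; the sample event and its values are constructed.

```python
"""Apply the documented JAMF_TELEMETRY_V2 mapping rules to a constructed raw event.

Added example, not the Google SecOps parser. Assumptions not stated on the page:
the event identifier is the single key under the raw event's "event" object, and
identifiers outside the subset below fall back to GENERIC_EVENT.
"""

# Subset of the "event identifier -> event type" table on this page.
EVENT_TYPE_BY_IDENTIFIER = {
    "authentication": "USER_LOGIN",
    "su": "USER_LOGIN",
    "sudo": "STATUS_UPDATE",
    "exec": "PROCESS_LAUNCH",
    "screensharing_attach": "USER_LOGIN",
    "xp_malware_detected": "SCAN_FILE",
}

# event.authentication.type -> extensions.auth.mechanism (authentication table).
AUTH_MECHANISM_BY_TYPE = {0: "USERNAME_PASSWORD", 1: "MECHANISM_OTHER", 2: "HARDWARE_KEY"}


def get_path(obj, dotted, default=None):
    """Look up a dotted log-field path such as "action.result.result.auth"."""
    current = obj
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return default
        current = current[part]
    return current


def security_action(log):
    """Common-fields rule for security_result.action: BLOCK only when event_type
    is < 8000, event_type is neither 112 nor 113, and action.result.result.auth
    equals 1; every other case is ALLOW."""
    event_type = log.get("event_type")
    auth = get_path(log, "action.result.result.auth")
    if (isinstance(event_type, int) and event_type < 8000
            and event_type not in (112, 113) and auth == 1):
        return "BLOCK"
    return "ALLOW"


def normalize(log):
    """Return the UDM fields this example derives from one raw event."""
    udm = {
        "principal.platform": "MAC",
        "security_result.action": security_action(log),
        "metadata.product_log_id": log.get("uuid"),
        "metadata.event_timestamp": log.get("time"),
        "principal.asset.hostname": get_path(log, "host.hostname"),
        # host.ips is iterated: every address becomes a principal.ip value.
        "principal.ip": list(get_path(log, "host.ips", [])),
        "src.process.pid": get_path(log, "process.audit_token.pid"),
        "src.process.file.sha256": get_path(log, "process.executable.sha256"),
    }
    event = log.get("event") or {}
    identifier = next(iter(event), None)  # assumption: single key under "event"
    udm["metadata.product_event_type"] = identifier
    udm["metadata.event_type"] = EVENT_TYPE_BY_IDENTIFIER.get(identifier, "GENERIC_EVENT")
    if identifier == "authentication":
        auth_event = event["authentication"]
        udm["extensions.auth.mechanism"] = AUTH_MECHANISM_BY_TYPE.get(
            auth_event.get("type"), "MECHANISM_OTHER")
        if auth_event.get("success") is False:
            udm["security_result.category"] = "AUTH_VIOLATION"
    return udm


# Constructed sample: a failed hardware-key authentication (all values illustrative).
SAMPLE_AUTH_EVENT = {
    "uuid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "time": "2024-01-01T00:00:00Z",
    "event_type": 1400,
    "action": {"result": {"result": {"auth": 0}}},
    "host": {"hostname": "mac-01", "ips": ["10.0.0.5", "192.168.1.20"]},
    "process": {"audit_token": {"pid": 4242},
                "executable": {"sha256": "0" * 64}},
    "event": {"authentication": {"type": 2, "success": False,
                                 "data": {"token": {"token_id": "t-1"}}}},
}

if __name__ == "__main__":
    for field, value in normalize(SAMPLE_AUTH_EVENT).items():
        print(f"{field} = {value}")
```

Note the two edge cases the rules carry: event types 112 and 113 never produce BLOCK even with `auth == 1`, and an unknown `event.authentication.type` collapses to MECHANISM_OTHER rather than failing, so a detection keyed on `extensions.auth.mechanism` should treat MECHANISM_OTHER as "type 1 or unrecognised", not as a specific method.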
event_type: btm_launch_item_add
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to btm_launch_item_add. |
| | metadata.description | The value "Apple's Background Task Manager notifies that a new persistence item has been added." is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to PROCESS_LAUNCH. |
| event.btm_launch_item_add.instigator.audit_token.euid | principal.process.euid | |
| event.btm_launch_item_add.instigator.audit_token.ruid | principal.process.ruid | |
| event.btm_launch_item_add.instigator.audit_token.egid | principal.process.egid | |
| event.btm_launch_item_add.instigator.audit_token.rgid | principal.process.rgid | |
| event.btm_launch_item_add.instigator.audit_token.pgid | principal.process.pgid | |
| event.btm_launch_item_add.instigator.audit_token.pid | principal.process.pid | |
| event.btm_launch_item_add.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.btm_launch_item_add.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.btm_launch_item_add.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.btm_launch_item_add.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.btm_launch_item_add.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.btm_launch_item_add.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.btm_launch_item_add.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.btm_launch_item_add.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.btm_launch_item_add.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.btm_launch_item_add.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.btm_launch_item_add.instigator.executable.path | principal.process.file.full_path | |
| event.btm_launch_item_add.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.btm_launch_item_add.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.btm_launch_item_add.instigator.executable.stat.stat_inode | principal.process.file.stat_inode | |
| event.btm_launch_item_add.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.btm_launch_item_add.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.btm_launch_item_add.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.btm_launch_item_add.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.btm_launch_item_add.instigator.executable.stat.st_size | principal.process.file.size | |
| event.btm_launch_item_add.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.btm_launch_item_add.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.btm_launch_item_add.instigator.signing_id | additional.fields[btm_launch_item_add_data_token_instigator_signing_id] | |
| event.btm_launch_item_add.instigator.team_id | additional.fields[btm_launch_item_add_data_token_instigator_team_id] | |
| event.btm_launch_item_add.instigator.ppid | additional.fields[btm_launch_item_add_data_token_instigator_ppid] | |
| event.btm_launch_item_add.instigator.codesigning_flags | additional.fields[btm_launch_item_add_instigator_codesigning_flags] | |
| event.btm_launch_item_add.instigator.cdhash | additional.fields[btm_launch_item_add_instigator_cdhash] | |
| event.btm_launch_item_add.instigator.is_platform_binary | additional.fields[btm_launch_item_add_instigator_is_platform_binary] | |
| event.btm_launch_item_add.instigator.is_es_client | additional.fields[btm_launch_item_add_instigator_is_es_client] | |
| event.btm_launch_item_add.instigator.group_id | additional.fields[btm_launch_item_add_instigator_group_id] | |
| event.btm_launch_item_add.instigator.original_ppid | additional.fields[btm_launch_item_add_instigator_original_ppid] | |
| event.btm_launch_item_add.instigator.session_id | additional.fields[btm_launch_item_add_instigator_session_id] | |
| event.btm_launch_item_add.app.audit_token.euid | target.process.euid | |
| event.btm_launch_item_add.app.audit_token.ruid | target.process.ruid | |
| event.btm_launch_item_add.app.audit_token.egid | target.process.egid | |
| event.btm_launch_item_add.app.audit_token.rgid | target.process.rgid | |
| event.btm_launch_item_add.app.audit_token.pgid | target.process.pgid | |
| event.btm_launch_item_add.app.audit_token.pid | target.process.pid | |
| event.btm_launch_item_add.app.audit_token.uuid | target.process.product_specific_process_id | |
| event.btm_launch_item_add.app.audit_token.signing_id | target.process.file.signature_info.codesign.id | |
| event.btm_launch_item_add.app.parent_audit_token.euid | target.process.parent_process.euid | |
| event.btm_launch_item_add.app.parent_audit_token.ruid | target.process.parent_process.ruid | |
| event.btm_launch_item_add.app.parent_audit_token.egid | target.process.parent_process.egid | |
| event.btm_launch_item_add.app.parent_audit_token.rgid | target.process.parent_process.rgid | |
| event.btm_launch_item_add.app.parent_audit_token.pid | target.process.parent_process.pid | |
| event.btm_launch_item_add.app.parent_audit_token.uuid | target.process.parent_process.product_specific_process_id | |
| event.btm_launch_item_add.app.parent_audit_token.signing_id | target.process.parent_process.file.signature_info.codesign.id | |
| event.btm_launch_item_add.app.executable.path | target.process.file.full_path | |
| event.btm_launch_item_add.app.executable.stat.st_dev | target.process.file.stat_dev | |
| event.btm_launch_item_add.app.executable.stat.st_flags | target.process.file.stat_flags | |
| event.btm_launch_item_add.app.executable.stat.st_ino | target.process.file.stat_inode | |
| event.btm_launch_item_add.app.executable.stat.st_mode | target.process.file.stat_mode | |
| event.btm_launch_item_add.app.executable.stat.st_mtimespec | target.process.file.last_modification_time | |
event.btm_launch_item_add.app.executable.stat.st_atimespec |
target.process.file.last_access_time |
|
event.btm_launch_item_add.app.executable.stat.st_nlink |
target.process.file.stat_nlink |
|
event.btm_launch_item_add.app.executable.stat.st_size |
target.process.file.size |
|
event.btm_launch_item_add.app.executable.sha256 |
target.process.file.sha256 |
|
event.btm_launch_item_add.app.executable.sha1 |
target.process.file.sha1 |
|
event.btm_launch_item_add.app.signing_id |
additional.fields[btm_launch_item_add_app_signing_id] |
|
event.btm_launch_item_add.app.team_id |
additional.fields[btm_launch_item_add_app_team_id] |
|
event.btm_launch_item_add.app.ppid |
additional.fields[btm_launch_item_add_app_ppid] |
|
event.btm_launch_item_add.app.codesigning_flags |
additional.fields[btm_launch_item_add_app_codesigning_flags] |
|
event.btm_launch_item_add.app.cdhash |
additional.fields[btm_launch_item_add_app_cdhash] |
|
event.btm_launch_item_add.app.is_platform_binary |
additional.fields[btm_launch_item_add_app_is_platform_binary] |
|
event.btm_launch_item_add.app.is_es_client |
additional.fields[btm_launch_item_add_app_is_es_client] |
|
event.btm_launch_item_add.app.group_id |
additional.fields[btm_launch_item_add_app_group_id] |
|
event.btm_launch_item_add.app.original_ppid |
additional.fields[btm_launch_item_add_app_group_id] |
|
event.btm_launch_item_add.app.session_id |
additional.fields[btm_launch_item_add_app_session_id] |
|
event.btm_launch_item_add.executable_path |
target.file.full_path |
If the event.btm_launch_item_add.item.item_type log field value is equal to 4 or the event.btm_launch_item_add.item.item_type log field value is equal to 3 and if the event.btm_launch_item_add.executable_path log field value is not empty and if the event.btm_launch_item_add.executable_path log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_add.executable_path log field value does not match the regular expression pattern /^[a-zA-Z0-9] then, event.btm_launch_item_add.executable_path log field is mapped to the target.file.full_path UDM field. Else, %{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.executable_path} log field is mapped to the target.file.full_path UDM field.Else If the event.btm_launch_item_add.item.item_url log field value is not empty and if the event.btm_launch_item_add.item.item_url log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_add.item.item_url log field value does not match the regular expression pattern /^[a-zA-Z0-9] then, event.btm_launch_item_add.item.item_url log field is mapped to the target.resource.name UDM field. Else, %{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url} log field is mapped to the target.resource.name UDM field. |
event.btm_launch_item_add.item.item_url |
target.file.full_path |
If the event.btm_launch_item_add.item.item_type log field value is equal to 0 or the event.btm_launch_item_add.item.item_type log field value is equal to 1 or the event.btm_launch_item_add.item.item_type log field value is equal to 2 and if the event.btm_launch_item_add.item.item_url log field value is not empty and if the event.btm_launch_item_add.item.item_url log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_add.item.item_url log field value does not match the regular expression pattern /^[a-zA-Z0-9] then the event.btm_launch_item_add.item.item_url log field is mapped to the target.file.full_path UDM field. Else, %{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url} log field is mapped to the target.file.full_path UDM field. |
event.btm_launch_item_add.item.uid |
target.user.userid |
|
event.btm_launch_item_add.item.item_type |
target.application |
If the event.btm_launch_item_add.item.item_type log field value is equal to 0 then, the target.application UDM field is set to USER_ITEM . Else, if event.btm_launch_item_add.item.item_type log field value is equal to 1 then, the target.application UDM field is set to APP . Else, if event.btm_launch_item_add.item.item_type log field value is equal to 2 then, the target.application UDM field is set to LOGIN_ITEM . Else, if event.btm_launch_item_add.item.item_type log field value is equal to 3 then, the target.application UDM field is set to AGENT . Else, if event.btm_launch_item_add.item.item_type log field value is equal to 4 then, the target.application UDM field is set to DAEMON . |
event.btm_launch_item_add.item.managed |
additional.fields[btm_launch_item_add_item_managed] |
|
event.btm_launch_item_add.item.legacy |
additional.fields[btm_launch_item_add_item_legacy] |
event_type: btm_launch_item_remove

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to btm_launch_item_remove. |
| | metadata.description | The "Apple's Background Task Manager notified that an item has been removed." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to PROCESS_TERMINATION. |
| event.btm_launch_item_remove.instigator.audit_token.euid | principal.process.euid | |
| event.btm_launch_item_remove.instigator.audit_token.ruid | principal.process.ruid | |
| event.btm_launch_item_remove.instigator.audit_token.egid | principal.process.egid | |
| event.btm_launch_item_remove.instigator.audit_token.rgid | principal.process.rgid | |
| event.btm_launch_item_remove.instigator.audit_token.pgid | principal.process.pgid | |
| event.btm_launch_item_remove.instigator.audit_token.pid | principal.process.pid | |
| event.btm_launch_item_remove.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.btm_launch_item_remove.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.btm_launch_item_remove.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.btm_launch_item_remove.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.btm_launch_item_remove.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.btm_launch_item_remove.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.btm_launch_item_remove.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.btm_launch_item_remove.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.btm_launch_item_remove.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.btm_launch_item_remove.instigator.executable.path | principal.process.file.full_path | |
| event.btm_launch_item_remove.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.btm_launch_item_remove.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.btm_launch_item_remove.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.btm_launch_item_remove.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.btm_launch_item_remove.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.btm_launch_item_remove.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.btm_launch_item_remove.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.btm_launch_item_remove.instigator.executable.stat.st_size | principal.process.file.size | |
| event.btm_launch_item_remove.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.btm_launch_item_remove.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.btm_launch_item_remove.instigator.codesigning_flags | additional.fields[btm_launch_item_remove_instigator_codesigning_flags] | |
| event.btm_launch_item_remove.instigator.cdhash | additional.fields[btm_launch_item_remove_instigator_cdhash] | |
| event.btm_launch_item_remove.instigator.is_es_client | additional.fields[btm_launch_item_remove_instigator_is_es_client] | |
| event.btm_launch_item_remove.instigator.group_id | additional.fields[btm_launch_item_remove_instigator_group_id] | |
| event.btm_launch_item_remove.instigator.original_ppid | additional.fields[btm_launch_item_remove_instigator_original_ppid] | |
| event.btm_launch_item_remove.instigator.session_id | additional.fields[btm_launch_item_remove_instigator_session_id] | |
| event.btm_launch_item_remove.app.audit_token.euid | target.process.euid | |
| event.btm_launch_item_remove.app.audit_token.ruid | target.process.ruid | |
| event.btm_launch_item_remove.app.audit_token.egid | target.process.egid | |
| event.btm_launch_item_remove.app.audit_token.rgid | target.process.rgid | |
| event.btm_launch_item_remove.app.audit_token.pgid | target.process.pgid | |
| event.btm_launch_item_remove.app.audit_token.pid | target.process.pid | |
| event.btm_launch_item_remove.app.audit_token.uuid | target.process.product_specific_process_id | |
| event.btm_launch_item_remove.app.audit_token.signing_id | target.process.file.signature_info.codesign.id | |
| event.btm_launch_item_remove.app.parent_audit_token.euid | target.process.parent_process.euid | |
| event.btm_launch_item_remove.app.parent_audit_token.ruid | target.process.parent_process.ruid | |
| event.btm_launch_item_remove.app.parent_audit_token.egid | target.process.parent_process.egid | |
| event.btm_launch_item_remove.app.parent_audit_token.rgid | target.process.parent_process.rgid | |
| event.btm_launch_item_remove.app.parent_audit_token.pgid | target.process.parent_process.pgid | |
| event.btm_launch_item_remove.app.parent_audit_token.pid | target.process.parent_process.pid | |
| event.btm_launch_item_remove.app.parent_audit_token.uuid | target.process.parent_process.product_specific_process_id | |
| event.btm_launch_item_remove.app.executable.path | target.process.file.full_path | |
| event.btm_launch_item_remove.app.executable.stat.st_dev | target.process.file.stat_dev | |
| event.btm_launch_item_remove.app.executable.stat.st_flags | target.process.file.stat_flags | |
| event.btm_launch_item_remove.app.executable.stat.st_ino | target.process.file.stat_inode | |
| event.btm_launch_item_remove.app.executable.stat.st_mode | target.process.file.stat_mode | |
| event.btm_launch_item_remove.app.executable.stat.st_mtimespec | target.process.file.last_modification_time | |
| event.btm_launch_item_remove.app.executable.stat.st_atimespec | target.process.file.last_access_time | |
| event.btm_launch_item_remove.app.executable.stat.st_nlink | target.process.file.stat_nlink | |
| event.btm_launch_item_remove.app.executable.stat.st_size | target.process.file.size | |
| event.btm_launch_item_remove.app.executable.sha256 | target.process.file.sha256 | |
| event.btm_launch_item_remove.app.executable.sha1 | target.process.file.sha1 | |
| event.btm_launch_item_remove.app.signing_id | additional.fields[btm_launch_item_remove_app_signing_id] | |
| event.btm_launch_item_remove.app.team_id | additional.fields[btm_launch_item_remove_app_team] | |
| event.btm_launch_item_remove.app.ppid | additional.fields[btm_launch_item_remove_app_ppid] | |
| event.btm_launch_item_remove.app.codesigning_flags | additional.fields[btm_launch_item_remove_app_codesigning_flags] | |
| event.btm_launch_item_remove.app.cdhash | additional.fields[btm_launch_item_remove_app_cdhash] | |
| event.btm_launch_item_remove.app.is_platform_binary | additional.fields[btm_launch_item_remove_app_cdhash] | |
| event.btm_launch_item_remove.app.is_es_client | additional.fields[btm_launch_item_remove_app_is_es_client] | |
| event.btm_launch_item_remove.app.group_id | additional.fields[btm_launch_item_remove_app_group_id] | |
| event.btm_launch_item_remove.app.original_ppid | additional.fields[btm_launch_item_remove_app_original_ppid] | |
| event.btm_launch_item_remove.app.session_id | additional.fields[btm_launch_item_remove_app_session_id] | |
| event.btm_launch_item_remove.item.app_url | target.file.full_path | If the event.btm_launch_item_remove.item.item_url log field value is not empty, and if the event.btm_launch_item_remove.item.item_url log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_remove.item.item_url log field value does not match the regular expression pattern /^[a-zA-Z0-9]/, then the event.btm_launch_item_remove.item.item_url log field is mapped to the target.file.full_path UDM field. Else, %{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url} is mapped to the target.file.full_path UDM field. |
| event.btm_launch_item_remove.item.item_url | target.file.full_path | If the event.btm_launch_item_remove.item.item_url log field value is not empty, and if the event.btm_launch_item_remove.item.item_url log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_remove.item.item_url log field value does not match the regular expression pattern /^[a-zA-Z0-9]/, then the event.btm_launch_item_remove.item.item_url log field is mapped to the target.file.full_path UDM field. Else, %{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url} is mapped to the target.file.full_path UDM field. |
| event.btm_launch_item_remove.item.uid | target.user.userid | |
| event.btm_launch_item_remove.executable_path | target.file.full_path | |
| event.btm_launch_item_remove.item.item_type | target.application | If the event.btm_launch_item_remove.item.item_type log field value is equal to 0, then the target.application UDM field is set to USER_ITEM. Else, if the event.btm_launch_item_remove.item.item_type log field value is equal to 1, then the target.application UDM field is set to APP. Else, if the event.btm_launch_item_remove.item.item_type log field value is equal to 2, then the target.application UDM field is set to LOGIN_ITEM. Else, if the event.btm_launch_item_remove.item.item_type log field value is equal to 3, then the target.application UDM field is set to AGENT. Else, if the event.btm_launch_item_remove.item.item_type log field value is equal to 4, then the target.application UDM field is set to DAEMON. |
| event.btm_launch_item_remove.item.managed | additional.fields[btm_launch_item_remove_item_managed] | |
| event.btm_launch_item_remove.item.legacy | additional.fields[btm_launch_item_remove_item_legacy] | |
| event.btm_launch_item_remove.app.parent_audit_token.signing_id | target.process.parent_process.file.signature_info.codesign.id | |
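The conditional path and item_type logic in the btm_launch_item_add and btm_launch_item_remove tables above is easier to check against real records in code. The following is an added example, not the Google SecOps parser or Jamf's code: it implements only those conditional rows, the sample events are constructed, and it assumes the "Else, if" in the executable_path logic belongs to the item_type / executable_path condition that precedes it.

```python
import re
from typing import Any, Dict, Optional

# item_type -> target.application, as listed in the btm_launch_item_* logic.
ITEM_TYPE_TO_APPLICATION = {0: "USER_ITEM", 1: "APP", 2: "LOGIN_ITEM", 3: "AGENT", 4: "DAEMON"}

FILE_URL_RE = re.compile(r"^file:.")          # value is already a file: URL
ALNUM_START_RE = re.compile(r"^[a-zA-Z0-9]")  # value is relative to item.app_url


def resolve_item_path(app_url: str, candidate: Optional[str]) -> Optional[str]:
    """Documented rule for item_url / executable_path: a non-empty value is kept
    as-is when it is a file: URL or does not start with an alphanumeric character;
    otherwise it is treated as relative and item.app_url is prepended."""
    if not candidate:
        return None
    if FILE_URL_RE.match(candidate) or not ALNUM_START_RE.match(candidate):
        return candidate
    return f"{app_url or ''}{candidate}"


def map_btm_launch_item(event_name: str, event: Dict[str, Any]) -> Dict[str, Any]:
    """Return the conditionally derived UDM fields for one btm_launch_item_add or
    btm_launch_item_remove record. The 'event' argument is the record's event
    object; one-to-one mappings (audit tokens, stat fields, hashes) are omitted."""
    if event_name not in ("btm_launch_item_add", "btm_launch_item_remove"):
        raise ValueError(f"unsupported event_type: {event_name}")
    body = event.get(event_name, {})
    item = body.get("item", {})
    app_url = item.get("app_url", "")
    item_url = item.get("item_url")
    executable_path = body.get("executable_path")
    item_type = item.get("item_type")

    udm: Dict[str, Any] = {"metadata.product_event_type": event_name}
    if item_type in ITEM_TYPE_TO_APPLICATION:
        udm["target.application"] = ITEM_TYPE_TO_APPLICATION[item_type]
    if item.get("uid") is not None:
        udm["target.user.userid"] = str(item["uid"])

    if event_name == "btm_launch_item_add":
        # Agents (3) and daemons (4): executable_path names the launched file.
        if item_type in (3, 4) and executable_path:
            udm["target.file.full_path"] = resolve_item_path(app_url, executable_path)
        elif item_url:
            # Assumption: this branch is the "Else, if" of the condition above.
            udm["target.resource.name"] = resolve_item_path(app_url, item_url)
        # User items, apps and login items (0-2): item_url names the file.
        if item_type in (0, 1, 2) and item_url:
            udm["target.file.full_path"] = resolve_item_path(app_url, item_url)
    elif item_url:
        # Removal: item_url feeds target.file.full_path regardless of item_type.
        udm["target.file.full_path"] = resolve_item_path(app_url, item_url)
    return udm


# Constructed sample records (not real telemetry); paths are illustrative.
SAMPLE_DAEMON_ADD = {"btm_launch_item_add": {
    "executable_path": "/Library/PrivilegedHelperTools/com.example.helper",
    "item": {"item_type": 4, "uid": 0, "app_url": "",
             "item_url": "file:///Library/LaunchDaemons/com.example.helper.plist"}}}

SAMPLE_LOGIN_ITEM_ADD = {"btm_launch_item_add": {
    "item": {"item_type": 2, "uid": 501,
             "app_url": "file:///Applications/Example.app/",
             "item_url": "Contents/Library/LoginItems/ExampleHelper.app/"}}}

SAMPLE_AGENT_REMOVE = {"btm_launch_item_remove": {
    "item": {"item_type": 3, "uid": 501, "app_url": "",
             "item_url": "file:///Users/alice/Library/LaunchAgents/com.example.agent.plist"}}}


if __name__ == "__main__":
    for name, rec in (("btm_launch_item_add", SAMPLE_DAEMON_ADD),
                      ("btm_launch_item_add", SAMPLE_LOGIN_ITEM_ADD),
                      ("btm_launch_item_remove", SAMPLE_AGENT_REMOVE)):
        print(map_btm_launch_item(name, rec))
```

Running it shows that a relative login-item item_url is prefixed with item.app_url while absolute paths and file: URLs pass through unchanged, which is what a detection rule keyed on target.file.full_path has to expect.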
event_type: chroot

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to chroot. |
| | metadata.description | The "A piece of software has changed its apparent root directory." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to FILE_MODIFICATION. |
| event.chroot.target.path | target.file.full_path | |
| event.chroot.target.stat.st_dev | target.file.stat_dev | |
| event.chroot.target.stat.st_flags | target.file.stat_flags | |
| event.chroot.target.stat.st_ino | target.file.stat_inode | |
| event.chroot.target.stat.st_mode | target.file.stat_mode | |
| event.chroot.target.stat.st_mtimespec | target.file.last_modification_time | |
| event.chroot.target.stat.st_atimespec | target.file.last_access_time | |
| event.chroot.target.stat.st_nlink | target.file.stat_nlink | |
| event.chroot.target.stat.st_size | target.file.size | |
| event.chroot.target.sha256 | target.file.sha256 | |
| event.chroot.target.sha1 | target.file.sha1 | |
event_type: exec

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to exec. |
| | metadata.description | The "An executable has been loaded into memory." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to PROCESS_LAUNCH. |
| process.responsible_audit_token.euid | principal.process.euid | |
| process.responsible_audit_token.ruid | principal.process.ruid | |
| process.responsible_audit_token.egid | principal.process.egid | |
| process.responsible_audit_token.rgid | principal.process.rgid | |
| process.responsible_audit_token.pgid | principal.process.pgid | |
| process.responsible_audit_token.pid | principal.process.pid | |
| process.responsible_audit_token.uuid | principal.process.product_specific_process_id | |
| process.responsible_audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.exec.target.audit_token.euid | target.process.euid | |
| event.exec.target.audit_token.ruid | target.process.ruid | |
| event.exec.target.audit_token.egid | target.process.egid | |
| event.exec.target.audit_token.rgid | target.process.rgid | |
| event.exec.target.audit_token.pgid | target.process.pgid | |
| event.exec.target.audit_token.pid | target.process.pid | |
| event.exec.target.audit_token.uuid | target.process.product_specific_process_id | |
| event.exec.target.parent_audit_token.euid | target.process.parent_process.euid | |
| event.exec.target.parent_audit_token.ruid | target.process.parent_process.ruid | |
| event.exec.target.parent_audit_token.egid | target.process.parent_process.egid | |
| event.exec.target.parent_audit_token.rgid | target.process.parent_process.rgid | |
| event.exec.target.parent_audit_token.pgid | target.process.parent_process.pgid | |
| event.exec.target.parent_audit_token.pid | target.process.parent_process.pid | |
| event.exec.target.parent_audit_token.uuid | target.process.parent_process.product_specific_process_id | |
| event.exec.target.parent_audit_token.signing_id | target.process.parent_process.file.signature_info.codesign.id | |
| event.exec.target.executable.path | target.process.file.full_path | |
| event.exec.target.executable.stat.st_dev | target.process.file.stat_dev | |
| event.exec.target.executable.stat.st_flags | target.process.file.stat_flags | |
| event.exec.target.executable.stat.st_ino | target.process.file.stat_inode | |
| event.exec.target.executable.stat.st_mode | target.process.file.stat_mode | |
| event.exec.target.executable.stat.st_mtimespec | target.process.file.last_modification_time | |
| event.exec.target.executable.stat.st_atimespec | target.process.file.last_access_time | |
| event.exec.target.executable.stat.st_nlink | target.process.file.stat_nlink | |
| event.exec.target.executable.stat.st_size | target.process.file.size | |
| event.exec.target.executable.sha256 | target.process.file.sha256 | |
| event.exec.target.executable.sha1 | target.process.file.sha1 | |
| event.exec.target.signing_id | additional.fields[exec_target_signing_id] | |
| event.exec.target.team_id | additional.fields[exec_target_team_id] | |
| event.exec.target.ppid | additional.fields[exec_target_ppid] | |
| event.exec.target.codesigning_flags | additional.fields[exec_target_codesigning_flags] | |
| event.exec.target.cdhash | additional.fields[exec_target_cdhash] | |
| event.exec.target.is_platform_binary | additional.fields[exec_target_is_platform_binary] | |
| event.exec.target.is_es_client | additional.fields[exec_target_is_es_client] | |
| event.exec.target.group_id | additional.fields[exec_target_group_id] | |
| event.exec.target.original_ppid | additional.fields[exec_target_original_ppid] | |
| event.exec.target.session_id | additional.fields[exec_target_session_id] | |
| event.exec.args | target.process.command_line | |
| event.exec.cwd.path | additional.fields[exec_cwd_path] | |
| event.exec.dyld_exec_path | additional.fields[exec_dyld_exec_path] | |
| event.exec.script.path | additional.fields[exec_script_path] | |
| event.exec.tty.path | additional.fields[exec_tty_path] | |
| event.exec.image_cpusubtype | additional.fields[exec_image_cpusubtype] | |
| event.exec.image_cputype | additional.fields[exec_image_cputype] | |
| event.exec.target.audit_token.signing_id | target.process.file.signature_info.codesign.id | |
event_type: file_collection

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to file_collection. |
| | metadata.description | The "Event occurs when data from a Diagnsostic or Crash Report file is collected from the system." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.file_collection.path | target.file.path | |
| event.file_collection.size | target.file.size | |
| event.file_collection.contents | additional.fields[file_collection_contents] | |
event_type: kextload

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to kextload. |
| | metadata.description | The "A kernel extension (kext) was loaded." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.kextload.identifier | target.resource.name | |
event_type: kextunload

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to kextunload. |
| | metadata.description | The "A kernel extension (kext) was unloaded." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.kextunload.identifier | target.resource.name | |
event_type: log_collection

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to log_collection. |
| | metadata.description | The "Collection of entries from a local log file." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.log_collection.texts | target.file.names | |
| event.log_collection.path.0 | target.file.full_path | |
event_type: login_login

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to login_login. |
| | metadata.description | The "A user attempted to log in via /usr/bin/login." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
| event.login_login.uid | target.user.userid | |
| event.login_login.username | target.user.user_display_name | |
| event.login_login.success | security_result.category | If the event.login_login.success log field value is equal to false, then the security_result.category UDM field is set to AUTH_VIOLATION. |
| event.login_login.failure_message | security_result.category_details | If the event.login_login.success log field value is equal to false, then the event.login_login.failure_message log field is mapped to the security_result.category_details UDM field. |
event_type: login_logout

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to login_logout. |
| | metadata.description | The "A user logged out via /usr/bin/login." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGOUT. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
| event.login_logout.uid | target.user.userid | |
| event.login_logout.username | target.user.user_display_name | |
event_type: lw_session_login

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to lw_session_login. |
| | metadata.description | The "A user has logged in via the Login Window." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
| event.lw_session_login.username | target.user.user_display_name | |
event_type: bios_uefi

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to bios_uefi. |
| | metadata.description | The "Information about the current version of bios and uefi on the device." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.bios_uefi.firmware-version | additional.fields[bios_uefi_firmware_version] | |
| event.bios_uefi.system-firmware-version | additional.fields[bios_uefi_system_firmware_version] | |
| event.bios_uefi.architecture | additional.fields[bios_uefi_architecture] | |
| event.bios_uefi.bios.firmware-version | additional.fields[bios_uefi_bios_firmware_version] | |
| event.bios_uefi.bios.vendor | additional.fields[bios_uefi_bios_vendor] | |
| event.bios_uefi.bios.firmware-features | additional.fields[bios_uefi_bios_firmware_features] | |
| event.bios_uefi.bios.rom-size | additional.fields[bios_uefi_bios_rom_size] | |
| event.bios_uefi.bios.booter-version | additional.fields[bios_uefi_bios_booter_version] | |
event_type: cs_invalidated

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to cs_invalidated. |
| | metadata.description | The "A process has had its code signature marked as invalid." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
event_type: gatekeeper_user_override

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to gatekeeper_user_override. |
| | metadata.description | The "A user overrides Gatekeeper." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.gatekeeper_user_override.file.path | target.file.full_path | |
| event.gatekeeper_user_override.file.stat.st_dev | target.file.stat_dev | |
| event.gatekeeper_user_override.file.stat.st_flags | target.file.stat_flags | |
| event.gatekeeper_user_override.file.stat.st_ino | target.file.stat_inode | |
| event.gatekeeper_user_override.file.stat.st_mode | target.file.stat_mode | |
| event.gatekeeper_user_override.file.stat.st_mtimespec | target.file.last_modification_time | |
| event.gatekeeper_user_override.file.stat.st_atimespec | target.file.last_access_time | |
| event.gatekeeper_user_override.file.stat.st_nlink | target.file.stat_nlink | |
| event.gatekeeper_user_override.file.stat.st_size | target.file.size | |
| event.gatekeeper_user_override.file.sha256 | target.file.sha256 | |
| event.gatekeeper_user_override.file.sha1 | target.file.sha1 | |
| event.gatekeeper_user_override.signing_info.signing_id | additional.fields[exec_gatekeeper_user_override_signing_info_signing_id] | |
| event.gatekeeper_user_override.signing_info.team_id | additional.fields[gatekeeper_user_override_signing_info_team_id] | |
| event.gatekeeper_user_override.signing_info.cdhash | additional.fields[gatekeeper_user_override_signing_info_cdhash] | |
| event.gatekeeper_user_override.file_type | additional.fields[gatekeeper_user_override_file_type] | |
| event.gatekeeper_user_override.sha256 | additional.fields[gatekeeper_user_override_sha256] | |
event_type: lw_session_unlock

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to lw_session_unlock. |
| | metadata.description | The "A user has unlocked the screen from the Login Window." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
| event.lw_session_unlock.username | target.user.user_display_name | |
event_type: lw_session_lock

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to lw_session_lock. |
| | metadata.description | The "A user has locked the screen." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGOUT. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
| event.lw_session_lock.username | target.user.user_display_name | |
event_type: lw_session_logout

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to lw_session_logout. |
| | metadata.description | The "A user has logged out of an active graphical session." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGOUT. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
| event.lw_session_logout.username | target.user.user_display_name | |
event_type: mount

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to mount. |
| | metadata.description | The "A file system has been mounted." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.mount.statfs.f_owner | principal.user.userid | |
| event.mount.device.size | target.file.size | |
| event.mount.statfs.f_fstypename | target.resource.resource_subtype | |
| event.mount.statfs.f_mntfromname | src.resource.name | |
| event.mount.statfs.f_mntonname | target.resource.name | |
| event.mount.device.protocol | additional.fields[mount_device_protocol] | |
| event.mount.disposition | additional.fields[mount_disposition] | |
| event.mount.device.serial_number | target.asset.hardware.serial_number | If the event.mount.device.serial_number log field value is not empty or the event.mount.device.vendor_name log field value is not empty or the event.mount.device.device_model log field value is not empty, then the event.mount.device.serial_number log field is mapped to the target.asset.hardware.serial_number UDM field. |
| event.mount.device.vendor_name | target.asset.hardware.manufacturer | If the event.mount.device.serial_number log field value is not empty or the event.mount.device.vendor_name log field value is not empty or the event.mount.device.device_model log field value is not empty, then the event.mount.device.vendor_name log field is mapped to the target.asset.hardware.manufacturer UDM field. |
| event.mount.device.device_model | target.asset.hardware.model | If the event.mount.device.serial_number log field value is not empty or the event.mount.device.vendor_name log field value is not empty or the event.mount.device.device_model log field value is not empty, then the event.mount.device.device_model log field is mapped to the target.asset.hardware.model UDM field. |
event_type: od_attribute_set

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_attribute_set. |
| | metadata.description | Attribute set on user or group using Open Directory. value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
| event.od_attribute_set.instigator.audit_token.euid | principal.process.euid | |
| event.od_attribute_set.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_attribute_set.instigator.audit_token.egid | principal.process.egid | |
| event.od_attribute_set.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_attribute_set.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_attribute_set.instigator.audit_token.pid | principal.process.pid | |
| event.od_attribute_set.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_attribute_set.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_attribute_set.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_attribute_set.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_attribute_set.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_attribute_set.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_attribute_set.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_attribute_set.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_attribute_set.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_attribute_set.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_attribute_set.instigator.executable.path | principal.process.file.full_path | |
| event.od_attribute_set.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_attribute_set.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_attribute_set.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_attribute_set.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_attribute_set.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_attribute_set.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_attribute_set.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_attribute_set.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_attribute_set.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_attribute_set.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_attribute_set.instigator.signing_id | additional.fields[od_attribute_set_instigator_signing_id] | |
| event.od_attribute_set.instigator.team_id | additional.fields[od_attribute_set_instigator_team_id] | |
| event.od_attribute_set.instigator.ppid | additional.fields[od_attribute_set_instigator_codesigning_flags] | |
| event.od_attribute_set.instigator.codesigning_flags | additional.fields[od_attribute_set_instigator_ppid] | |
| event.od_attribute_set.instigator.cdhash | additional.fields[od_attribute_set_instigator_cdhash] | |
| event.od_attribute_set.instigator.is_platform_binary | additional.fields[od_attribute_set_instigator_is_platform_binary] | |
| event.od_attribute_set.instigator.is_es_client | additional.fields[od_attribute_set_instigator_is_es_client] | |
| event.od_attribute_set.instigator.group_id | additional.fields[od_attribute_set_instigator_group_id] | |
| event.od_attribute_set.instigator.original_ppid | additional.fields[od_attribute_set_instigator_original_ppid] | |
| event.od_attribute_set.instigator.session_id | additional.fields[od_attribute_set_instigator_session_id] | |
| event.od_attribute_set.attribute_name | target.resource.resource_subtype | |
| event.od_attribute_value_add.attribute_value | target.resource.name | |
| event.od_attribute_set.record_name | target.user.user_display_name | |
| event.od_attribute_set.instigator_token.euid | principal.user.userid | |
| event.od_attribute_set.db_path | additional.fields[event_od_attribute_set_db_path] | |
| event.od_attribute_set.node_name | additional.fields[event_od_attribute_set_node_name] | |
| event.od_attribute_set.record_type | additional.fields[event_od_attribute_set_record_type] | |
| event.od_attribute_set.error_code | additional.fields[event_od_attribute_set_error_code] | |

event_type: od_attribute_value_add

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_attribute_value_add. |
| | metadata.description | Attribute set on user or group using Open Directory. value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.od_attribute_value_add.instigator.audit_token.euid | principal.process.euid | |
| event.od_attribute_value_add.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_attribute_value_add.instigator.audit_token.egid | principal.process.egid | |
| event.od_attribute_value_add.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_attribute_value_add.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_attribute_value_add.instigator.audit_token.pid | principal.process.pid | |
| event.od_attribute_value_add.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_attribute_value_add.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_attribute_value_add.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_attribute_value_add.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_attribute_value_add.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_attribute_value_add.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_attribute_value_add.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_attribute_set.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_attribute_value_add.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_attribute_value_add.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_attribute_value_add.instigator.executable.path | principal.process.file.full_path | |
| event.od_attribute_value_add.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_attribute_value_add.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_attribute_value_add.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_attribute_value_add.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_attribute_value_add.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_attribute_value_add.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_attribute_value_add.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_attribute_value_add.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_attribute_value_add.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_attribute_value_add.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_attribute_value_add.instigator.signing_id | additional.fields[od_attribute_value_add_instigator_signing_id] | |
| event.od_attribute_value_add.instigator.team_id | additional.fields[od_attribute_value_add_instigator_team_id] | |
| event.od_attribute_value_add.instigator.ppid | additional.fields[od_attribute_value_add_instigator_ppid] | |
| event.od_attribute_value_add.instigator.codesigning_flags | additional.fields[od_attribute_set_instigator_codesigning_flags] | |
| event.od_attribute_value_add.instigator.cdhash | additional.fields[od_attribute_value_add_instigator_codesigning_flags] | |
| event.od_attribute_value_add.instigator.is_platform_binary | additional.fields[od_attribute_set_instigator_is_platform_binary] | |
| event.od_attribute_value_add.instigator.is_es_client | additional.fields[od_attribute_value_add_instigator_is_es_client] | |
| event.od_attribute_value_add.instigator.group_id | additional.fields[od_attribute_value_add_instigator_group_id] | |
| event.od_attribute_value_add.instigator.original_ppid | additional.fields[od_attribute_value_add_instigator_original_pp] | |
| event.od_attribute_value_add.instigator.session_id | additional.fields[od_attribute_value_add_instigator_session_id] | |
| event.od_attribute_value_add.attribute_name | target.resource.resource_subtype | |
| event.od_attribute_value_add.attribute_value | target.resource.name | |
| event.od_attribute_value_add.record_name | target.user.user_display_name | |
| event.od_attribute_value_add.db_path | additional.fields[od_attribute_value_add_db_path] | |
| event.od_attribute_value_add.node_name | additional.fields[od_attribute_value_add_node_name] | |
| event.od_attribute_value_add.record_type | additional.fields[od_attribute_value_add_record_type] | |
| event.od_attribute_value_add.error_code | additional.fields[od_attribute_value_add_error_code] | |

event_type: od_attribute_value_remove

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_attribute_value_remove. |
| | metadata.description | Attribute removed from a user or group using Open Directory. value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_RESOURCE_DELETION. |
| event.od_attribute_value_remove.instigator.audit_token.euid | principal.process.euid | |
| event.od_attribute_value_remove.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_attribute_value_remove.instigator.audit_token.egid | principal.process.egid | |
| event.od_attribute_value_remove.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_attribute_value_remove.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_attribute_value_remove.instigator.audit_token.pid | principal.process.pid | |
| event.od_attribute_value_remove.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_attribute_value_remove.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_attribute_value_remove.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_attribute_value_remove.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_attribute_value_remove.instigator.executable.path | principal.process.file.full_path | |
| event.od_attribute_value_remove.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_attribute_value_remove.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_attribute_value_remove.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_attribute_value_remove.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_attribute_value_remove.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_attribute_value_remove.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_attribute_value_remove.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_attribute_value_remove.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_attribute_value_remove.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_attribute_value_remove.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_attribute_value_remove.instigator.codesigning_flags | additional.fields[od_attribute_value_remove_instigator_codesigning_flags] | |
| event.od_attribute_value_remove.instigator.cdhash | additional.fields[od_attribute_value_remove_instigator_codesigning_flags] | |
| event.od_attribute_value_remove.instigator.is_platform_binary | additional.fields[od_attribute_value_remove_instigator_is_platform_binary] | |
| event.od_attribute_value_remove.instigator.is_es_client | additional.fields[od_attribute_value_remove_instigator_is_es_client] | |
| event.od_attribute_value_remove.instigator.group_id | additional.fields[od_attribute_value_remove_instigator_group_id] | |
| event.od_attribute_value_remove.instigator.original_ppid | additional.fields[od_attribute_value_remove_instigator_original_pp] | |
| event.od_attribute_value_remove.instigator.session_id | additional.fields[od_attribute_value_remove_instigator_session_id] | |
| event.od_attribute_value_remove.attribute_name | target.resource.resource_subtype | |
| event.od_attribute_value_remove.attribute_value | target.resource.name | |
| event.od_attribute_value_remove.record_name | target.user.user_display_name | |
| event.od_attribute_value_remove.db_path | additional.fields[od_attribute_value_remove_db_path] | |
| event.od_attribute_value_remove.node_name | additional.fields[od_attribute_value_remove_node_name] | |
| event.od_attribute_value_remove.record_type | additional.fields[od_attribute_value_remove_record_type] | |
| event.od_attribute_value_remove.error_code | additional.fields[od_attribute_value_remove_error_code] | |

event_type: od_create_group

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_create_group. |
| | metadata.description | A group has been created using Open Directory. value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to GROUP_CREATION. |
| event.od_create_group.instigator.audit_token.euid | principal.process.euid | |
| event.od_create_group.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_create_group.instigator.audit_token.egid | principal.process.egid | |
| event.od_create_group.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_create_group.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_create_group.instigator.audit_token.pid | principal.process.pid | |
| event.od_create_group.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_create_group.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_create_group.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_create_group.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_create_group.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_create_group.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_create_group.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_create_group.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_create_group.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_create_group.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_create_group.instigator.executable.path | principal.process.file.full_path | |
| event.od_create_group.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_create_group.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_create_group.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_create_group.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_create_group.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_create_group.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_create_group.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_create_group.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_create_group.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_create_group.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_create_group.instigator.signing_id | additional.fields[od_create_group_instigator_signing_id] | |
| event.od_create_group.instigator.team_id | additional.fields[od_create_group_instigator_team_id] | |
| event.od_create_group.instigator.ppid | additional.fields[od_create_group_instigator_ppid] | |
| event.od_create_group.instigator.codesigning_flags | additional.fields[od_create_group_instigator_codesigning_flags] | |
| event.od_create_group.instigator.cdhash | additional.fields[od_create_group_instigator_cdhash] | |
| event.od_create_group.instigator.is_platform_binary | additional.fields[od_create_group_instigator_is_platform_binary] | |
| event.od_create_group.instigator.is_es_client | additional.fields[od_create_group_instigator_is_es_client] | |
| event.od_create_group.instigator.group_id | additional.fields[od_create_group_instigator_group_id] | |
| event.od_create_group.instigator.original_ppid | additional.fields[od_create_group_instigator_original_pp] | |
| event.od_create_group.instigator.session_id | additional.fields[od_create_group_instigator_session_id] | |
| event.od_create_group.group_name | target.group.group_display_name | |
| event.od_create_group.instigator_token.euid | principal.user.userid | |
| od_create_group.db_path | additional.fields[od_create_group_db_path] | |
| event.od_create_group.node_name | additional.fields[od_create_group_node_name] | |
| event.od_create_group.error_code | additional.fields[od_create_group_error_code] | |

event_type: od_delete_group

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_delete_group. |
| | metadata.description | A group has been deleted using Open Directory. value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to GROUP_DELETION. |
| event.od_delete_group.instigator.audit_token.euid | principal.process.euid | |
| event.od_delete_group.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_delete_group.instigator.audit_token.egid | principal.process.egid | |
| event.od_delete_group.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_delete_group.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_delete_group.instigator.audit_token.pid | principal.process.pid | |
| event.od_delete_group.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_delete_group.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_delete_group.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_delete_group.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_delete_group.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_delete_group.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_delete_group.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_delete_group.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_delete_group.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_delete_group.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_delete_group.instigator.executable.path | principal.process.file.full_path | |
| event.od_delete_group.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_delete_group.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_delete_group.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_delete_group.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_delete_group.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_delete_group.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_delete_group.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_delete_group.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_delete_group.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_delete_group.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_delete_group.instigator.signing_id | additional.fields[od_delete_group_instigator_signing_id] | |
| event.od_delete_group.instigator.team_id | additional.fields[od_delete_group_instigator_team_id] | |
| event.od_delete_group.instigator.ppid | additional.fields[od_delete_group_instigator_ppid] | |
| event.od_delete_group.instigator.codesigning_flags | additional.fields[od_delete_group_instigator_codesigning_flags] | |
| event.od_delete_group.instigator.cdhash | additional.fields[od_delete_group_instigator_cdhash] | |
| event.od_delete_group.instigator.is_platform_binary | additional.fields[od_delete_group_instigator_is_platform_binary] | |
| event.od_delete_group.instigator.is_es_client | additional.fields[od_delete_group_instigator_is_es_client] | |
| event.od_delete_group.instigator.group_id | additional.fields[od_delete_group_instigator_group_id] | |
| event.od_delete_group.instigator.original_ppid | additional.fields[od_delete_group_instigator_original_pp] | |
| event.od_delete_group.instigator.session_id | additional.fields[od_delete_group_instigator_session_id] | |
| event.od_delete_group.group_name | target.group.group_display_name | |
| event.od_delete_group.instigator_token.euid | principal.user.userid | |
| od_delete_group.db_path | additional.fields[od_delete_group_db_path] | |
| event.od_delete_group.node_name | additional.fields[od_delete_group_node_name] | |
| event.od_delete_group.error_code | additional.fields[od_delete_group_error_code] | |

event_type: od_create_user

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_create_user. |
| | metadata.description | A user has been created using Open Directory. value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_CREATION. |
| event.od_create_user.instigator.audit_token.euid | principal.process.euid | |
| event.od_create_user.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_create_user.instigator.audit_token.egid | principal.process.egid | |
| event.od_create_user.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_create_user.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_create_user.instigator.audit_token.pid | principal.process.pid | |
| event.od_create_user.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_create_user.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_create_user.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_create_user.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_create_user.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_create_user.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_create_user.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_create_user.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_create_user.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_create_user.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_create_user.instigator.executable.path | principal.process.file.full_path | |
| event.od_create_user.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_create_user.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_create_user.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_create_user.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_create_user.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_create_user.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_create_user.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_create_user.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_create_user.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_create_user.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_create_user.instigator.signing_id | additional.fields[od_create_user_instigator_signing_id] | |
| event.od_create_user.instigator.team_id | additional.fields[od_create_user_instigator_team_id] | |
| event.od_create_user.instigator.ppid | additional.fields[od_create_user_instigator_ppid] | |
| event.od_create_user.instigator.codesigning_flags | additional.fields[od_create_user_instigator_codesigning_flags] | |
| event.od_create_user.instigator.cdhash | additional.fields[od_create_user_instigator_cdhash] | |
| event.od_create_user.instigator.is_platform_binary | additional.fields[od_create_user_instigator_is_platform_binary] | |
| event.od_create_user.instigator.is_es_client | additional.fields[od_create_user_instigator_is_es_client] | |
| event.od_create_user.instigator.group_id | additional.fields[od_create_user_instigator_group_id] | |
| event.od_create_user.instigator.original_ppid | additional.fields[od_create_user_instigator_original_pp] | |
| event.od_create_user.instigator.session_id | additional.fields[od_create_user_instigator_session_id] | |
| event.od_create_user.user_name | target.user.userid | |
| event.od_create_user.instigator_token.euid | principal.user.userid | |
| event.od_create_user.db_path | additional.fields[od_create_user_db_path] | |
| event.od_create_user.node_name | additional.fields[od_create_user_node_name] | |
| event.od_create_user.error_code | additional.fields[od_create_user_error_code] | |

event_type: od_delete_user
Log field | UDM mapping | Logic |
---|---|---|
|
metadata.product_event_type |
The metadata.product_event_type UDM field is set to od_delete_user . |
|
metadata.description |
A user has been deleted using Open Directory. value is set to the metadata.description UDM field. |
|
metadata.event_type |
The metadata.event_type UDM field is set to USER_DELETION . |
event.od_delete_user.instigator.audit_token.euid |
principal.process.euid |
|
event.od_delete_user.instigator.audit_token.ruid |
principal.process.ruid |
|
event.od_delete_user.instigator.audit_token.egid |
principal.process.egid |
|
event.od_delete_user.instigator.audit_token.rgid |
principal.process.rgid |
|
event.od_delete_user.instigator.audit_token.pgid |
principal.process.pgid |
|
event.od_delete_user.instigator.audit_token.pid |
principal.process.pid |
|
event.od_delete_user.instigator.audit_token.uuid |
principal.process.product_specific_process_id |
|
event.od_delete_user.instigator.audit_token.signing_id |
principal.process.file.signature_info.codesign.id |
|
event.od_delete_user.instigator.parent_audit_token.euid |
principal.process.parent_process.euid |
| event.od_delete_user.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_delete_user.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_delete_user.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_delete_user.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_delete_user.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_delete_user.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_delete_user.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_delete_user.instigator.executable.path | principal.process.file.full_path | |
| event.od_delete_user.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_delete_user.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_delete_user.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_delete_user.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_delete_user.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_delete_user.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_delete_user.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_delete_user.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_delete_user.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_delete_user.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_delete_user.instigator.signing_id | additional.fields[od_delete_user_instigator_signing_id] | |
| event.od_delete_user.instigator.team_id | additional.fields[od_delete_user_instigator_team_id] | |
| event.od_delete_user.instigator.ppid | additional.fields[od_delete_user_instigator_ppid] | |
| event.od_delete_user.instigator.codesigning_flags | additional.fields[od_delete_user_instigator_codesigning_flags] | |
| event.od_delete_user.instigator.cdhash | additional.fields[od_delete_user_instigator_cdhash] | |
| event.od_delete_user.instigator.is_platform_binary | additional.fields[od_delete_user_instigator_is_platform_binary] | |
| event.od_delete_user.instigator.is_es_client | additional.fields[od_delete_user_instigator_is_es_client] | |
| event.od_delete_user.instigator.group_id | additional.fields[od_delete_user_instigator_group_id] | |
| event.od_delete_user.instigator.original_ppid | additional.fields[od_delete_user_instigator_original_pp] | |
| event.od_delete_user.instigator.session_id | additional.fields[od_delete_user_instigator_session_id] | |
| event.od_delete_user.user_name | target.user.userid | |
| event.od_delete_user.instigator_token.euid | principal.user.userid | |
| event.od_delete_user.db_path | additional.fields[od_delete_user_db_path] | |
| event.od_delete_user.node_name | additional.fields[od_delete_user_node_name] | |
| event.od_delete_user.error_code | additional.fields[od_delete_user_error_code] | |
event_type: od_disable_user

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_disable_user. |
| | metadata.description | The metadata.description UDM field is set to "A user has been disabled using Open Directory." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
| event.od_disable_user.instigator.audit_token.euid | principal.process.euid | |
| event.od_disable_user.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_disable_user.instigator.audit_token.egid | principal.process.egid | |
| event.od_disable_user.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_disable_user.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_disable_user.instigator.audit_token.pid | principal.process.pid | |
| event.od_disable_user.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_disable_user.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_disable_user.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_disable_user.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_disable_user.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_disable_user.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_disable_user.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_disable_user.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_disable_user.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_disable_user.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_disable_user.instigator.executable.path | principal.process.file.full_path | |
| event.od_disable_user.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_disable_user.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_disable_user.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_disable_user.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_disable_user.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_disable_user.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_disable_user.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_disable_user.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_disable_user.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_disable_user.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_disable_user.instigator.codesigning_flags | additional.fields[od_disable_user_instigator_codesigning_flags] | |
| event.od_disable_user.instigator.cdhash | additional.fields[od_disable_user_instigator_cdhash] | |
| event.od_disable_user.instigator.is_platform_binary | additional.fields[od_disable_user_instigator_is_platform_binary] | |
| event.od_disable_user.instigator.is_es_client | additional.fields[od_disable_user_instigator_is_es_client] | |
| event.od_disable_user.instigator.group_id | additional.fields[od_disable_user_instigator_group_id] | |
| event.od_disable_user.instigator.original_ppid | additional.fields[od_disable_user_instigator_original_pp] | |
| event.od_disable_user.instigator.session_id | additional.fields[od_disable_user_instigator_session_id] | |
| event.od_disable_user.user_name | target.user.user_display_name | |
| event.od_disable_user.instigator_token.euid | principal.user.userid | |
| event.od_disable_user.db_path | additional.fields[od_disable_user_db_path] | |
| event.od_disable_user.node_name | additional.fields[od_disable_user_node_name] | |
| event.od_disable_user.error_code | additional.fields[od_disable_user_error_code] | |
event_type: od_enable_user

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_enable_user. |
| | metadata.description | The metadata.description UDM field is set to "A user has been enabled using Open Directory." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
| event.od_enable_user.instigator.audit_token.euid | principal.process.euid | |
| event.od_enable_user.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_enable_user.instigator.audit_token.egid | principal.process.egid | |
| event.od_enable_user.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_enable_user.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_enable_user.instigator.audit_token.pid | principal.process.pid | |
| event.od_enable_user.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_enable_user.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_enable_user.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_enable_user.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_enable_user.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_enable_user.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_enable_user.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_enable_user.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_enable_user.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_enable_user.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_enable_user.instigator.executable.path | principal.process.file.full_path | |
| event.od_enable_user.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_enable_user.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_enable_user.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_enable_user.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_enable_user.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_enable_user.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_enable_user.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_enable_user.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_enable_user.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_enable_user.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_enable_user.instigator.signing_id | additional.fields[od_enable_user_instigator_signing_id] | |
| event.od_enable_user.instigator.team_id | additional.fields[od_enable_user_instigator_team_id] | |
| event.od_enable_user.instigator.ppid | additional.fields[od_enable_user_instigator_ppid] | |
| event.od_enable_user.instigator.codesigning_flags | additional.fields[od_enable_user_instigator_codesigning_flags] | |
| event.od_enable_user.instigator.cdhash | additional.fields[od_enable_user_instigator_cdhash] | |
| event.od_enable_user.instigator.is_platform_binary | additional.fields[od_enable_user_instigator_is_platform_binary] | |
| event.od_enable_user.instigator.is_es_client | additional.fields[od_enable_user_instigator_is_es_client] | |
| event.od_enable_user.instigator.group_id | additional.fields[od_enable_user_instigator_group_id] | |
| event.od_enable_user.instigator.original_ppid | additional.fields[od_enable_user_instigator_original_pp] | |
| event.od_enable_user.instigator.session_id | additional.fields[od_enable_user_instigator_session_id] | |
| event.od_enable_user.user_name | target.user.user_display_name | |
| event.od_enable_user.instigator_token.euid | principal.user.userid | |
| event.od_enable_user.db_path | additional.fields[od_enable_user_db_path] | |
| event.od_enable_user.node_name | additional.fields[od_enable_user_node_name] | |
| event.od_enable_user.error_code | additional.fields[od_enable_user_error_code] | |
event_type: od_group_add

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_group_add. |
| | metadata.description | The metadata.description UDM field is set to "A member has been added to a group using Open Directory." |
| | metadata.event_type | The metadata.event_type UDM field is set to GROUP_MODIFICATION. |
| event.od_group_add.instigator.audit_token.euid | principal.process.euid | |
| event.od_group_add.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_group_add.instigator.audit_token.egid | principal.process.egid | |
| event.od_group_add.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_group_add.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_group_add.instigator.audit_token.pid | principal.process.pid | |
| event.od_group_add.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_group_add.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_group_add.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_group_add.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_group_add.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_group_add.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_group_add.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_group_add.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_group_add.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_group_add.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_group_add.instigator.executable.path | principal.process.file.full_path | |
| event.od_group_add.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_group_add.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_group_add.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_group_add.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_group_add.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_group_add.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_group_add.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_group_add.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_group_add.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_group_add.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_group_add.instigator.signing_id | additional.fields[od_group_add_instigator_signing_id] | |
| event.od_group_add.instigator.team_id | additional.fields[od_group_add_instigator_team_id] | |
| event.od_group_add.instigator.ppid | additional.fields[od_group_add_instigator_ppid] | |
| event.od_group_add.instigator.codesigning_flags | additional.fields[od_group_add_instigator_codesigning_flags] | |
| event.od_group_add.instigator.cdhash | additional.fields[od_group_add_instigator_cdhash] | |
| event.od_group_add.instigator.is_platform_binary | additional.fields[od_group_add_instigator_is_platform_binary] | |
| event.od_group_add.instigator.is_es_client | additional.fields[od_group_add_instigator_is_es_client] | |
| event.od_group_add.instigator.group_id | additional.fields[od_group_add_instigator_group_id] | |
| event.od_group_add.instigator.original_ppid | additional.fields[od_group_add_instigator_original_pp] | |
| event.od_group_add.instigator.session_id | additional.fields[od_group_add_instigator_session_id] | |
| event.od_group_add.group_name | target.group.group_display_name | |
| event.od_group_add.member.member_value | target.user.user_display_name | |
| event.od_group_add.instigator_token.euid | principal.user.userid | |
| event.od_group_add.db_path | additional.fields[od_group_add_db_path] | |
| event.od_group_add.node_name | additional.fields[od_group_add_node_name] | |
| event.od_group_add.error_code | additional.fields[od_group_add_error_code] | |
event_type: od_group_remove

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_group_remove. |
| | metadata.description | The metadata.description UDM field is set to "A member has been removed from a group using Open Directory." |
| | metadata.event_type | The metadata.event_type UDM field is set to GROUP_MODIFICATION. |
| event.od_group_remove.instigator.audit_token.euid | principal.process.euid | |
| event.od_group_remove.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_group_remove.instigator.audit_token.egid | principal.process.egid | |
| event.od_group_remove.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_group_remove.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_group_remove.instigator.audit_token.pid | principal.process.pid | |
| event.od_group_remove.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_group_remove.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_group_remove.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_group_remove.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_group_remove.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_group_remove.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_group_remove.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_group_remove.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_group_remove.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_group_remove.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_group_remove.instigator.executable.path | principal.process.file.full_path | |
| event.od_group_remove.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_group_remove.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_group_remove.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_group_remove.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_group_remove.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_group_remove.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_group_remove.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_group_remove.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_group_remove.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_group_remove.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_group_remove.instigator.signing_id | additional.fields[od_group_remove_instigator_signing_id] | |
| event.od_group_remove.instigator.team_id | additional.fields[od_group_remove_instigator_team_id] | |
| event.od_group_remove.instigator.ppid | additional.fields[od_group_remove_instigator_ppid] | |
| event.od_group_remove.instigator.codesigning_flags | additional.fields[od_group_remove_instigator_codesigning_flags] | |
| event.od_group_remove.instigator.cdhash | additional.fields[od_group_remove_instigator_cdhash] | |
| event.od_group_remove.instigator.is_platform_binary | additional.fields[od_group_remove_instigator_is_platform_binary] | |
| event.od_group_remove.instigator.is_es_client | additional.fields[od_group_remove_instigator_is_es_client] | |
| event.od_group_remove.instigator.group_id | additional.fields[od_group_remove_instigator_group_id] | |
| event.od_group_remove.instigator.original_ppid | additional.fields[od_group_remove_instigator_original_pp] | |
| event.od_group_remove.instigator.session_id | additional.fields[od_group_remove_instigator_session_id] | |
| event.od_group_remove.group_name | target.group.group_display_name | |
| event.od_group_remove.member.member_value | target.user.user_display_name | |
| event.od_group_remove.instigator_token.euid | principal.user.userid | |
| event.od_group_remove.db_path | additional.fields[od_group_remove_db_path] | |
| event.od_group_remove.node_name | additional.fields[od_group_remove_node_name] | |
| event.od_group_remove.error_code | additional.fields[od_group_remove_error_code] | |
event_type: od_group_set

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_group_set. |
| | metadata.description | The metadata.description UDM field is set to "A group has a member initialized or replaced using Open Directory." |
| | metadata.event_type | The metadata.event_type UDM field is set to GROUP_MODIFICATION. |
| event.od_group_set.instigator.audit_token.euid | principal.process.euid | |
| event.od_group_set.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_group_set.instigator.audit_token.egid | principal.process.egid | |
| event.od_group_set.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_group_set.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_group_set.instigator.audit_token.pid | principal.process.pid | |
| event.od_group_set.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_group_set.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_group_set.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_group_set.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_group_set.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_group_set.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_group_set.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_group_set.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_group_set.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_group_set.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_group_set.instigator.executable.path | principal.process.file.full_path | |
| event.od_group_set.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_group_set.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_group_set.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_group_set.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_group_set.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_group_set.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_group_set.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_group_set.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_group_set.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_group_set.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_group_set.instigator.signing_id | additional.fields[od_group_set_instigator_signing_id] | |
| event.od_group_set.instigator.team_id | additional.fields[od_group_set_instigator_team_id] | |
| event.od_group_set.instigator.ppid | additional.fields[od_group_set_instigator_ppid] | |
| event.od_group_set.instigator.codesigning_flags | additional.fields[od_group_set_instigator_codesigning_flags] | |
| event.od_group_set.instigator.cdhash | additional.fields[od_group_set_instigator_cdhash] | |
| event.od_group_set.instigator.is_platform_binary | additional.fields[od_group_set_instigator_is_platform_binary] | |
| event.od_group_set.instigator.is_es_client | additional.fields[od_group_set_instigator_is_es_client] | |
| event.od_group_set.instigator.group_id | additional.fields[od_group_set_instigator_group_id] | |
| event.od_group_set.instigator.original_ppid | additional.fields[od_group_set_instigator_original_pp] | |
| event.od_group_set.instigator.session_id | additional.fields[od_group_set_instigator_session_id] | |
| event.od_group_set.group_name | target.group.group_display_name | |
| event.od_group_set.member.member_array | target.user.user_display_name | |
| event.od_group_set.instigator_token.euid | principal.user.userid | |
| event.od_group_set.db_path | additional.fields[od_group_set_db_path] | |
| event.od_group_set.node_name | additional.fields[od_group_set_node_name] | |
| event.od_group_set.error_code | additional.fields[od_group_set_error_code] | |
event_type: od_modify_password

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to od_modify_password. |
| | metadata.description | The metadata.description UDM field is set to "A password has been modified using Open Directory." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_CHANGE_PASSWORD. |
| event.od_modify_password.instigator.audit_token.euid | principal.process.euid | |
| event.od_modify_password.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_modify_password.instigator.audit_token.egid | principal.process.egid | |
| event.od_modify_password.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_modify_password.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_modify_password.instigator.audit_token.pid | principal.process.pid | |
| event.od_modify_password.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_modify_password.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_modify_password.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_modify_password.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_modify_password.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_modify_password.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_modify_password.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_modify_password.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_modify_password.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_modify_password.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_modify_password.instigator.executable.path | principal.process.file.full_path | |
| event.od_modify_password.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_modify_password.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_modify_password.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_modify_password.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_modify_password.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_modify_password.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_modify_password.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_modify_password.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_modify_password.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_modify_password.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_modify_password.instigator.signing_id | additional.fields[od_modify_password_instigator_signing_id] | |
| event.od_modify_password.instigator.team_id | additional.fields[od_modify_password_instigator_team_id] | |
| event.od_modify_password.instigator.ppid | additional.fields[od_modify_password_instigator_ppid] | |
| event.od_modify_password.instigator.codesigning_flags | additional.fields[od_modify_password_instigator_codesigning_flags] | |
| event.od_modify_password.instigator.cdhash | additional.fields[od_modify_password_instigator_cdhash] | |
| event.od_modify_password.instigator.is_platform_binary | additional.fields[od_modify_password_instigator_is_platform_binary] | |
| event.od_modify_password.instigator.is_es_client | additional.fields[od_modify_password_instigator_is_es_client] | |
| event.od_modify_password.instigator.group_id | additional.fields[od_modify_password_instigator_group_id] | |
| event.od_modify_password.instigator.original_ppid | additional.fields[od_modify_password_instigator_original_pp] | |
| event.od_modify_password.instigator.session_id | additional.fields[od_modify_password_instigator_session_id] | |
| event.od_modify_password.account_name | target.user.user_display_name | |
| event.od_modify_password.instigator_token.euid | principal.user.userid | |
| event.od_modify_password.db_path | additional.fields[od_modify_password_db_path] | |
| event.od_modify_password.node_name | additional.fields[od_modify_password_node_name] | |
| event.od_modify_password.error_code | additional.fields[od_modify_password_error_code] | |
event_type: openssh_login

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to openssh_login. |
| | metadata.description | The metadata.description UDM field is set to "A user has logged into the system via OpenSSH." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| | network.application_protocol | The network.application_protocol UDM field is set to SSH. |
| event.openssh_login.source_address | src.ip | |
| event.openssh_login.uid | target.user.userid | |
| event.openssh_login.username | target.user.user_display_name | |
| | extensions.auth.mechanism | The extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE. |
| event.openssh_login.success | security_result.category | If the event.openssh_login.success log field value is equal to false, the security_result.category UDM field is set to AUTH_VIOLATION. |
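The od_group_add and openssh_login tables above are the two that matter most when validating a new feed: the first exercises the instigator block shared by every od_* and profile_* event (audit_token, parent_audit_token, executable, and the additional.fields labels), the second carries the only conditional rule on the page (success = false sets security_result.category to AUTH_VIOLATION). The block below is an added example, not Google's parser and not Jamf's code; it re-implements those two mappings in Python so that you can feed the same record to the real pipeline and diff the result. It assumes (the page does not say) that a raw record keeps the event body under an "event" object keyed by the event type, exactly as the "Log field" column spells the paths, and it keeps the additional.fields label for original_ppid as the tables print it (`original_pp`). The sample records are constructed, not captured from a host.

```python
"""Reference normalizer for the od_group_add and openssh_login mappings above.
Added example (not Google's parser). Assumed record shape: {"event": {"<type>": {...}}}."""
from typing import Any

# audit_token -> principal.process.*, parent_audit_token -> principal.process.parent_process.*
TOKEN_FIELDS = {
    "euid": "euid", "ruid": "ruid", "egid": "egid", "rgid": "rgid",
    "pgid": "pgid", "pid": "pid", "uuid": "product_specific_process_id",
    "signing_id": "file.signature_info.codesign.id",
}
# executable.stat.* -> principal.process.file.*
STAT_FIELDS = {
    "st_dev": "stat_dev", "st_flags": "stat_flags", "st_ino": "stat_inode",
    "st_mode": "stat_mode", "st_mtimespec": "last_modification_time",
    "st_atimespec": "last_access_time", "st_nlink": "stat_nlink", "st_size": "size",
}
# instigator.<key> -> additional.fields[<event>_instigator_<label>]; the label for
# original_ppid is kept as the tables print it ("original_pp").
EXTRA_LABELS = {k: k for k in ("signing_id", "team_id", "ppid", "codesigning_flags",
                               "cdhash", "is_platform_binary", "is_es_client",
                               "group_id", "session_id")}
EXTRA_LABELS["original_ppid"] = "original_pp"


def set_path(udm: dict, dotted: str, value: Any) -> None:
    """Assign value at a dotted UDM path, creating intermediate objects."""
    node = udm
    *parents, leaf = dotted.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value


def map_instigator(name: str, inst: dict, udm: dict) -> None:
    """The instigator block shared by every od_* and profile_* table."""
    for token, prefix in (("audit_token", "principal.process"),
                          ("parent_audit_token", "principal.process.parent_process")):
        for src, dst in TOKEN_FIELDS.items():
            if src in inst.get(token, {}):
                set_path(udm, f"{prefix}.{dst}", inst[token][src])
    exe = inst.get("executable", {})
    if "path" in exe:
        set_path(udm, "principal.process.file.full_path", exe["path"])
    for digest in ("sha256", "sha1"):
        if digest in exe:
            set_path(udm, f"principal.process.file.{digest}", exe[digest])
    for src, dst in STAT_FIELDS.items():
        if src in exe.get("stat", {}):
            set_path(udm, f"principal.process.file.{dst}", exe["stat"][src])
    extra = udm.setdefault("additional", {}).setdefault("fields", {})
    for key, label in EXTRA_LABELS.items():
        if key in inst:
            extra[f"{name}_instigator_{label}"] = inst[key]


def normalize(raw: dict) -> dict:
    """Map one raw telemetry record to the UDM fields listed in the tables."""
    (name, body), = raw["event"].items()   # event.<type>.* as in the tables
    udm: dict = {"metadata": {"product_event_type": name}}
    if name == "od_group_add":
        set_path(udm, "metadata.event_type", "GROUP_MODIFICATION")
        set_path(udm, "metadata.description",
                 "A member has been added to a group using Open Directory.")
        map_instigator(name, body["instigator"], udm)
        set_path(udm, "target.group.group_display_name", body["group_name"])
        set_path(udm, "target.user.user_display_name", body["member"]["member_value"])
        set_path(udm, "principal.user.userid", str(body["instigator_token"]["euid"]))
        for key in ("db_path", "node_name", "error_code"):
            if key in body:
                udm["additional"]["fields"][f"{name}_{key}"] = body[key]
    elif name == "openssh_login":
        set_path(udm, "metadata.event_type", "USER_LOGIN")
        set_path(udm, "metadata.description", "A user has logged into the system via OpenSSH.")
        set_path(udm, "network.application_protocol", "SSH")
        set_path(udm, "extensions.auth.mechanism", "REMOTE_INTERACTIVE")
        set_path(udm, "src.ip", [body["source_address"]])   # ip is a repeated field in UDM
        set_path(udm, "target.user.userid", str(body["uid"]))
        set_path(udm, "target.user.user_display_name", body["username"])
        if body.get("success") is False:   # the single conditional rule in the tables
            set_path(udm, "security_result.category", "AUTH_VIOLATION")
    else:
        raise ValueError(f"no mapping implemented for {name}")
    return udm


# Constructed sample records (not captured from a real host).
SAMPLE_GROUP_ADD = {"event": {"od_group_add": {
    "instigator": {
        "audit_token": {"euid": 0, "ruid": 501, "egid": 0, "rgid": 20, "pgid": 4311,
                        "pid": 4312, "uuid": "8f3c-example", "signing_id": "com.apple.dscl"},
        "parent_audit_token": {"euid": 501, "pid": 4311, "signing_id": "com.apple.zsh"},
        "executable": {"path": "/usr/bin/dscl", "sha256": "ab" * 32,
                       "stat": {"st_size": 147984, "st_mode": 33261}},
        "is_platform_binary": True, "original_ppid": 4311, "session_id": 100,
    },
    "instigator_token": {"euid": 0},
    "group_name": "admin",
    "member": {"member_value": "jdoe"},
    "node_name": "/Local/Default",
    "error_code": 0,
}}}
SAMPLE_SSH_FAIL = {"event": {"openssh_login": {
    "source_address": "203.0.113.7", "uid": 502, "username": "svc-backup", "success": False}}}
```

Feed the same constructed records through the real feed and compare the UDM the parser emits against `normalize(...)`; fields present here but absent (or differently labelled) in the live output are the first thing to check before building detections on them, and the `admin` group_name plus `principal.process.file.full_path` pair in the sample is the shape a local-admin-grant rule would key on.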
event_type: openssh_logout

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to openssh_logout. |
| | metadata.description | The metadata.description UDM field is set to "A user has logged out of an OpenSSH session." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGOUT. |
| | network.application_protocol | The network.application_protocol UDM field is set to SSH. |
| event.openssh_logout.source_address | src.ip | |
| event.openssh_logout.uid | target.user.userid | |
| event.openssh_logout.username | target.user.user_display_name | |
| | extensions.auth.mechanism | The extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE. |
event_type: profile_add

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to profile_add. |
| | metadata.description | The metadata.description UDM field is set to "A configuration profile is installed on the system." |
| | metadata.event_type | The metadata.event_type UDM field is set to SETTING_CREATION. |
| | target.resource.resource_type | The target.resource.resource_type UDM field is set to SETTING. |
| event.profile_add.instigator.audit_token.euid | principal.process.euid | |
| event.profile_add.instigator.audit_token.ruid | principal.process.ruid | |
| event.profile_add.instigator.audit_token.egid | principal.process.egid | |
| event.profile_add.instigator.audit_token.rgid | principal.process.rgid | |
| event.profile_add.instigator.audit_token.pgid | principal.process.pgid | |
| event.profile_add.instigator.audit_token.pid | principal.process.pid | |
| event.profile_add.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.profile_add.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.profile_add.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.profile_add.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.profile_add.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.profile_add.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.profile_add.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.profile_add.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.profile_add.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.profile_add.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.profile_add.instigator.executable.path | principal.process.file.full_path | |
| event.profile_add.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.profile_add.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.profile_add.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.profile_add.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.profile_add.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.profile_add.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.profile_add.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.profile_add.instigator.executable.stat.st_size | principal.process.file.size | |
| event.profile_add.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.profile_add.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.profile_add.instigator.signing_id | additional.fields[profile_add_instigator_signing_id] | |
| event.profile_add.instigator.team_id | additional.fields[profile_add_instigator_team_id] | |
| event.profile_add.instigator.ppid | additional.fields[profile_add_instigator_ppid] | |
| event.profile_add.instigator.codesigning_flags | additional.fields[profile_add_instigator_codesigning_flags] | |
| event.profile_add.instigator.cdhash | additional.fields[profile_add_instigator_cdhash] | |
| event.profile_add.instigator.is_platform_binary | additional.fields[profile_add_instigator_is_platform_binary] | |
| event.profile_add.instigator.is_es_client | additional.fields[profile_add_instigator_is_es_client] | |
| event.profile_add.instigator.group_id | additional.fields[profile_add_instigator_group_id] | |
| event.profile_add.instigator.original_ppid | additional.fields[profile_add_instigator_original_pp] | |
| event.profile_add.instigator.session_id | additional.fields[profile_add_instigator_session_id] | |
| event.profile_add.profile.scope | target.resource.resource_subtype | |
| event.profile_add.profile.uuid | target.resource.product_object_id | |
| event.profile_add.profile.display_name | target.resource.name | |
| event.profile_add.is_update | additional.fields[profile_add_is_update] | |
| event.profile_add.profile.identifier | additional.fields[profile_add_profile_identifier] | |
| event.profile_add.profile.install_source | additional.fields[profile_add_profile_install_source] | |
| event.profile_add.profile.organization |
additional.fields[profile_add_profile_organization] |
event_type: profile_remove

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to openssh_logout. |
| | metadata.description | The metadata.description UDM field is set to the value "A configuration profile is removed from the system." |
| | metadata.event_type | The metadata.event_type UDM field is set to SETTING_DELETION. |
| | target.resource.resource_type | The target.resource.resource_type UDM field is set to SETTING. |
| event.profile_remove.instigator.audit_token.euid | principal.process.euid | |
| event.profile_remove.instigator.audit_token.ruid | principal.process.ruid | |
| event.profile_remove.instigator.audit_token.egid | principal.process.egid | |
| event.profile_remove.instigator.audit_token.rgid | principal.process.rgid | |
| event.profile_remove.instigator.audit_token.pgid | principal.process.pgid | |
| event.profile_remove.instigator.audit_token.pid | principal.process.pid | |
| event.profile_remove.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.profile_remove.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.profile_remove.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.profile_remove.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.profile_remove.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.profile_remove.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.profile_remove.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.profile_remove.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.profile_remove.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.profile_remove.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.profile_remove.instigator.executable.path | principal.process.file.full_path | |
| event.profile_remove.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.profile_remove.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.profile_remove.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.profile_remove.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.profile_remove.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.profile_remove.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.profile_remove.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.profile_remove.instigator.executable.stat.st_size | principal.process.file.size | |
| event.profile_remove.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.profile_remove.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.profile_remove.instigator.signing_id | additional.fields[profile_remove_instigator_signing_id] | |
| event.profile_remove.instigator.team_id | additional.fields[profile_remove_instigator_team_id] | |
| event.profile_remove.instigator.ppid | additional.fields[profile_remove_instigator_ppid] | |
| event.profile_remove.instigator.codesigning_flags | additional.fields[profile_remove_instigator_codesigning_flags] | |
| event.profile_remove.instigator.cdhash | additional.fields[profile_remove_instigator_cdhash] | |
| event.profile_remove.instigator.is_platform_binary | additional.fields[profile_remove_instigator_is_platform_binary] | |
| event.profile_remove.instigator.is_es_client | additional.fields[profile_remove_instigator_is_es_client] | |
| event.profile_remove.instigator.group_id | additional.fields[profile_remove_instigator_group_id] | |
| event.profile_remove.instigator.original_ppid | additional.fields[profile_remove_instigator_original_pp] | |
| event.profile_remove.instigator.session_id | additional.fields[profile_remove_instigator_session_id] | |
| event.profile_remove.profile.scope | target.resource.resource_subtype | |
| event.profile_remove.profile.uuid | target.resource.product_object_id | |
| event.profile_remove.profile.display_name | target.resource.name | |
| event.profile_remove.is_update | additional.fields[profile_remove_is_update] | |
| event.profile_remove.profile.identifier | additional.fields[profile_remove_profile_identifier] | |
| event.profile_remove.profile.install_source | additional.fields[profile_remove_profile_install_source] | |
| event.profile_remove.profile.organization | additional.fields[profile_remove_profile_organization] | |
event_type: sudo

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to sudo. |
| | metadata.description | The metadata.description UDM field is set to the value "A sudo attempt occurred." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.sudo.reject_info.plugin_name | additional.fields[sudo_reject_info_plugin_name] | |
| event.sudo.reject_info.failure_message | additional.fields[sudo_reject_info_failure_message] | |
| event.sudo.reject_info.plugin_type | additional.fields[sudo_reject_info_plugin_type] | |
| event.sudo.from_uid | principal.user.userid | |
| event.sudo.from_username | principal.user.user_display_name | |
| event.sudo.command | target.process.command_line | |
| event.sudo.to_uid | target.user.userid | |
| event.sudo.to_username | target.user.user_display_name | |
| event.sudo.success | security_result.category | If the event.sudo.success log field value is equal to false, then the security_result.category UDM field is set to AUTH_VIOLATION. |
event_type: system_performance

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to system_performance. |
| | metadata.description | The metadata.description UDM field is set to the value "Event occurs on a regular interval to collect application performance data." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.performance.metrics.hw_model | additional.fields[performance_metrics_hw_model] | |
| event.performance.page_info.page | additional.fields[performance_page_info_page] | |
| udm.performance.page_info.total | additional.fields[performance_page_info_total] | |
| event.performance.metrics.tasks.name | additional.fields[task_name] | |
| event.performance.metrics.tasks.energy_impact | additional.fields[task_energy_impact] | |
event_type: unmount

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to unmount. |
| | metadata.description | The metadata.description UDM field is set to the value "A file system has been unmounted." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.unmount.statfs.f_owner | target.user.userid | |
| event.unmount.device.size | target.file.size | |
| event.unmount.statfs.f_fstypename | target.resource.resource_subtype | |
| event.unmount.statfs.f_mntfromname | target.resource.name | |
| event.unmount.device.protocol | additional.fields[unmount_device_protocol] | |
| event.unmount.device.serial_number | target.asset.hardware.serial_number | If the event.unmount.device.serial_number log field value is not empty, or the event.unmount.device.vendor_name log field value is not empty, or the event.unmount.device.device_model log field value is not empty, then the event.unmount.device.serial_number log field is mapped to the target.asset.hardware.serial_number UDM field. |
| event.unmount.device.device_model | target.asset.hardware.model | If the event.unmount.device.serial_number log field value is not empty, or the event.unmount.device.vendor_name log field value is not empty, or the event.unmount.device.device_model log field value is not empty, then the event.unmount.device.device_model log field is mapped to the target.asset.hardware.model UDM field. |
| event.unmount.device.vendor_name | target.asset.hardware.manufacturer | If the event.unmount.device.serial_number log field value is not empty, or the event.unmount.device.vendor_name log field value is not empty, or the event.unmount.device.device_model log field value is not empty, then the event.unmount.device.vendor_name log field is mapped to the target.asset.hardware.manufacturer UDM field. |