Collect Jamf Protect Telemetry V2 logs
This document explains how to configure a Google Security Operations feed to collect Jamf Protect Telemetry V2 logs. It details how Jamf Protect Telemetry V2 log fields map to Unified Data Model (UDM) fields in Google SecOps, and lists the supported Jamf Protect Telemetry V2 versions.
For more information, see Data ingestion to Google SecOps.
A typical deployment consists of Jamf Protect Telemetry V2 and a Google SecOps feed configured to send logs to Google SecOps. Each customer's deployment may differ and may be more complex.
The deployment contains the following components:
Jamf Protect Telemetry V2. The Jamf Protect Telemetry V2 platform from which you collect logs.
Google SecOps feed. The Google SecOps feed that fetches logs from Jamf Protect Telemetry and writes them to Google SecOps.
Google SecOps. Google SecOps retains and analyzes the logs from Jamf Protect Telemetry V2.
Each log is normalized into the Unified Data Model (UDM) by a specific parser. The information in this document applies to the parser associated with the JAMF_TELEMETRY_V2 ingestion label.
Before you begin
- Make sure you have set up the latest version of Jamf Protect Telemetry V2.
- Make sure you are using Jamf Protect 6.3.2 or later.
- Make sure all systems in the deployment architecture are configured to the UTC time zone.
Configure a feed in Google SecOps to ingest Jamf Protect Telemetry V2 logs
You can configure the ingestion feed in Google SecOps using either Amazon S3 or a webhook. Amazon S3 is recommended.
Configure an ingestion feed in Google SecOps using Amazon S3
- Go to SIEM Settings > Feeds.
- Click Add New.
- Select Amazon S3 as the Source type.
- Select Jamf Protect Telemetry V2 as the Log type to create a feed for Jamf Protect Telemetry V2.
- Click Next.
- Specify values for the following input parameters:
- S3 URI: the URI that points to the S3 bucket.
- URI is a: the type of object the URI points to.
- Source deletion option: whether to delete the file or directory after transfer.
- Select Access Key or Secret Access Key: choose the appropriate credential type.
- Key/Token: the shared key or SAS token used to access the S3 resource.
- Click Next, and then click Submit.
- Copy the feed ID from the feed name for use in Jamf Protect Telemetry V2.
Configure an ingestion feed in Google SecOps using a webhook
- Go to SIEM Settings > Feeds.
- Click Add New.
- In the Feed name field, enter a name for the feed.
- In the Source type list, select Webhook.
- Select Jamf Protect Telemetry V2 as the Log type to create a feed for Jamf Protect Telemetry V2.
- Click Next.
- Optional: specify values for the following input parameters:
- Split delimiter: the delimiter used to separate log lines, for example `\n`.
- Asset namespace: the asset namespace.
- Ingestion labels: the labels to apply to events from this feed.
- Click Next.
- Review the new feed configuration on the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key for authenticating this feed.
- Copy and store the secret key securely. You cannot view the secret key again. If needed, you can regenerate a new secret key, but doing so invalidates the previous one.
- On the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need this HTTPS URL to configure the Jamf Protect Telemetry V2 client application.
- Click Done.
Create an API key for the webhook feed
Go to the Google Cloud console > Credentials.
Click Create credentials, and then select API key.
Restrict the API key's access to the Google Security Operations API.
Configure Jamf Protect Telemetry V2 for the webhook feed
- In the Jamf Protect Telemetry V2 application, go to the relevant Action configuration.
- Click Create Action to add a data endpoint.
- Select HTTP as the protocol.
- In the URL field, enter the HTTPS URL of the Google Security Operations API endpoint (this is the Endpoint Information field you copied from the webhook feed configuration; it is already in the required format).
- Specify the API key and secret key to enable authentication, in the following format:
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
Recommended: specify the API key as a header rather than in the URL. If the webhook client does not support custom headers, you can specify the API key and secret key as query parameters, in the following format:
ENDPOINT_URL?key=API_KEY&secret=SECRET
Replace the following:
ENDPOINT_URL: the feed endpoint URL.
API_KEY: the API key used to authenticate to Google Security Operations.
SECRET: the secret key you generated to authenticate the feed.
- In the Collect logs section, select Telemetry.
- Click Submit.
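The delivery request a webhook client has to produce for the feed above, as an added example (not Jamf's or Google's code): it prefers the two authentication headers, falls back to the query-string form only when custom headers are unavailable, and batches records with the feed's split delimiter. The endpoint URL, key, secret and record contents are constructed placeholders.

```python
"""Build a delivery request for a Google SecOps webhook feed (added example)."""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names from the feed configuration instructions above.
API_KEY_HEADER = "X-goog-api-key"
SECRET_HEADER = "X-Webhook-Access-Key"
SPLIT_DELIMITER = "\n"  # the split delimiter configured on the feed (assumed "\n")


def build_webhook_request(endpoint_url, api_key, secret, records, supports_headers=True):
    """Return (url, headers, body) for a batch of telemetry records.

    Headers are preferred; the query-string form is used only when the client
    cannot send custom headers, since URL credentials tend to end up in proxy
    and server access logs.
    """
    parts = urlsplit(endpoint_url)
    if parts.scheme != "https":
        raise ValueError("feed endpoint must be an HTTPS URL")
    if not api_key or not secret:
        raise ValueError("API key and secret key are required")

    headers = {"Content-Type": "application/json"}
    if supports_headers:
        headers[API_KEY_HEADER] = api_key
        headers[SECRET_HEADER] = secret
        url = endpoint_url
    else:
        # Preserve any query the endpoint already carries, then append the credentials.
        query = parse_qsl(parts.query, keep_blank_values=True)
        query += [("key", api_key), ("secret", secret)]
        url = urlunsplit(parts._replace(query=urlencode(query)))

    # One JSON object per line, separated by the feed's split delimiter.
    body = SPLIT_DELIMITER.join(json.dumps(r, separators=(",", ":")) for r in records)
    return url, headers, body
```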
For more information about Google SecOps feeds, see the Google SecOps feeds documentation. For information about the requirements for each feed type, see Feed configuration by type.
If you encounter problems creating the feed, contact Google SecOps support.
Field mapping reference
This section describes how the Google SecOps parser maps Jamf Protect Telemetry V2 fields to Google SecOps Unified Data Model (UDM) fields.
Field mapping reference: event identifier to event type
The following table lists the JAMF_TELEMETRY_V2 event identifiers and their corresponding UDM event types.
| Event Identifier | Event Type |
|---|---|
| authentication | USER_LOGIN |
| bios_uefi | STATUS_UPDATE |
| btm_launch_item_add | PROCESS_LAUNCH |
| btm_launch_item_remove | PROCESS_TERMINATION |
| chroot | FILE_MODIFICATION |
| cs_invalidated | STATUS_UPDATE |
| exec | PROCESS_LAUNCH |
| file_collection | STATUS_UPDATE |
| gatekeeper_user_override | STATUS_UPDATE |
| kextload | STATUS_UPDATE |
| kextunload | STATUS_UPDATE |
| log_collection | STATUS_UPDATE |
| login_login | USER_LOGIN |
| login_logout | USER_LOGOUT |
| lw_session_lock | USER_LOGOUT |
| lw_session_login | USER_LOGIN |
| lw_session_logout | USER_LOGOUT |
| lw_session_unlock | USER_LOGIN |
| mount | STATUS_UPDATE |
| od_attribute_set | USER_RESOURCE_UPDATE_CONTENT |
| od_attribute_value_add | STATUS_UPDATE |
| od_attribute_value_remove | USER_RESOURCE_DELETION |
| od_create_group | GROUP_CREATION |
| od_create_user | USER_CREATION |
| od_delete_group | GROUP_DELETION |
| od_delete_user | USER_DELETION |
| od_disable_user | USER_UNCATEGORIZED |
| od_enable_user | USER_UNCATEGORIZED |
| od_group_add | GROUP_MODIFICATION |
| od_group_remove | GROUP_MODIFICATION |
| od_group_set | GROUP_MODIFICATION |
| od_modify_password | USER_CHANGE_PASSWORD |
| openssh_login | USER_LOGIN |
| openssh_logout | USER_LOGOUT |
| sudo | STATUS_UPDATE |
| system_performance | STATUS_UPDATE |
| unmount | STATUS_UPDATE |
| profile_add | SETTING_CREATION |
| profile_remove | SETTING_DELETION |
| remount | RESOURCE_CREATION |
| screensharing_attach | USER_LOGIN |
| screensharing_detach | USER_LOGOUT |
| settime | STATUS_UPDATE |
| su | USER_LOGIN |
| xp_malware_detected | SCAN_FILE |
| xp_malware_remediated | SCAN_FILE |
Field mapping reference: JAMF_TELEMETRY_V2 common fields
The following table lists the fields common to the JAMF_TELEMETRY_V2 log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| action.result.result.auth | security_result.action | If the event_type log field value is less than 8000, is not equal to 113 or 112, and the action.result.result.auth log field value is equal to 1, then the security_result.action UDM field is set to BLOCK. Otherwise, the security_result.action UDM field is set to ALLOW. |
| | principal.platform | The principal.platform UDM field is set to MAC. |
| uuid | metadata.product_log_id | |
| time | metadata.event_timestamp | |
| metadata.product | metadata.product_name | |
| host.protectVersion | metadata.product_version | |
| metadata.vendor | metadata.vendor_name | |
| host.hostname | principal.asset.hostname | |
| host.os | principal.platform_version | |
| host.provisioningUDID | principal.asset_id | |
| host.serial | principal.asset.hardware.serial_number | |
| host.ips | principal.ip | Iterate through the host.ips log field; each host.ips value is mapped to the principal.ip UDM field. |
| event_type | additional.fields[event_type] | |
| global_seq_num | additional.fields[global_seq_num] | |
| process.executable.path | src.process.file.full_path | |
| process.executable.stat.st_dev | src.process.file.stat_dev | |
| process.executable.stat.st_flags | src.process.file.stat_flags | |
| process.executable.stat.st_ino | src.process.file.stat_inode | |
| process.executable.stat.st_mode | src.process.file.stat_mode | |
| process.executable.stat.st_mtimespec | src.process.file.last_modification_time | |
| process.executable.stat.st_atimespec | src.process.file.last_access_time | |
| process.executable.stat.st_nlink | src.process.file.stat_nlink | |
| process.executable.stat.st_size | src.process.file.size | |
| process.executable.sha256 | src.process.file.sha256 | |
| process.executable.sha1 | src.process.file.sha1 | |
| process.signing_id | src.process.file.signature_info.codesign.id | |
| process.team_id | additional.fields[process_team_id] | |
| process.ppid | additional.fields[process_ppid] | |
| process.codesigning_flags | additional.fields[process_codesigning_flags] | |
| process.cdhash | additional.fields[process_cdhash] | |
| process.is_platform_binary | additional.fields[process_is_platform_binary] | |
| process.is_es_client | additional.fields[process_is_es_client] | |
| process.group_id | additional.fields[process_group_id] | |
| process.original_ppid | additional.fields[process_original_ppid] | |
| process.session_id | additional.fields[process_session_id] | |
| thread.uuid | additional.fields[thread_uuid] | |
| thread.thread_id | additional.fields[thread_id] | |
| seq_num | additional.fields[seq_num] | |
| mach_time | additional.fields[mach_time] | |
| version | additional.fields[version] | |
| process.audit_token.euid | src.process.euid | |
| process.audit_token.ruid | src.process.ruid | |
| process.audit_token.egid | src.process.egid | |
| process.audit_token.rgid | src.process.rgid | |
| process.audit_token.pgid | src.process.pgid | |
| process.audit_token.pid | src.process.pid | |
| process.audit_token.uuid | src.process.product_specific_process_id | |
| process.audit_token.signing_id | additional.fields[process_audit_token_signing_id] | |
| process.parent_audit_token.euid | src.process.parent_process.euid | |
| process.parent_audit_token.ruid | src.process.parent_process.ruid | |
| process.parent_audit_token.egid | src.process.parent_process.egid | |
| process.parent_audit_token.rgid | src.process.parent_process.rgid | |
| process.parent_audit_token.pgid | src.process.parent_process.pgid | |
| process.parent_audit_token.pid | src.process.parent_process.pid | |
| process.parent_audit_token.uuid | src.process.parent_process.product_specific_process_id | |
| process.parent_audit_token.signing_id | src.process.parent_process.file.signature_info.codesign.id | |
Field mapping reference: raw log fields mapped to UDM fields by event_type
event_type: remount
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to remount. |
| | metadata.description | The metadata.description UDM field is set to "A file system has been remounted." |
| | metadata.event_type | The metadata.event_type UDM field is set to RESOURCE_CREATION. |
| | principal.user.userid | The principal.user.userid UDM field is set to null. |
| event.remount.statfs.f_owner | target.user.userid | |
| event.remount.device.size | target.file.size | |
| event.remount.statfs.f_fstypename | target.resource.resource_subtype | |
| event.remount.statfs.f_mntfromname | src.resource.name | |
| event.remount.statfs.f_mntonname | target.resource.name | |
event_type: screensharing_attach
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to screensharing_attach. |
| | metadata.description | The metadata.description UDM field is set to "A screen sharing session has attached to a graphical session." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| event.screensharing_attach.source_address | src.ip | |
| event.screensharing_attach.authentication_username | target.user.user_display_name | |
| event.screensharing_attach.session_username | principal.user.user_display_name | |
| event.screensharing_attach.viewer_appleid | additional.fields[screensharing_attach.viewer_appleid] | |
| | extensions.auth.mechanism | The extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE. |
| | security_result.category | If the event.screensharing_attach.success log field value is equal to false, then the security_result.category UDM field is set to AUTH_VIOLATION. |
event_type: su
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to su. |
| | metadata.description | The metadata.description UDM field is set to "A user attempts to start a new shell using a substitute user identity." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
| event.su.argv | target.process.command_line | If the event.su.argc log field value is not equal to 0, then iterate through the event.su.argv log field; each event.su.argv value is mapped to the target.process.command_line UDM field. |
| event.su.to_uid | target.user.userid | |
| event.su.to_username | target.user.user_display_name | |
| event.su.from_uid | principal.user.userid | |
| event.su.from_username | principal.user.user_display_name | |
event_type: settime
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to settime. |
| | metadata.description | The metadata.description UDM field is set to "The system time was attempted to be set." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
event_type: screensharing_detach
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to screensharing_detach. |
| | metadata.description | The metadata.description UDM field is set to "A screen sharing session has detached from a graphical session." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGOUT. |
| | target.user.user_display_name | The target.user.user_display_name UDM field is set to null. |
| event.screensharing_detach.source_address | src.ip | |
| | extensions.auth.mechanism | The extensions.auth.mechanism UDM field is set to mechanism. |
event_type: xp_malware_remediated
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to xp_malware_remediated. |
| | metadata.description | The metadata.description UDM field is set to "Apple's XProtect remediated malware on the system." |
| | metadata.event_type | The metadata.event_type UDM field is set to SCAN_FILE. |
| action.result.result.auth | security_result.action | |
| event.xp_malware_remediated.remediated_path | target.file.full_path | |
| event.xp_malware_remediated.action_type | additional.fields[xp_malware_remediated.action_type] | |
| event.xp_malware_remediated.success | additional.fields[xp_malware_remediated.success] | |
| event.xp_malware_remediated.incident_identifier | security_result.threat_id | |
| event.xp_malware_remediated.malware_identifier | security_result.threat_name | |
| event.xp_malware_remediated.signature_version | security_result.rule_id | |
event_type: xp_malware_detected
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to xp_malware_detected. |
| | metadata.description | The metadata.description UDM field is set to "Apple's XProtect detected malware on the system." |
| | metadata.event_type | The metadata.event_type UDM field is set to SCAN_FILE. |
| action.result.result.auth | security_result.action | |
| event.xp_malware_detected.detected_path | target.file.full_path | |
| event.xp_malware_detected.incident_identifier | security_result.threat_id | |
| event.xp_malware_detected.malware_identifier | security_result.threat_name | |
event_type: authentication
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to authentication. |
| | metadata.description | The metadata.description UDM field is set to "A user authentication has occurred." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| event.authentication.data.od.instigator.audit_token.pid | principal.process.pid | |
| event.authentication.data.od.instigator.audit_token.uuid | principal.process.product_specific_process_id | JamfProtect:%{event.authentication.data.od.instigator.audit_token.uuid} is mapped to the principal.process.product_specific_process_id UDM field. |
| event.authentication.data.od.instigator.audit_token.euid | principal.process.euid | |
| event.authentication.data.od.instigator.audit_token.ruid | principal.process.ruid | |
| event.authentication.data.od.instigator.audit_token.rgid | principal.process.rgid | |
| event.authentication.data.od.instigator.audit_token.pgid | principal.process.pgid | |
| event.authentication.data.od.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.authentication.data.od.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.authentication.data.od.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.authentication.data.od.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.authentication.data.od.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.authentication.data.od.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.authentication.data.od.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.authentication.data.od.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | JamfProtect:%{event.authentication.data.od.instigator.parent_audit_token.uuid} is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
| event.authentication.data.od.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.authentication.data.od.instigator.executable.path | principal.process.file.full_path | |
| event.authentication.data.od.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.authentication.data.od.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.authentication.data.od.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.authentication.data.od.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.authentication.data.od.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.authentication.data.od.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.authentication.data.od.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.authentication.data.od.instigator.executable.stat.st_size | principal.process.file.size | |
| event.authentication.data.od.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.authentication.data.od.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.authentication.data.od.instigator.signing_id | additional.fields[authentication_data_od_instigator_signing_id] | |
| event.authentication.data.od.instigator.team_id | additional.fields[authentication_data_od_instigator_team_id] | |
| event.authentication.data.od.instigator.ppid | principal.process.parent_process.pid | |
| event.authentication.data.od.instigator.codesigning_flags | additional.fields[codesigning_flags] | |
| event.authentication.data.od.instigator.cdhash | additional.fields[cdhash] | |
| event.authentication.data.od.instigator.is_platform_binary | additional.fields[is_platform_binary] | |
| event.authentication.data.od.instigator.is_es_client | additional.fields[is_es_client] | |
| event.authentication.data.od.instigator.group_id | additional.fields[group_id] | |
| event.authentication.data.od.instigator.original_ppid | additional.fields[original_ppid] | |
| event.authentication.data.od.instigator.session_id | additional.fields[session_id] | |
| event.authentication.data.touchid.instigator.audit_token.euid | principal.process.euid | |
| event.authentication.data.touchid.instigator.audit_token.ruid | principal.process.ruid | |
| event.authentication.data.touchid.instigator.audit_token.egid | principal.process.egid | |
| event.authentication.data.touchid.instigator.audit_token.rgid | principal.process.rgid | |
| event.authentication.data.touchid.instigator.audit_token.pgid | principal.process.pgid | |
| event.authentication.data.touchid.instigator.audit_token.pid | principal.process.pid | |
| event.authentication.data.touchid.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.authentication.data.touchid.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.authentication.data.touchid.instigator.parent_audit_token.euid | principal.parent_process.parent_process.euid | |
| event.authentication.data.touchid.instigator.parent_audit_token.ruid | principal.parent_process.parent_process.ruid | |
| event.authentication.data.touchid.instigator.parent_audit_token.egid | principal.parent_process.parent_process.egid | |
| event.authentication.data.touchid.instigator.parent_audit_token.rgid | principal.parent_process.parent_process.rgid | |
| event.authentication.data.touchid.instigator.parent_audit_token.pgid | principal.parent_process.parent_process.pgid | |
| event.authentication.data.touchid.instigator.parent_audit_token.pid | principal.parent_process.parent_process.pid | |
| event.authentication.data.touchid.instigator.parent_audit_token.uuid | principal.parent_process.product_specific_process_id | |
| event.authentication.data.touchid.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.authentication.data.touchid.instigator.executable.path | principal.process.file.full_path | |
| event.authentication.data.touchid.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.authentication.data.touchid.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.authentication.data.touchid.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.authentication.data.touchid.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.authentication.data.touchid.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.authentication.data.touchid.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.authentication.data.touchid.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.authentication.data.touchid.instigator.executable.stat.st_size | principal.process.file.size | |
| event.authentication.data.touchid.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.authentication.data.touchid.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.authentication.data.touchid.instigator.signing_id | additional.fields[authentication_data_touch_id_instigator_signing_id] | |
| event.authentication.data.touchid.instigator.team_id | additional.fields[authentication_data_touch_id_instigator_team_id] | |
| event.authentication.data.touchid.instigator.ppid | additional.fields[authentication_data_touch_id_instigator_ppid] | |
| event.authentication.data.touchid.instigator.codesigning_flags | additional.fields[touchid_instigator_codesigning_flags] | |
| event.authentication.data.touchid.instigator.cdhash | additional.fields[touchid_instigator_cdhash] | |
| event.authentication.data.touchid.instigator.is_platform_binary | additional.fields[touchid_instigator_is_platform_binary] | |
| event.authentication.data.touchid.instigator.is_es_client | additional.fields[touchid_instigator_is_es_client] | |
| event.authentication.data.touchid.instigator.group_id | additional.fields[touchid_instigator_group_id] | |
| event.authentication.data.touchid.instigator.original_ppid | additional.fields[touchid_instigator_original_ppid] | |
| event.authentication.data.touchid.instigator.session_id | additional.fields[touchid_instigator_session_id] | |
| event.authentication.data.token.instigator.audit_token.euid | principal.process.euid | |
| event.authentication.data.token.instigator.audit_token.ruid | principal.process.ruid | |
| event.authentication.data.token.instigator.audit_token.egid | principal.process.egid | |
| event.authentication.data.token.instigator.audit_token.rgid | principal.process.rgid | |
| event.authentication.data.token.instigator.audit_token.pgid | principal.process.pgid | |
| event.authentication.data.token.instigator.audit_token.pid | principal.process.pid | |
| event.authentication.data.token.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.authentication.data.token.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.authentication.data.token.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.authentication.data.token.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.authentication.data.token.instigator.parent_audit_token.egid | process.parent_process.egid | |
| event.authentication.data.token.instigator.parent_audit_token.rgid | process.parent_process.rgid | |
| event.authentication.data.token.instigator.parent_audit_token.pgid | process.parent_process.pgid | |
| event.authentication.data.token.instigator.parent_audit_token.pid | process.parent_process.pid | |
| event.authentication.data.token.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.authentication.data.token.instigator.parent_audit_token.signing_id | process.parent_process.file.signature_info.codesign.id | |
| event.authentication.data.token.instigator.executable.path | principal.process.file.full_path | |
| event.authentication.data.token.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.authentication.data.token.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.authentication.data.token.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.authentication.data.token.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.authentication.data.token.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.authentication.data.token.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.authentication.data.token.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.authentication.data.token.instigator.executable.stat.st_size | principal.process.file.size | |
| event.authentication.data.token.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.authentication.data.token.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.authentication.data.token.instigator.signing_id | additional.fields[authentication_data_token_instigator_signing_id] | |
| event.authentication.data.token.instigator.team_id | additional.fields[authentication_data_token_instigator_team_id] | |
| event.authentication.data.token.instigator.ppid | additional.fields[authentication_data_token_instigator_ppid] | |
| event.authentication.data.token.instigator.codesigning_flags | additional.fields[instigator_codesigning_flags] | |
| event.authentication.data.token.instigator.cdhash | additional.fields[instigator_cdhash] | |
| event.authentication.data.token.instigator.is_platform_binary | additional.fields[instigator_is_platform_binary] | |
| event.authentication.data.token.instigator.is_es_client | additional.fields[instigator_is_es_client] | |
| event.authentication.data.token.instigator.group_id | additional.fields[instigator_group_id] | |
| event.authentication.data.token.instigator.original_ppid | additional.fields[instigator_original_ppid] | |
| event.authentication.data.token.instigator.session_id | additional.fields[instigator_session_id] | |
| event.authentication.data.od.record_name | target.user.user_display_name | |
| event.authentication.data.od.db_path | additional.fields[db_path] | |
| event.authentication.data.od.node_name | additional.fields[node_name] | |
| event.authentication.data.od.record_type | additional.fields[record_type] | |
| event.authentication.data.touchid.uid | target.user.userid | |
| event.authentication.data.touchid.touchid_mode | additional.fields[authentication_data_touchid_touchid_mode] | |
| event.authentication.data.token.pubkey_hash | additional.fields[authentication_data_token_pubkey_hash] | |
| event.authentication.data.token.token_id | additional.fields[authentication_data_token_token_id] | |
| event.authentication.data.token.kerberos_principal | additional.fields[authentication_data_token_kerberos_principal] | |
| event.authentication.data.auto_unlock.username | target.user.user_display_name | |
| event.authentication.data.auto_unlock.type | additional.fields[authentication_data_auto_unlock_type] | |
| event.authentication.type | extensions.auth.mechanism | If the event.authentication.type log field value is equal to 0, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD. Else, if the event.authentication.type log field value is equal to 1, then the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER. Else, if the event.authentication.type log field value is equal to 2, then the extensions.auth.mechanism UDM field is set to HARDWARE_KEY. Otherwise, the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER. |
| event.authentication.success | security_result.category | If the event.authentication.success log field value is equal to false, then the security_result.category UDM field is set to AUTH_VIOLATION. |
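A reference re-implementation of the conditional rules in the common-fields, su and authentication tables above, added here as an example and not the Google SecOps parser itself; it lets a detection engineer check parser output against known inputs. It assumes a raw record names its event under event.<name> (for example event.su), joins argv with spaces, and falls back to GENERIC_EVENT for unlisted event identifiers; the sample records are constructed.

```python
"""Reference re-implementation of documented JAMF_TELEMETRY_V2 mapping rules.

Added example, not the Google SecOps parser. Assumptions: the single key under
"event" names the product event type; argv is joined with spaces; unknown event
identifiers fall back to GENERIC_EVENT. Sample records are constructed.
"""

# Subset of the "event identifier to event type" table above.
EVENT_TYPES = {
    "authentication": "USER_LOGIN",
    "su": "USER_LOGIN",
    "xp_malware_detected": "SCAN_FILE",
    "btm_launch_item_add": "PROCESS_LAUNCH",
}
# event.authentication.type -> extensions.auth.mechanism; anything else is MECHANISM_OTHER.
AUTH_MECHANISMS = {0: "USERNAME_PASSWORD", 1: "MECHANISM_OTHER", 2: "HARDWARE_KEY"}


def get_path(obj, dotted):
    """Look up a dotted log-field path such as 'event.su.argv'; None if absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def security_action(event_type, auth_result):
    """Common-fields rule: action.result.result.auth -> security_result.action."""
    if (event_type is not None and event_type < 8000
            and event_type not in (112, 113) and auth_result == 1):
        return "BLOCK"
    return "ALLOW"


def map_common(record):
    """Common fields shared by every event type."""
    return {
        "metadata.product_log_id": record.get("uuid"),
        "metadata.event_timestamp": record.get("time"),
        "principal.platform": "MAC",
        "principal.asset.hostname": get_path(record, "host.hostname"),
        # host.ips is iterated; every entry becomes a principal.ip value
        "principal.ip": list(get_path(record, "host.ips") or []),
        "security_result.action": security_action(
            record.get("event_type"), get_path(record, "action.result.result.auth")),
    }


def map_su(record, udm):
    """su: argv is used only when argc != 0 (space-joining is an assumption)."""
    su = record["event"]["su"]
    if su.get("argc"):
        udm["target.process.command_line"] = " ".join(str(a) for a in su.get("argv", []))
    udm["target.user.userid"] = su.get("to_uid")
    udm["target.user.user_display_name"] = su.get("to_username")
    udm["principal.user.userid"] = su.get("from_uid")
    udm["principal.user.user_display_name"] = su.get("from_username")
    udm["extensions.auth.type"] = "MACHINE"


def map_authentication(record, udm):
    """authentication: mechanism from type, AUTH_VIOLATION on failure, prefixed uuid."""
    auth = record["event"]["authentication"]
    udm["extensions.auth.mechanism"] = AUTH_MECHANISMS.get(auth.get("type"), "MECHANISM_OTHER")
    if auth.get("success") is False:
        udm["security_result.category"] = "AUTH_VIOLATION"
    uuid = get_path(auth, "data.od.instigator.audit_token.uuid")
    if uuid is not None:
        udm["principal.process.product_specific_process_id"] = "JamfProtect:%s" % uuid


def map_record(record):
    """Map one raw record to a flat dict keyed by UDM field path."""
    udm = map_common(record)
    pet = next(iter(record.get("event") or {}), None)  # assumed event naming
    udm["metadata.product_event_type"] = pet
    udm["metadata.event_type"] = EVENT_TYPES.get(pet, "GENERIC_EVENT")
    if pet == "su":
        map_su(record, udm)
    elif pet == "authentication":
        map_authentication(record, udm)
    return udm


# Constructed sample records (not real telemetry).
SAMPLE_SU = {
    "uuid": "c0ffee-1", "time": "2024-01-01T00:00:00Z", "event_type": 1,
    "host": {"hostname": "mac-01", "ips": ["10.0.0.5", "fe80::1"]},
    "action": {"result": {"result": {"auth": 0}}},
    "event": {"su": {"argc": 2, "argv": ["su", "root"], "to_uid": 0,
                     "to_username": "root", "from_uid": 501, "from_username": "alice"}},
}
SAMPLE_AUTH_FAIL = {
    "uuid": "c0ffee-2", "time": "2024-01-01T00:01:00Z", "event_type": 113,
    "host": {"hostname": "mac-01", "ips": []},
    "action": {"result": {"result": {"auth": 1}}},
    "event": {"authentication": {"type": 2, "success": False, "data": {
        "od": {"instigator": {"audit_token": {"uuid": "ABC-123"}}}}}},
}
```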
event_type: btm_launch_item_add
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to btm_launch_item_add. |
| | metadata.description | The metadata.description UDM field is set to "Apple's Background Task Manager notifies that a new persistence item has been added." |
| | metadata.event_type | The metadata.event_type UDM field is set to PROCESS_LAUNCH. |
| event.btm_launch_item_add.instigator.audit_token.euid | principal.process.euid | |
| event.btm_launch_item_add.instigator.audit_token.ruid | principal.process.ruid | |
| event.btm_launch_item_add.instigator.audit_token.egid | principal.process.egid | |
| event.btm_launch_item_add.instigator.audit_token.rgid | principal.process.rgid | |
| event.btm_launch_item_add.instigator.audit_token.pgid | principal.process.pgid | |
| event.btm_launch_item_add.instigator.audit_token.pid | principal.process.pid | |
| event.btm_launch_item_add.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.btm_launch_item_add.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.btm_launch_item_add.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.btm_launch_item_add.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.btm_launch_item_add.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.btm_launch_item_add.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.btm_launch_item_add.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.btm_launch_item_add.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.btm_launch_item_add.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.btm_launch_item_add.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.btm_launch_item_add.instigator.executable.path | principal.process.file.full_path | |
| event.btm_launch_item_add.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.btm_launch_item_add.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.btm_launch_item_add.instigator.executable.stat.stat_inode | principal.process.file.stat_inode | |
| event.btm_launch_item_add.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.btm_launch_item_add.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.btm_launch_item_add.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.btm_launch_item_add.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.btm_launch_item_add.instigator.executable.stat.st_size | principal.process.file.size | |
| event.btm_launch_item_add.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.btm_launch_item_add.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.btm_launch_item_add.instigator.signing_id | additional.fields[btm_launch_item_add_data_token_instigator_signing_id] | |
| event.btm_launch_item_add.instigator.team_id | additional.fields[btm_launch_item_add_data_token_instigator_team_id] | |
| event.btm_launch_item_add.instigator.ppid | additional.fields[btm_launch_item_add_data_token_instigator_ppid] | |
| event.btm_launch_item_add.instigator.codesigning_flags | additional.fields[btm_launch_item_add_instigator_codesigning_flags] | |
| event.btm_launch_item_add.instigator.cdhash | additional.fields[btm_launch_item_add_instigator_cdhash] | |
| event.btm_launch_item_add.instigator.is_platform_binary | additional.fields[btm_launch_item_add_instigator_is_platform_binary] | |
| event.btm_launch_item_add.instigator.is_es_client | additional.fields[btm_launch_item_add_instigator_is_es_client] | |
| event.btm_launch_item_add.instigator.group_id | additional.fields[btm_launch_item_add_instigator_group_id] | |
| event.btm_launch_item_add.instigator.original_ppid | additional.fields[btm_launch_item_add_instigator_original_ppid] | |
| event.btm_launch_item_add.instigator.session_id | additional.fields[btm_launch_item_add_instigator_session_id] | |
| event.btm_launch_item_add.app.audit_token.euid | target.process.euid | |
| event.btm_launch_item_add.app.audit_token.ruid | target.process.ruid | |
| event.btm_launch_item_add.app.audit_token.egid | target.process.egid | |
| event.btm_launch_item_add.app.audit_token.rgid | target.process.rgid | |
| event.btm_launch_item_add.app.audit_token.pgid | target.process.pgid | |
| event.btm_launch_item_add.app.audit_token.pid | target.process.pid | |
| event.btm_launch_item_add.app.audit_token.uuid | target.process.product_specific_process_id | |
| event.btm_launch_item_add.app.audit_token.signing_id | target.process.file.signature_info.codesign.id | |
| event.btm_launch_item_add.app.parent_audit_token.euid | target.process.parent_process.euid | |
| event.btm_launch_item_add.app.parent_audit_token.ruid | target.process.parent_process.ruid | |
| event.btm_launch_item_add.app.parent_audit_token.egid | target.process.parent_process.egid | |
| event.btm_launch_item_add.app.parent_audit_token.rgid | target.process.parent_process.rgid | |
| event.btm_launch_item_add.app.parent_audit_token.pid | target.process.parent_process.pid | |
| event.btm_launch_item_add.app.parent_audit_token.uuid | target.process.parent_process.product_specific_process_id | |
| event.btm_launch_item_add.app.parent_audit_token.signing_id | target.process.parent_process.file.signature_info.codesign.id | |
| event.btm_launch_item_add.app.executable.path | target.process.file.full_path | |
| event.btm_launch_item_add.app.executable.stat.st_dev | target.process.file.stat_dev | |
| event.btm_launch_item_add.app.executable.stat.st_flags | target.process.file.stat_flags | |
| event.btm_launch_item_add.app.executable.stat.st_ino | target.process.file.stat_inode | |
| event.btm_launch_item_add.app.executable.stat.st_mode | target.process.file.stat_mode | |
event.btm_launch_item_add.app.executable.stat.st_mtimespec |
target.process.file.last_modification_time |
|
event.btm_launch_item_add.app.executable.stat.st_atimespec |
target.process.file.last_access_time |
|
event.btm_launch_item_add.app.executable.stat.st_nlink |
target.process.file.stat_nlink |
|
event.btm_launch_item_add.app.executable.stat.st_size |
target.process.file.size |
|
event.btm_launch_item_add.app.executable.sha256 |
target.process.file.sha256 |
|
event.btm_launch_item_add.app.executable.sha1 |
target.process.file.sha1 |
|
event.btm_launch_item_add.app.signing_id |
additional.fields[btm_launch_item_add_app_signing_id] |
|
event.btm_launch_item_add.app.team_id |
additional.fields[btm_launch_item_add_app_team_id] |
|
event.btm_launch_item_add.app.ppid |
additional.fields[btm_launch_item_add_app_ppid] |
|
event.btm_launch_item_add.app.codesigning_flags |
additional.fields[btm_launch_item_add_app_codesigning_flags] |
|
event.btm_launch_item_add.app.cdhash |
additional.fields[btm_launch_item_add_app_cdhash] |
|
event.btm_launch_item_add.app.is_platform_binary |
additional.fields[btm_launch_item_add_app_is_platform_binary] |
|
event.btm_launch_item_add.app.is_es_client |
additional.fields[btm_launch_item_add_app_is_es_client] |
|
event.btm_launch_item_add.app.group_id |
additional.fields[btm_launch_item_add_app_group_id] |
|
event.btm_launch_item_add.app.original_ppid |
additional.fields[btm_launch_item_add_app_group_id] |
|
event.btm_launch_item_add.app.session_id |
additional.fields[btm_launch_item_add_app_session_id] |
|
event.btm_launch_item_add.executable_path |
target.file.full_path |
If the event.btm_launch_item_add.item.item_type log field value is equal to 4 or the event.btm_launch_item_add.item.item_type log field value is equal to 3 and if the event.btm_launch_item_add.executable_path log field value is not empty and if the event.btm_launch_item_add.executable_path log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_add.executable_path log field value does not match the regular expression pattern /^[a-zA-Z0-9] then, event.btm_launch_item_add.executable_path log field is mapped to the target.file.full_path UDM field. Else, %{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.executable_path} log field is mapped to the target.file.full_path UDM field.Else If the event.btm_launch_item_add.item.item_url log field value is not empty and if the event.btm_launch_item_add.item.item_url log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_add.item.item_url log field value does not match the regular expression pattern /^[a-zA-Z0-9] then, event.btm_launch_item_add.item.item_url log field is mapped to the target.resource.name UDM field. Else, %{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url} log field is mapped to the target.resource.name UDM field. |
event.btm_launch_item_add.item.item_url |
target.file.full_path |
If the event.btm_launch_item_add.item.item_type log field value is equal to 0 or the event.btm_launch_item_add.item.item_type log field value is equal to 1 or the event.btm_launch_item_add.item.item_type log field value is equal to 2 and if the event.btm_launch_item_add.item.item_url log field value is not empty and if the event.btm_launch_item_add.item.item_url log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_add.item.item_url log field value does not match the regular expression pattern /^[a-zA-Z0-9] then the event.btm_launch_item_add.item.item_url log field is mapped to the target.file.full_path UDM field. Else, %{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url} log field is mapped to the target.file.full_path UDM field. |
event.btm_launch_item_add.item.uid |
target.user.userid |
|
event.btm_launch_item_add.item.item_type |
target.application |
If the event.btm_launch_item_add.item.item_type log field value is equal to 0 then, the target.application UDM field is set to USER_ITEM . Else, if event.btm_launch_item_add.item.item_type log field value is equal to 1 then, the target.application UDM field is set to APP . Else, if event.btm_launch_item_add.item.item_type log field value is equal to 2 then, the target.application UDM field is set to LOGIN_ITEM . Else, if event.btm_launch_item_add.item.item_type log field value is equal to 3 then, the target.application UDM field is set to AGENT . Else, if event.btm_launch_item_add.item.item_type log field value is equal to 4 then, the target.application UDM field is set to DAEMON . |
event.btm_launch_item_add.item.managed |
additional.fields[btm_launch_item_add_item_managed] |
|
event.btm_launch_item_add.item.legacy |
additional.fields[btm_launch_item_add_item_legacy] |
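The three conditional rows above (executable_path, item.item_url and item.item_type) are the part of this mapping a detection engineer most often has to reason about, because target.file.full_path is sometimes a raw value and sometimes a concatenation with item.app_url. The following Python is an added example that re-implements that documented logic for testing; it is not the Google SecOps parser's code. It assumes the raw event is the JSON object under event.btm_launch_item_add, and it reads the nested "Else, if ... item_url ... target.resource.name" rule as applying to agents and daemons (item_type 3 or 4), which is one interpretation of the table's wording. The sample events are constructed, not captured telemetry.

```python
import re

# item_type enum exactly as documented in the target.application row
ITEM_TYPE_TO_APPLICATION = {
    0: "USER_ITEM",
    1: "APP",
    2: "LOGIN_ITEM",
    3: "AGENT",
    4: "DAEMON",
}

# The two regular expressions named in the Logic column
FILE_URL_RE = re.compile(r"^file:.")
ALNUM_START_RE = re.compile(r"^[a-zA-Z0-9]")


def is_self_contained_path(value: str) -> bool:
    """Documented condition for using a value unchanged: it matches /^file:./
    or it does NOT match /^[a-zA-Z0-9]/ (for example it starts with '/')."""
    return bool(FILE_URL_RE.match(value)) or not ALNUM_START_RE.match(value)


def resolve_path(app_url: str, candidate: str) -> str:
    """Then-branch: a non-empty, self-contained value is used as-is.
    Else-branch: the documented concatenation %{app_url}%{candidate}."""
    if candidate and is_self_contained_path(candidate):
        return candidate
    return f"{app_url}{candidate}"


def map_btm_launch_item_add(event: dict) -> dict:
    """Map one raw btm_launch_item_add object to a UDM-shaped dict
    (only the conditional target.* fields from the table are produced)."""
    item = event.get("item", {})
    item_type = item.get("item_type")
    app_url = item.get("app_url") or ""
    udm = {"metadata": {"product_event_type": "btm_launch_item_add"}, "target": {}}

    application = ITEM_TYPE_TO_APPLICATION.get(item_type)
    if application is not None:
        udm["target"]["application"] = application

    if item_type in (3, 4):
        # Agents and daemons: executable_path -> target.file.full_path ...
        full_path = resolve_path(app_url, event.get("executable_path") or "")
        if full_path:
            udm["target"]["file"] = {"full_path": full_path}
        # ... and the item URL (assumed here: the launchd plist) -> target.resource.name
        name = resolve_path(app_url, item.get("item_url") or "")
        if name:
            udm["target"]["resource"] = {"name": name}
    elif item_type in (0, 1, 2):
        # User items, apps and login items: item_url -> target.file.full_path
        full_path = resolve_path(app_url, item.get("item_url") or "")
        if full_path:
            udm["target"]["file"] = {"full_path": full_path}

    if "uid" in item:
        udm["target"]["user"] = {"userid": str(item["uid"])}
    return udm


# Constructed sample events (hypothetical paths, not real telemetry)
SAMPLE_DAEMON = {
    "executable_path": "/Library/PrivilegedHelperTools/com.example.helper",
    "item": {
        "item_type": 4,
        "app_url": "file:///Library/LaunchDaemons/",
        "item_url": "com.example.helper.plist",
        "uid": 0,
    },
}
SAMPLE_LOGIN_ITEM = {
    "item": {
        "item_type": 2,
        "app_url": "file:///Applications/Example.app/",
        "item_url": "Contents/Library/LoginItems/ExampleHelper.app/",
        "uid": 501,
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_DAEMON, SAMPLE_LOGIN_ITEM):
        print(map_btm_launch_item_add(sample))
```

Running it shows the two shapes a rule must expect: an absolute executable path is kept verbatim, while a relative item URL is prefixed with item.app_url, so a rule that matches on target.file.full_path for login items should anticipate the file:// form.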
event_type: btm_launch_item_remove
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to btm_launch_item_remove. |
| | metadata.description | The metadata.description UDM field is set to "Apple's Background Task Manager notified that an item has been removed." |
| | metadata.event_type | The metadata.event_type UDM field is set to PROCESS_TERMINATION. |
event.btm_launch_item_remove.instigator.audit_token.euid | principal.process.euid | |
event.btm_launch_item_remove.instigator.audit_token.ruid | principal.process.ruid | |
event.btm_launch_item_remove.instigator.audit_token.egid | principal.process.egid | |
event.btm_launch_item_remove.instigator.audit_token.rgid | principal.process.rgid | |
event.btm_launch_item_remove.instigator.audit_token.pgid | principal.process.pgid | |
event.btm_launch_item_remove.instigator.audit_token.pid | principal.process.pid | |
event.btm_launch_item_remove.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
event.btm_launch_item_remove.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
event.btm_launch_item_remove.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
event.btm_launch_item_remove.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
event.btm_launch_item_remove.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
event.btm_launch_item_remove.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
event.btm_launch_item_remove.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
event.btm_launch_item_remove.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
event.btm_launch_item_remove.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
event.btm_launch_item_remove.instigator.executable.path | principal.process.file.full_path | |
event.btm_launch_item_remove.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
event.btm_launch_item_remove.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
event.btm_launch_item_remove.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
event.btm_launch_item_remove.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
event.btm_launch_item_remove.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
event.btm_launch_item_remove.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
event.btm_launch_item_remove.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
event.btm_launch_item_remove.instigator.executable.stat.st_size | principal.process.file.size | |
event.btm_launch_item_remove.instigator.executable.sha256 | principal.process.file.sha256 | |
event.btm_launch_item_remove.instigator.executable.sha1 | principal.process.file.sha1 | |
event.btm_launch_item_remove.instigator.codesigning_flags | additional.fields[btm_launch_item_remove_instigator_codesigning_flags] | |
event.btm_launch_item_remove.instigator.cdhash | additional.fields[btm_launch_item_remove_instigator_cdhash] | |
event.btm_launch_item_remove.instigator.is_es_client | additional.fields[btm_launch_item_remove_instigator_is_es_client] | |
event.btm_launch_item_remove.instigator.group_id | additional.fields[btm_launch_item_remove_instigator_group_id] | |
event.btm_launch_item_remove.instigator.original_ppid | additional.fields[btm_launch_item_remove_instigator_original_ppid] | |
event.btm_launch_item_remove.instigator.session_id | additional.fields[btm_launch_item_remove_instigator_session_id] | |
event.btm_launch_item_remove.app.audit_token.euid | target.process.euid | |
event.btm_launch_item_remove.app.audit_token.ruid | target.process.ruid | |
event.btm_launch_item_remove.app.audit_token.egid | target.process.egid | |
event.btm_launch_item_remove.app.audit_token.rgid | target.process.rgid | |
event.btm_launch_item_remove.app.audit_token.pgid | target.process.pgid | |
event.btm_launch_item_remove.app.audit_token.pid | target.process.pid | |
event.btm_launch_item_remove.app.audit_token.uuid | target.process.product_specific_process_id | |
event.btm_launch_item_remove.app.audit_token.signing_id | target.process.file.signature_info.codesign.id | |
event.btm_launch_item_remove.app.parent_audit_token.euid | target.process.parent_process.euid | |
event.btm_launch_item_remove.app.parent_audit_token.ruid | target.process.parent_process.ruid | |
event.btm_launch_item_remove.app.parent_audit_token.egid | target.process.parent_process.egid | |
event.btm_launch_item_remove.app.parent_audit_token.rgid | target.process.parent_process.rgid | |
event.btm_launch_item_remove.app.parent_audit_token.pgid | target.process.parent_process.pgid | |
event.btm_launch_item_remove.app.parent_audit_token.pid | target.process.parent_process.pid | |
event.btm_launch_item_remove.app.parent_audit_token.uuid | target.process.parent_process.product_specific_process_id | |
event.btm_launch_item_remove.app.executable.path | target.process.file.full_path | |
event.btm_launch_item_remove.app.executable.stat.st_dev | target.process.file.stat_dev | |
event.btm_launch_item_remove.app.executable.stat.st_flags | target.process.file.stat_flags | |
event.btm_launch_item_remove.app.executable.stat.st_ino | target.process.file.stat_inode | |
event.btm_launch_item_remove.app.executable.stat.st_mode | target.process.file.stat_mode | |
event.btm_launch_item_remove.app.executable.stat.st_mtimespec | target.process.file.last_modification_time | |
event.btm_launch_item_remove.app.executable.stat.st_atimespec | target.process.file.last_access_time | |
event.btm_launch_item_remove.app.executable.stat.st_nlink | target.process.file.stat_nlink | |
event.btm_launch_item_remove.app.executable.stat.st_size | target.process.file.size | |
event.btm_launch_item_remove.app.executable.sha256 | target.process.file.sha256 | |
event.btm_launch_item_remove.app.executable.sha1 | target.process.file.sha1 | |
event.btm_launch_item_remove.app.signing_id | additional.fields[btm_launch_item_remove_app_signing_id] | |
event.btm_launch_item_remove.app.team_id | additional.fields[btm_launch_item_remove_app_team] | |
event.btm_launch_item_remove.app.ppid | additional.fields[btm_launch_item_remove_app_ppid] | |
event.btm_launch_item_remove.app.codesigning_flags | additional.fields[btm_launch_item_remove_app_codesigning_flags] | |
event.btm_launch_item_remove.app.cdhash | additional.fields[btm_launch_item_remove_app_cdhash] | |
event.btm_launch_item_remove.app.is_platform_binary | additional.fields[btm_launch_item_remove_app_cdhash] | |
event.btm_launch_item_remove.app.is_es_client | additional.fields[btm_launch_item_remove_app_is_es_client] | |
event.btm_launch_item_remove.app.group_id | additional.fields[btm_launch_item_remove_app_group_id] | |
event.btm_launch_item_remove.app.original_ppid | additional.fields[btm_launch_item_remove_app_original_ppid] | |
event.btm_launch_item_remove.app.session_id | additional.fields[btm_launch_item_remove_app_session_id] | |
event.btm_launch_item_remove.item.app_url | target.file.full_path | If the event.btm_launch_item_remove.item.item_url log field value is not empty, and that value matches the regular expression pattern /^file:./ or does not match the regular expression pattern /^[a-zA-Z0-9]/, then the event.btm_launch_item_remove.item.item_url log field is mapped to the target.file.full_path UDM field. Else, the concatenation %{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url} is mapped to the target.file.full_path UDM field. |
event.btm_launch_item_remove.item.item_url | target.file.full_path | If the event.btm_launch_item_remove.item.item_url log field value is not empty, and that value matches the regular expression pattern /^file:./ or does not match the regular expression pattern /^[a-zA-Z0-9]/, then the event.btm_launch_item_remove.item.item_url log field is mapped to the target.file.full_path UDM field. Else, the concatenation %{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url} is mapped to the target.file.full_path UDM field. |
event.btm_launch_item_remove.item.uid | target.user.userid | |
event.btm_launch_item_remove.executable_path | target.file.full_path | |
event.btm_launch_item_remove.item.item_type | target.application | If the event.btm_launch_item_remove.item.item_type log field value is equal to 0, the target.application UDM field is set to USER_ITEM; if it is equal to 1, to APP; if it is equal to 2, to LOGIN_ITEM; if it is equal to 3, to AGENT; if it is equal to 4, to DAEMON. |
event.btm_launch_item_remove.item.managed | additional.fields[btm_launch_item_remove_item_managed] | |
event.btm_launch_item_remove.item.legacy | additional.fields[btm_launch_item_remove_item_legacy] | |
event.btm_launch_item_remove.app.parent_audit_token.signing_id | target.process.parent_process.file.signature_info.codesign.id | |
event_type: chroot
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to chroot. |
| | metadata.description | The metadata.description UDM field is set to "A piece of software has changed its apparent root directory." |
| | metadata.event_type | The metadata.event_type UDM field is set to FILE_MODIFICATION. |
event.chroot.target.path | target.file.full_path | |
event.chroot.target.stat.st_dev | target.file.stat_dev | |
event.chroot.target.stat.st_flags | target.file.stat_flags | |
event.chroot.target.stat.st_ino | target.file.stat_inode | |
event.chroot.target.stat.st_mode | target.file.stat_mode | |
event.chroot.target.stat.st_mtimespec | target.file.last_modification_time | |
event.chroot.target.stat.st_atimespec | target.file.last_access_time | |
event.chroot.target.stat.st_nlink | target.file.stat_nlink | |
event.chroot.target.stat.st_size | target.file.size | |
event.chroot.target.sha256 | target.file.sha256 | |
event.chroot.target.sha1 | target.file.sha1 | |
event_type: exec
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to exec. |
| | metadata.description | The metadata.description UDM field is set to "An executable has been loaded into memory." |
| | metadata.event_type | The metadata.event_type UDM field is set to PROCESS_LAUNCH. |
process.responsible_audit_token.euid | principal.process.euid | |
process.responsible_audit_token.ruid | principal.process.ruid | |
process.responsible_audit_token.egid | principal.process.egid | |
process.responsible_audit_token.rgid | principal.process.rgid | |
process.responsible_audit_token.pgid | principal.process.pgid | |
process.responsible_audit_token.pid | principal.process.pid | |
process.responsible_audit_token.uuid | principal.process.product_specific_process_id | |
process.responsible_audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
event.exec.target.audit_token.euid | target.process.euid | |
event.exec.target.audit_token.ruid | target.process.ruid | |
event.exec.target.audit_token.egid | target.process.egid | |
event.exec.target.audit_token.rgid | target.process.rgid | |
event.exec.target.audit_token.pgid | target.process.pgid | |
event.exec.target.audit_token.pid | target.process.pid | |
event.exec.target.audit_token.uuid | target.process.product_specific_process_id | |
event.exec.target.parent_audit_token.euid | target.process.parent_process.euid | |
event.exec.target.parent_audit_token.ruid | target.process.parent_process.ruid | |
event.exec.target.parent_audit_token.egid | target.process.parent_process.egid | |
event.exec.target.parent_audit_token.rgid | target.process.parent_process.rgid | |
event.exec.target.parent_audit_token.pgid | target.process.parent_process.pgid | |
event.exec.target.parent_audit_token.pid | target.process.parent_process.pid | |
event.exec.target.parent_audit_token.uuid | target.process.parent_process.product_specific_process_id | |
event.exec.target.parent_audit_token.signing_id | target.process.parent_process.file.signature_info.codesign.id | |
event.exec.target.executable.path | target.process.file.full_path | |
event.exec.target.executable.stat.st_dev | target.process.file.stat_dev | |
event.exec.target.executable.stat.st_flags | target.process.file.stat_flags | |
event.exec.target.executable.stat.st_ino | target.process.file.stat_inode | |
event.exec.target.executable.stat.st_mode | target.process.file.stat_mode | |
event.exec.target.executable.stat.st_mtimespec | target.process.file.last_modification_time | |
event.exec.target.executable.stat.st_atimespec | target.process.file.last_access_time | |
event.exec.target.executable.stat.st_nlink | target.process.file.stat_nlink | |
event.exec.target.executable.stat.st_size | target.process.file.size | |
event.exec.target.executable.sha256 | target.process.file.sha256 | |
event.exec.target.executable.sha1 | target.process.file.sha1 | |
event.exec.target.signing_id | additional.fields[exec_target_signing_id] | |
event.exec.target.team_id | additional.fields[exec_target_team_id] | |
event.exec.target.ppid | additional.fields[exec_target_ppid] | |
event.exec.target.codesigning_flags | additional.fields[exec_target_codesigning_flags] | |
event.exec.target.cdhash | additional.fields[exec_target_cdhash] | |
event.exec.target.is_platform_binary | additional.fields[exec_target_is_platform_binary] | |
event.exec.target.is_es_client | additional.fields[exec_target_is_es_client] | |
event.exec.target.group_id | additional.fields[exec_target_group_id] | |
event.exec.target.original_ppid | additional.fields[exec_target_original_ppid] | |
event.exec.target.session_id | additional.fields[exec_target_session_id] | |
event.exec.args | target.process.command_line | |
event.exec.cwd.path | additional.fields[exec_cwd_path] | |
event.exec.dyld_exec_path | additional.fields[exec_dyld_exec_path] | |
event.exec.script.path | additional.fields[exec_script_path] | |
event.exec.tty.path | additional.fields[exec_tty_path] | |
event.exec.image_cpusubtype | additional.fields[exec_image_cpusubtype] | |
event.exec.image_cputype | additional.fields[exec_image_cputype] | |
event.exec.target.audit_token.signing_id | target.process.file.signature_info.codesign.id | |
event_type: file_collection
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to file_collection. |
| | metadata.description | The metadata.description UDM field is set to "Event occurs when data from a Diagnostic or Crash Report file is collected from the system." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
event.file_collection.path | target.file.path | |
event.file_collection.size | target.file.size | |
event.file_collection.contents | additional.fields[file_collection_contents] | |
event_type: kextload
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to kextload. |
| | metadata.description | The metadata.description UDM field is set to "A kernel extension (kext) was loaded." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
event.kextload.identifier | target.resource.name | |
event_type: kextunload
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to kextunload. |
| | metadata.description | The metadata.description UDM field is set to "A kernel extension (kext) was unloaded." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
event.kextunload.identifier | target.resource.name | |
event_type: log_collection
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to log_collection. |
| | metadata.description | The metadata.description UDM field is set to "Collection of entries from a local log file." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
event.log_collection.texts | target.file.names | |
event.log_collection.path.0 | target.file.full_path | |
event_type: login_login
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to login_login. |
| | metadata.description | The metadata.description UDM field is set to "A user attempted to log in via /usr/bin/login." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
event.login_login.uid | target.user.userid | |
event.login_login.username | target.user.user_display_name | |
event.login_login.success | security_result.category | If the event.login_login.success log field value is equal to false, then the security_result.category UDM field is set to AUTH_VIOLATION. |
event.login_login.failure_message | security_result.category_details | If the event.login_login.success log field value is equal to false, then the event.login_login.failure_message log field is mapped to the security_result.category_details UDM field. |
event_type: login_logout
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to login_logout. |
| | metadata.description | The metadata.description UDM field is set to "A user logged out via /usr/bin/login." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGOUT. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
event.login_logout.uid | target.user.userid | |
event.login_logout.username | target.user.user_display_name | |
event_type: lw_session_login
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to lw_session_login. |
| | metadata.description | The metadata.description UDM field is set to "A user has logged in via the Login Window." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
event.lw_session_login.username | target.user.user_display_name | |
event_type: bios_uefi
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to bios_uefi. |
| | metadata.description | The metadata.description UDM field is set to "Information about the current version of bios and uefi on the device." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
event.bios_uefi.firmware-version | additional.fields[bios_uefi_firmware_version] | |
event.bios_uefi.system-firmware-version | additional.fields[bios_uefi_system_firmware_version] | |
event.bios_uefi.architecture | additional.fields[bios_uefi_architecture] | |
event.bios_uefi.bios.firmware-version | additional.fields[bios_uefi_bios_firmware_version] | |
event.bios_uefi.bios.vendor | additional.fields[bios_uefi_bios_vendor] | |
event.bios_uefi.bios.firmware-features | additional.fields[bios_uefi_bios_firmware_features] | |
event.bios_uefi.bios.rom-size | additional.fields[bios_uefi_bios_rom_size] | |
event.bios_uefi.bios.booter-version | additional.fields[bios_uefi_bios_booter_version] | |
event_type: cs_invalidated
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to cs_invalidated. |
| | metadata.description | The metadata.description UDM field is set to "A process has had its code signature marked as invalid." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
event_type: gatekeeper_user_override
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to gatekeeper_user_override. |
| | metadata.description | The metadata.description UDM field is set to "A user overrides Gatekeeper." |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
event.gatekeeper_user_override.file.path | target.file.full_path | |
event.gatekeeper_user_override.file.stat.st_dev | target.file.stat_dev | |
event.gatekeeper_user_override.file.stat.st_flags | target.file.stat_flags | |
event.gatekeeper_user_override.file.stat.st_ino | target.file.stat_inode | |
event.gatekeeper_user_override.file.stat.st_mode | target.file.stat_mode | |
event.gatekeeper_user_override.file.stat.st_mtimespec | target.file.last_modification_time | |
event.gatekeeper_user_override.file.stat.st_atimespec | target.file.last_access_time | |
event.gatekeeper_user_override.file.stat.st_nlink | target.file.stat_nlink | |
event.gatekeeper_user_override.file.stat.st_size | target.file.size | |
event.gatekeeper_user_override.file.sha256 | target.file.sha256 | |
event.gatekeeper_user_override.file.sha1 | target.file.sha1 | |
event.gatekeeper_user_override.signing_info.signing_id | additional.fields[exec_gatekeeper_user_override_signing_info_signing_id] | |
event.gatekeeper_user_override.signing_info.team_id | additional.fields[gatekeeper_user_override_signing_info_team_id] | |
event.gatekeeper_user_override.signing_info.cdhash | additional.fields[gatekeeper_user_override_signing_info_cdhash] | |
event.gatekeeper_user_override.file_type | additional.fields[gatekeeper_user_override_file_type] | |
event.gatekeeper_user_override.sha256 | additional.fields[gatekeeper_user_override_sha256] | |
event_type: lw_session_unlock
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to lw_session_unlock. |
| | metadata.description | The metadata.description UDM field is set to "A user has unlocked the screen from the Login Window." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
event.lw_session_unlock.username | target.user.user_display_name | |
event_type: lw_session_lock
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to lw_session_lock. |
| | metadata.description | The metadata.description UDM field is set to "A user has locked the screen." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGOUT. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
event.lw_session_lock.username | target.user.user_display_name | |
event_type: lw_session_logout
Log field | UDM mapping | Logic |
---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to lw_session_logout. |
| | metadata.description | The metadata.description UDM field is set to "A user has logged out of an active graphical session." |
| | metadata.event_type | The metadata.event_type UDM field is set to USER_LOGOUT. |
| | extensions.auth.type | The extensions.auth.type UDM field is set to MACHINE. |
event.lw_session_logout.username | target.user.user_display_name | |
event_type: mount
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to `mount`. |
| | metadata.description | The `A file system has been mounted.` value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to `STATUS_UPDATE`. |
| event.mount.statfs.f_owner | principal.user.userid | |
| event.mount.device.size | target.file.size | |
| event.mount.statfs.f_fstypename | target.resource.resource_subtype | |
| event.mount.statfs.f_mntfromname | src.resource.name | |
| event.mount.statfs.f_mntonname | target.resource.name | |
| event.mount.device.protocol | additional.fields[mount_device_protocol] | |
| event.mount.disposition | additional.fields[mount_disposition] | |
| event.mount.device.serial_number | target.asset.hardware.serial_number | If the event.mount.device.serial_number, event.mount.device.vendor_name or event.mount.device.device_model log field value is not empty, then the event.mount.device.serial_number log field is mapped to the target.asset.hardware.serial_number UDM field. |
| event.mount.device.vendor_name | target.asset.hardware.manufacturer | If the event.mount.device.serial_number, event.mount.device.vendor_name or event.mount.device.device_model log field value is not empty, then the event.mount.device.vendor_name log field is mapped to the target.asset.hardware.manufacturer UDM field. |
| event.mount.device.device_model | target.asset.hardware.model | If the event.mount.device.serial_number, event.mount.device.vendor_name or event.mount.device.device_model log field value is not empty, then the event.mount.device.device_model log field is mapped to the target.asset.hardware.model UDM field. |
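The mount mapping above, applied in code. This is an added Python example, not code from the page or from the Jamf Protect parser: it builds a constructed mount event (every value made up), normalises it into the UDM field names listed in the table, including the shared condition on the three target.asset.hardware fields, and then applies an assumed review rule, `flag_removable_mount`, that surfaces USB-attached volumes that are not APFS. The function names, the sample values and the rule are assumptions, not something the page defines.

```python
"""Added example (not from the Google SecOps page or the Jamf Protect parser):
applies the mount-event mapping table to a constructed Jamf Protect Telemetry V2
record, including the shared condition on the target.asset.hardware fields.
The sample values and the flag_removable_mount rule are assumptions."""
import json

# Constructed sample: an exFAT volume arriving over USB. Field names follow the
# log-field column of the table; every value here is made up.
SAMPLE_MOUNT_EVENT = json.dumps({
    "event_type": "mount",
    "event": {"mount": {
        "disposition": "mounted",
        "device": {"protocol": "USB", "size": 64023257088,
                   "serial_number": "0123456789ABCDEF",
                   "vendor_name": "ExampleVendor", "device_model": "Example Flash Drive"},
        "statfs": {"f_owner": 501, "f_fstypename": "exfat",
                   "f_mntfromname": "/dev/disk4s1", "f_mntonname": "/Volumes/UNTITLED"},
    }},
})

# Same event with the device identity blanked, to exercise the conditional branch.
_no_hw = json.loads(SAMPLE_MOUNT_EVENT)
for _k in ("serial_number", "vendor_name", "device_model"):
    _no_hw["event"]["mount"]["device"][_k] = ""
SAMPLE_MOUNT_EVENT_NO_HARDWARE = json.dumps(_no_hw)

DIRECT_MAPPINGS = {  # log field -> UDM field, straight from the table
    "event.mount.statfs.f_owner": "principal.user.userid",
    "event.mount.device.size": "target.file.size",
    "event.mount.statfs.f_fstypename": "target.resource.resource_subtype",
    "event.mount.statfs.f_mntfromname": "src.resource.name",
    "event.mount.statfs.f_mntonname": "target.resource.name",
    "event.mount.device.protocol": "additional.fields[mount_device_protocol]",
    "event.mount.disposition": "additional.fields[mount_disposition]",
}
HARDWARE_MAPPINGS = {  # only populated when at least one of the three is non-empty
    "event.mount.device.serial_number": "target.asset.hardware.serial_number",
    "event.mount.device.vendor_name": "target.asset.hardware.manufacturer",
    "event.mount.device.device_model": "target.asset.hardware.model",
}

def _get(obj, dotted):
    """Walk a dotted path through nested dicts; None when any hop is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def map_mount_event(raw: str) -> dict:
    """Normalise one mount event into a flat dict keyed by UDM field name."""
    log = json.loads(raw)
    if log.get("event_type") != "mount":
        raise ValueError("not a mount event")
    udm = {
        "metadata.product_event_type": "mount",
        "metadata.description": "A file system has been mounted.",
        "metadata.event_type": "STATUS_UPDATE",
    }
    for log_field, udm_field in DIRECT_MAPPINGS.items():
        value = _get(log, log_field)
        if value not in (None, ""):
            # UDM user IDs are strings, so the numeric f_owner is stringified
            udm[udm_field] = str(value) if udm_field == "principal.user.userid" else value
    hw = {f: _get(log, f) for f in HARDWARE_MAPPINGS}
    if any(v not in (None, "") for v in hw.values()):
        for log_field, udm_field in HARDWARE_MAPPINGS.items():
            if hw[log_field] not in (None, ""):
                udm[udm_field] = hw[log_field]
    return udm

def flag_removable_mount(udm: dict) -> bool:
    """Assumed review rule, not from the page: a USB-attached volume that is not
    APFS is a likely removable-media mount and worth surfacing."""
    return (udm.get("additional.fields[mount_device_protocol]") == "USB"
            and udm.get("target.resource.resource_subtype") not in (None, "apfs"))
```

The hardware block mirrors the table's wording: the three target.asset.hardware fields are written only when at least one of serial_number, vendor_name or device_model is present, so a mount with no device identity yields no target.asset.hardware fields at all rather than empty strings.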
event_type: od_attribute_set
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to `od_attribute_set`. |
| | metadata.description | The `Attribute set on user or group using Open Directory.` value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to `USER_RESOURCE_UPDATE_CONTENT`. |
| event.od_attribute_set.instigator.audit_token.euid | principal.process.euid | |
| event.od_attribute_set.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_attribute_set.instigator.audit_token.egid | principal.process.egid | |
| event.od_attribute_set.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_attribute_set.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_attribute_set.instigator.audit_token.pid | principal.process.pid | |
| event.od_attribute_set.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_attribute_set.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_attribute_set.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_attribute_set.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_attribute_set.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_attribute_set.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_attribute_set.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_attribute_set.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_attribute_set.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_attribute_set.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_attribute_set.instigator.executable.path | principal.process.file.full_path | |
| event.od_attribute_set.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_attribute_set.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_attribute_set.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_attribute_set.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_attribute_set.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_attribute_set.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_attribute_set.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_attribute_set.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_attribute_set.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_attribute_set.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_attribute_set.instigator.signing_id | additional.fields[od_attribute_set_instigator_signing_id] | |
| event.od_attribute_set.instigator.team_id | additional.fields[od_attribute_set_instigator_team_id] | |
| event.od_attribute_set.instigator.ppid | additional.fields[od_attribute_set_instigator_ppid] | |
| event.od_attribute_set.instigator.codesigning_flags | additional.fields[od_attribute_set_instigator_codesigning_flags] | |
| event.od_attribute_set.instigator.cdhash | additional.fields[od_attribute_set_instigator_cdhash] | |
| event.od_attribute_set.instigator.is_platform_binary | additional.fields[od_attribute_set_instigator_is_platform_binary] | |
| event.od_attribute_set.instigator.is_es_client | additional.fields[od_attribute_set_instigator_is_es_client] | |
| event.od_attribute_set.instigator.group_id | additional.fields[od_attribute_set_instigator_group_id] | |
| event.od_attribute_set.instigator.original_ppid | additional.fields[od_attribute_set_instigator_original_ppid] | |
| event.od_attribute_set.instigator.session_id | additional.fields[od_attribute_set_instigator_session_id] | |
| event.od_attribute_set.attribute_name | target.resource.resource_subtype | |
| event.od_attribute_set.attribute_value | target.resource.name | |
| event.od_attribute_set.record_name | target.user.user_display_name | |
| event.od_attribute_set.instigator_token.euid | principal.user.userid | |
| event.od_attribute_set.db_path | additional.fields[event_od_attribute_set_db_path] | |
| event.od_attribute_set.node_name | additional.fields[event_od_attribute_set_node_name] | |
| event.od_attribute_set.record_type | additional.fields[event_od_attribute_set_record_type] | |
| event.od_attribute_set.error_code | additional.fields[event_od_attribute_set_error_code] | |
event_type: od_attribute_value_add
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to `od_attribute_value_add`. |
| | metadata.description | The `Attribute set on user or group using Open Directory.` value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to `STATUS_UPDATE`. |
| event.od_attribute_value_add.instigator.audit_token.euid | principal.process.euid | |
| event.od_attribute_value_add.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_attribute_value_add.instigator.audit_token.egid | principal.process.egid | |
| event.od_attribute_value_add.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_attribute_value_add.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_attribute_value_add.instigator.audit_token.pid | principal.process.pid | |
| event.od_attribute_value_add.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_attribute_value_add.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_attribute_value_add.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_attribute_value_add.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_attribute_value_add.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_attribute_value_add.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_attribute_value_add.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_attribute_value_add.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_attribute_value_add.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_attribute_value_add.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_attribute_value_add.instigator.executable.path | principal.process.file.full_path | |
| event.od_attribute_value_add.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_attribute_value_add.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_attribute_value_add.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_attribute_value_add.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_attribute_value_add.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_attribute_value_add.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_attribute_value_add.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_attribute_value_add.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_attribute_value_add.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_attribute_value_add.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_attribute_value_add.instigator.signing_id | additional.fields[od_attribute_value_add_instigator_signing_id] | |
| event.od_attribute_value_add.instigator.team_id | additional.fields[od_attribute_value_add_instigator_team_id] | |
| event.od_attribute_value_add.instigator.ppid | additional.fields[od_attribute_value_add_instigator_ppid] | |
| event.od_attribute_value_add.instigator.codesigning_flags | additional.fields[od_attribute_value_add_instigator_codesigning_flags] | |
| event.od_attribute_value_add.instigator.cdhash | additional.fields[od_attribute_value_add_instigator_cdhash] | |
| event.od_attribute_value_add.instigator.is_platform_binary | additional.fields[od_attribute_value_add_instigator_is_platform_binary] | |
| event.od_attribute_value_add.instigator.is_es_client | additional.fields[od_attribute_value_add_instigator_is_es_client] | |
| event.od_attribute_value_add.instigator.group_id | additional.fields[od_attribute_value_add_instigator_group_id] | |
| event.od_attribute_value_add.instigator.original_ppid | additional.fields[od_attribute_value_add_instigator_original_pp] | |
| event.od_attribute_value_add.instigator.session_id | additional.fields[od_attribute_value_add_instigator_session_id] | |
| event.od_attribute_value_add.attribute_name | target.resource.resource_subtype | |
| event.od_attribute_value_add.attribute_value | target.resource.name | |
| event.od_attribute_value_add.record_name | target.user.user_display_name | |
| event.od_attribute_value_add.db_path | additional.fields[od_attribute_value_add_db_path] | |
| event.od_attribute_value_add.node_name | additional.fields[od_attribute_value_add_node_name] | |
| event.od_attribute_value_add.record_type | additional.fields[od_attribute_value_add_record_type] | |
| event.od_attribute_value_add.error_code | additional.fields[od_attribute_value_add_error_code] | |
event_type: od_attribute_value_remove
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to `od_attribute_value_remove`. |
| | metadata.description | The `Attribute removed from a user or group using Open Directory.` value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to `USER_RESOURCE_DELETION`. |
| event.od_attribute_value_remove.instigator.audit_token.euid | principal.process.euid | |
| event.od_attribute_value_remove.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_attribute_value_remove.instigator.audit_token.egid | principal.process.egid | |
| event.od_attribute_value_remove.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_attribute_value_remove.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_attribute_value_remove.instigator.audit_token.pid | principal.process.pid | |
| event.od_attribute_value_remove.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_attribute_value_remove.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_attribute_value_remove.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_attribute_value_remove.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_attribute_value_remove.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_attribute_value_remove.instigator.executable.path | principal.process.file.full_path | |
| event.od_attribute_value_remove.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_attribute_value_remove.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_attribute_value_remove.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_attribute_value_remove.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_attribute_value_remove.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_attribute_value_remove.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_attribute_value_remove.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_attribute_value_remove.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_attribute_value_remove.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_attribute_value_remove.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_attribute_value_remove.instigator.codesigning_flags | additional.fields[od_attribute_value_remove_instigator_codesigning_flags] | |
| event.od_attribute_value_remove.instigator.cdhash | additional.fields[od_attribute_value_remove_instigator_cdhash] | |
| event.od_attribute_value_remove.instigator.is_platform_binary | additional.fields[od_attribute_value_remove_instigator_is_platform_binary] | |
| event.od_attribute_value_remove.instigator.is_es_client | additional.fields[od_attribute_value_remove_instigator_is_es_client] | |
| event.od_attribute_value_remove.instigator.group_id | additional.fields[od_attribute_value_remove_instigator_group_id] | |
| event.od_attribute_value_remove.instigator.original_ppid | additional.fields[od_attribute_value_remove_instigator_original_pp] | |
| event.od_attribute_value_remove.instigator.session_id | additional.fields[od_attribute_value_remove_instigator_session_id] | |
| event.od_attribute_value_remove.attribute_name | target.resource.resource_subtype | |
| event.od_attribute_value_remove.attribute_value | target.resource.name | |
| event.od_attribute_value_remove.record_name | target.user.user_display_name | |
| event.od_attribute_value_remove.db_path | additional.fields[od_attribute_value_remove_db_path] | |
| event.od_attribute_value_remove.node_name | additional.fields[od_attribute_value_remove_node_name] | |
| event.od_attribute_value_remove.record_type | additional.fields[od_attribute_value_remove_record_type] | |
| event.od_attribute_value_remove.error_code | additional.fields[od_attribute_value_remove_error_code] | |
event_type: od_create_group
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to `od_create_group`. |
| | metadata.description | The `A group has been created using Open Directory.` value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to `GROUP_CREATION`. |
| event.od_create_group.instigator.audit_token.euid | principal.process.euid | |
| event.od_create_group.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_create_group.instigator.audit_token.egid | principal.process.egid | |
| event.od_create_group.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_create_group.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_create_group.instigator.audit_token.pid | principal.process.pid | |
| event.od_create_group.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_create_group.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_create_group.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_create_group.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_create_group.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_create_group.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_create_group.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_create_group.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_create_group.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_create_group.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_create_group.instigator.executable.path | principal.process.file.full_path | |
| event.od_create_group.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_create_group.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_create_group.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_create_group.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_create_group.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_create_group.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_create_group.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_create_group.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_create_group.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_create_group.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_create_group.instigator.signing_id | additional.fields[od_create_group_instigator_signing_id] | |
| event.od_create_group.instigator.team_id | additional.fields[od_create_group_instigator_team_id] | |
| event.od_create_group.instigator.ppid | additional.fields[od_create_group_instigator_ppid] | |
| event.od_create_group.instigator.codesigning_flags | additional.fields[od_create_group_instigator_codesigning_flags] | |
| event.od_create_group.instigator.cdhash | additional.fields[od_create_group_instigator_cdhash] | |
| event.od_create_group.instigator.is_platform_binary | additional.fields[od_create_group_instigator_is_platform_binary] | |
| event.od_create_group.instigator.is_es_client | additional.fields[od_create_group_instigator_is_es_client] | |
| event.od_create_group.instigator.group_id | additional.fields[od_create_group_instigator_group_id] | |
| event.od_create_group.instigator.original_ppid | additional.fields[od_create_group_instigator_original_pp] | |
| event.od_create_group.instigator.session_id | additional.fields[od_create_group_instigator_session_id] | |
| event.od_create_group.group_name | target.group.group_display_name | |
| event.od_create_group.instigator_token.euid | principal.user.userid | |
| event.od_create_group.db_path | additional.fields[od_create_group_db_path] | |
| event.od_create_group.node_name | additional.fields[od_create_group_node_name] | |
| event.od_create_group.error_code | additional.fields[od_create_group_error_code] | |
event_type: od_delete_group
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to `od_delete_group`. |
| | metadata.description | The `A group has been deleted using Open Directory.` value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to `GROUP_DELETION`. |
| event.od_delete_group.instigator.audit_token.euid | principal.process.euid | |
| event.od_delete_group.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_delete_group.instigator.audit_token.egid | principal.process.egid | |
| event.od_delete_group.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_delete_group.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_delete_group.instigator.audit_token.pid | principal.process.pid | |
| event.od_delete_group.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_delete_group.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_delete_group.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_delete_group.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_delete_group.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_delete_group.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_delete_group.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_delete_group.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_delete_group.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_delete_group.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_delete_group.instigator.executable.path | principal.process.file.full_path | |
| event.od_delete_group.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_delete_group.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_delete_group.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_delete_group.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_delete_group.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_delete_group.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_delete_group.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_delete_group.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_delete_group.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_delete_group.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_delete_group.instigator.signing_id | additional.fields[od_delete_group_instigator_signing_id] | |
| event.od_delete_group.instigator.team_id | additional.fields[od_delete_group_instigator_team_id] | |
| event.od_delete_group.instigator.ppid | additional.fields[od_delete_group_instigator_ppid] | |
| event.od_delete_group.instigator.codesigning_flags | additional.fields[od_delete_group_instigator_codesigning_flags] | |
| event.od_delete_group.instigator.cdhash | additional.fields[od_delete_group_instigator_cdhash] | |
| event.od_delete_group.instigator.is_platform_binary | additional.fields[od_delete_group_instigator_is_platform_binary] | |
| event.od_delete_group.instigator.is_es_client | additional.fields[od_delete_group_instigator_is_es_client] | |
| event.od_delete_group.instigator.group_id | additional.fields[od_delete_group_instigator_group_id] | |
| event.od_delete_group.instigator.original_ppid | additional.fields[od_delete_group_instigator_original_pp] | |
| event.od_delete_group.instigator.session_id | additional.fields[od_delete_group_instigator_session_id] | |
| event.od_delete_group.group_name | target.group.group_display_name | |
| event.od_delete_group.instigator_token.euid | principal.user.userid | |
| event.od_delete_group.db_path | additional.fields[od_delete_group_db_path] | |
| event.od_delete_group.node_name | additional.fields[od_delete_group_node_name] | |
| event.od_delete_group.error_code | additional.fields[od_delete_group_error_code] | |
event_type: od_create_user
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to `od_create_user`. |
| | metadata.description | The `A user has been created using Open Directory.` value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to `USER_CREATION`. |
| event.od_create_user.instigator.audit_token.euid | principal.process.euid | |
| event.od_create_user.instigator.audit_token.ruid | principal.process.ruid | |
| event.od_create_user.instigator.audit_token.egid | principal.process.egid | |
| event.od_create_user.instigator.audit_token.rgid | principal.process.rgid | |
| event.od_create_user.instigator.audit_token.pgid | principal.process.pgid | |
| event.od_create_user.instigator.audit_token.pid | principal.process.pid | |
| event.od_create_user.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.od_create_user.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.od_create_user.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.od_create_user.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.od_create_user.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.od_create_user.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.od_create_user.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.od_create_user.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.od_create_user.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.od_create_user.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.od_create_user.instigator.executable.path | principal.process.file.full_path | |
| event.od_create_user.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.od_create_user.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.od_create_user.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.od_create_user.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.od_create_user.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.od_create_user.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.od_create_user.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.od_create_user.instigator.executable.stat.st_size | principal.process.file.size | |
| event.od_create_user.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.od_create_user.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.od_create_user.instigator.signing_id | additional.fields[od_create_user_instigator_signing_id] | |
| event.od_create_user.instigator.team_id | additional.fields[od_create_user_instigator_team_id] | |
| event.od_create_user.instigator.ppid | additional.fields[od_create_user_instigator_ppid] | |
| event.od_create_user.instigator.codesigning_flags | additional.fields[od_create_user_instigator_codesigning_flags] | |
| event.od_create_user.instigator.cdhash | additional.fields[od_create_user_instigator_cdhash] | |
| event.od_create_user.instigator.is_platform_binary | additional.fields[od_create_user_instigator_is_platform_binary] | |
| event.od_create_user.instigator.is_es_client | additional.fields[od_create_user_instigator_is_es_client] | |
| event.od_create_user.instigator.group_id | additional.fields[od_create_user_instigator_group_id] | |
| event.od_create_user.instigator.original_ppid | additional.fields[od_create_user_instigator_original_pp] | |
| event.od_create_user.instigator.session_id | additional.fields[od_create_user_instigator_session_id] | |
| event.od_create_user.user_name | target.user.userid | |
| event.od_create_user.instigator_token.euid | principal.user.userid | |
| event.od_create_user.db_path | additional.fields[od_create_user_db_path] | |
| event.od_create_user.node_name | additional.fields[od_create_user_node_name] | |
| event.od_create_user.error_code | additional.fields[od_create_user_error_code] | |
event_type: od_delete_user
Log field | UDM mapping | Logic |
---|---|---|
|
metadata.product_event_type |
The metadata.product_event_type UDM field is set to od_delete_user . |
|
metadata.description |
A user has been deleted using Open Directory. value is set to the metadata.description UDM field. |
|
metadata.event_type |
The metadata.event_type UDM field is set to USER_DELETION . |
event.od_delete_user.instigator.audit_token.euid |
principal.process.euid |
|
event.od_delete_user.instigator.audit_token.ruid |
principal.process.ruid |
|
event.od_delete_user.instigator.audit_token.egid |
principal.process.egid |
|
event.od_delete_user.instigator.audit_token.rgid |
principal.process.rgid |
|
event.od_delete_user.instigator.audit_token.pgid |
principal.process.pgid |
|
event.od_delete_user.instigator.audit_token.pid |
principal.process.pid |
|
event.od_delete_user.instigator.audit_token.uuid |
principal.process.product_specific_process_id |
|
event.od_delete_user.instigator.audit_token.signing_id |
principal.process.file.signature_info.codesign.id |
|
event.od_delete_user.instigator.parent_audit_token.euid |
principal.process.parent_process.euid |
|
event.od_delete_user.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
event.od_delete_user.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
event.od_delete_user.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
event.od_delete_user.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
event.od_delete_user.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
event.od_delete_user.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
event.od_delete_user.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
event.od_delete_user.instigator.executable.path | principal.process.file.full_path | |
event.od_delete_user.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
event.od_delete_user.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
event.od_delete_user.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
event.od_delete_user.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
event.od_delete_user.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
event.od_delete_user.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
event.od_delete_user.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
event.od_delete_user.instigator.executable.stat.st_size | principal.process.file.size | |
event.od_delete_user.instigator.executable.sha256 | principal.process.file.sha256 | |
event.od_delete_user.instigator.executable.sha1 | principal.process.file.sha1 | |
event.od_delete_user.instigator.signing_id | additional.fields[od_delete_user_instigator_signing_id] | |
event.od_delete_user.instigator.team_id | additional.fields[od_delete_user_instigator_team_id] | |
event.od_delete_user.instigator.ppid | additional.fields[od_delete_user_instigator_ppid] | |
event.od_delete_user.instigator.codesigning_flags | additional.fields[od_delete_user_instigator_codesigning_flags] | |
event.od_delete_user.instigator.cdhash | additional.fields[od_delete_user_instigator_cdhash] | |
event.od_delete_user.instigator.is_platform_binary | additional.fields[od_delete_user_instigator_is_platform_binary] | |
event.od_delete_user.instigator.is_es_client | additional.fields[od_delete_user_instigator_is_es_client] | |
event.od_delete_user.instigator.group_id | additional.fields[od_delete_user_instigator_group_id] | |
event.od_delete_user.instigator.original_ppid | additional.fields[od_delete_user_instigator_original_pp] | |
event.od_delete_user.instigator.session_id | additional.fields[od_delete_user_instigator_session_id] | |
event.od_delete_user.user_name | target.user.userid | |
event.od_delete_user.instigator_token.euid | principal.user.userid | |
event.od_delete_user.db_path | additional.fields[od_delete_user_db_path] | |
event.od_delete_user.node_name | additional.fields[od_delete_user_node_name] | |
event.od_delete_user.error_code | additional.fields[od_delete_user_error_code] | |
event_type: od_disable_user
Log field | UDM mapping | Logic |
---|---|---|
| metadata.product_event_type | The metadata.product_event_type UDM field is set to od_disable_user. |
| metadata.description | The value "A user has been disabled using Open Directory." is set to the metadata.description UDM field. |
| metadata.event_type | The metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
event.od_disable_user.instigator.audit_token.euid | principal.process.euid | |
event.od_disable_user.instigator.audit_token.ruid | principal.process.ruid | |
event.od_disable_user.instigator.audit_token.egid | principal.process.egid | |
event.od_disable_user.instigator.audit_token.rgid | principal.process.rgid | |
event.od_disable_user.instigator.audit_token.pgid | principal.process.pgid | |
event.od_disable_user.instigator.audit_token.pid | principal.process.pid | |
event.od_disable_user.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
event.od_disable_user.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
event.od_disable_user.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
event.od_disable_user.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
event.od_disable_user.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
event.od_disable_user.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
event.od_disable_user.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
event.od_disable_user.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
event.od_disable_user.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
event.od_disable_user.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
event.od_disable_user.instigator.executable.path | principal.process.file.full_path | |
event.od_disable_user.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
event.od_disable_user.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
event.od_disable_user.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
event.od_disable_user.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
event.od_disable_user.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
event.od_disable_user.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
event.od_disable_user.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
event.od_disable_user.instigator.executable.stat.st_size | principal.process.file.size | |
event.od_disable_user.instigator.executable.sha256 | principal.process.file.sha256 | |
event.od_disable_user.instigator.executable.sha1 | principal.process.file.sha1 | |
event.od_disable_user.instigator.codesigning_flags | additional.fields[od_disable_user_instigator_codesigning_flags] | |
event.od_disable_user.instigator.cdhash | additional.fields[od_disable_user_instigator_codesigning_flags] | |
event.od_disable_user.instigator.is_platform_binary | additional.fields[od_disable_user_instigator_is_platform_binary] | |
event.od_disable_user.instigator.is_es_client | additional.fields[od_disable_user_instigator_is_es_client] | |
event.od_disable_user.instigator.group_id | additional.fields[od_disable_user_instigator_group_id] | |
event.od_disable_user.instigator.original_ppid | additional.fields[od_disable_user_instigator_original_pp] | |
event.od_disable_user.instigator.session_id | additional.fields[od_disable_user_instigator_session_id] | |
event.od_disable_user.user_name | target.user.user_display_name | |
event.od_disable_user.instigator_token.euid | principal.user.userid | |
event.od_disable_user.db_path | additional.fields[od_disable_user_db_path] | |
event.od_disable_user.node_name | additional.fields[od_disable_user_node_name] | |
event.od_disable_user.error_code | additional.fields[od_disable_user_error_code] | |
event_type: od_enable_user
Log field | UDM mapping | Logic |
---|---|---|
| metadata.product_event_type | The metadata.product_event_type UDM field is set to od_enable_user. |
| metadata.description | The value "A user has been enabled using Open Directory." is set to the metadata.description UDM field. |
| metadata.event_type | The metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
event.od_enable_user.instigator.audit_token.euid | principal.process.euid | |
event.od_enable_user.instigator.audit_token.ruid | principal.process.ruid | |
event.od_enable_user.instigator.audit_token.egid | principal.process.egid | |
event.od_enable_user.instigator.audit_token.rgid | principal.process.rgid | |
event.od_enable_user.instigator.audit_token.pgid | principal.process.pgid | |
event.od_enable_user.instigator.audit_token.pid | principal.process.pid | |
event.od_enable_user.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
event.od_enable_user.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
event.od_enable_user.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
event.od_enable_user.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
event.od_enable_user.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
event.od_enable_user.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
event.od_enable_user.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
event.od_enable_user.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
event.od_enable_user.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
event.od_enable_user.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
event.od_enable_user.instigator.executable.path | principal.process.file.full_path | |
event.od_enable_user.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
event.od_enable_user.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
event.od_enable_user.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
event.od_enable_user.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
event.od_enable_user.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
event.od_enable_user.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
event.od_enable_user.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
event.od_enable_user.instigator.executable.stat.st_size | principal.process.file.size | |
event.od_enable_user.instigator.executable.sha256 | principal.process.file.sha256 | |
event.od_enable_user.instigator.executable.sha1 | principal.process.file.sha1 | |
event.od_enable_user.instigator.signing_id | additional.fields[od_enable_user_instigator_signing_id] | |
event.od_enable_user.instigator.team_id | additional.fields[od_enable_user_instigator_team_id] | |
event.od_enable_user.instigator.ppid | additional.fields[od_enable_user_instigator_ppid] | |
event.od_enable_user.instigator.codesigning_flags | additional.fields[od_enable_user_instigator_codesigning_flags] | |
event.od_enable_user.instigator.cdhash | additional.fields[od_enable_user_instigator_cdhash] | |
event.od_enable_user.instigator.is_platform_binary | additional.fields[od_enable_user_instigator_is_platform_binary] | |
event.od_enable_user.instigator.is_es_client | additional.fields[od_enable_user_instigator_is_es_client] | |
event.od_enable_user.instigator.group_id | additional.fields[od_enable_user_instigator_group_id] | |
event.od_enable_user.instigator.original_ppid | additional.fields[od_enable_user_instigator_original_pp] | |
event.od_enable_user.instigator.session_id | additional.fields[od_enable_user_instigator_session_id] | |
event.od_enable_user.user_name | target.user.user_display_name | |
event.od_enable_user.instigator_token.euid | principal.user.userid | |
event.od_enable_user.db_path | additional.fields[od_enable_user_db_path] | |
event.od_enable_user.node_name | additional.fields[od_enable_user_node_name] | |
event.od_enable_user.error_code | additional.fields[od_enable_user_error_code] | |
event_type: od_group_add
Log field | UDM mapping | Logic |
---|---|---|
| metadata.product_event_type | The metadata.product_event_type UDM field is set to od_group_add. |
| metadata.description | The value "A member has been added to a group using Open Directory." is set to the metadata.description UDM field. |
| metadata.event_type | The metadata.event_type UDM field is set to GROUP_MODIFICATION. |
event.od_group_add.instigator.audit_token.euid | principal.process.euid | |
event.od_group_add.instigator.audit_token.ruid | principal.process.ruid | |
event.od_group_add.instigator.audit_token.egid | principal.process.egid | |
event.od_group_add.instigator.audit_token.rgid | principal.process.rgid | |
event.od_group_add.instigator.audit_token.pgid | principal.process.pgid | |
event.od_group_add.instigator.audit_token.pid | principal.process.pid | |
event.od_group_add.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
event.od_group_add.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
event.od_group_add.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
event.od_group_add.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
event.od_group_add.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
event.od_group_add.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
event.od_group_add.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
event.od_group_add.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
event.od_group_add.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
event.od_group_add.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
event.od_group_add.instigator.executable.path | principal.process.file.full_path | |
event.od_group_add.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
event.od_group_add.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
event.od_group_add.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
event.od_group_add.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
event.od_group_add.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
event.od_group_add.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
event.od_group_add.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
event.od_group_add.instigator.executable.stat.st_size | principal.process.file.size | |
event.od_group_add.instigator.executable.sha256 | principal.process.file.sha256 | |
event.od_group_add.instigator.executable.sha1 | principal.process.file.sha1 | |
event.od_group_add.instigator.signing_id | additional.fields[od_group_add_instigator_signing_id] | |
event.od_group_add.instigator.team_id | additional.fields[od_group_add_instigator_team_id] | |
event.od_group_add.instigator.ppid | additional.fields[od_group_add_instigator_ppid] | |
event.od_group_add.instigator.codesigning_flags | additional.fields[od_group_add_instigator_codesigning_flags] | |
event.od_group_add.instigator.cdhash | additional.fields[od_group_add_instigator_cdhash] | |
event.od_group_add.instigator.is_platform_binary | additional.fields[od_group_add_instigator_is_platform_binary] | |
event.od_group_add.instigator.is_es_client | additional.fields[od_group_add_instigator_is_es_client] | |
event.od_group_add.instigator.group_id | additional.fields[od_group_add_instigator_group_id] | |
event.od_group_add.instigator.original_ppid | additional.fields[od_group_add_instigator_original_pp] | |
event.od_group_add.instigator.session_id | additional.fields[od_group_add_instigator_session_id] | |
event.od_group_add.group_name | target.group.group_display_name | |
event.od_group_add.member.member_value | target.user.user_display_name | |
event.od_group_add.instigator_token.euid | principal.user.userid | |
event.od_group_add.db_path | additional.fields[od_group_add_db_path] | |
event.od_group_add.node_name | additional.fields[od_group_add_node_name] | |
event.od_group_add.error_code | additional.fields[od_group_add_error_code] | |
event_type: od_group_remove
Log field | UDM mapping | Logic |
---|---|---|
| metadata.product_event_type | The metadata.product_event_type UDM field is set to od_group_remove. |
| metadata.description | The value "A member has been removed from a group using Open Directory." is set to the metadata.description UDM field. |
| metadata.event_type | The metadata.event_type UDM field is set to GROUP_MODIFICATION. |
event.od_group_remove.instigator.audit_token.euid | principal.process.euid | |
event.od_group_remove.instigator.audit_token.ruid | principal.process.ruid | |
event.od_group_remove.instigator.audit_token.egid | principal.process.egid | |
event.od_group_remove.instigator.audit_token.rgid | principal.process.rgid | |
event.od_group_remove.instigator.audit_token.pgid | principal.process.pgid | |
event.od_group_remove.instigator.audit_token.pid | principal.process.pid | |
event.od_group_remove.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
event.od_group_remove.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
event.od_group_remove.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
event.od_group_remove.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
event.od_group_remove.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
event.od_group_remove.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
event.od_group_remove.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
event.od_group_remove.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
event.od_group_remove.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
event.od_group_remove.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
event.od_group_remove.instigator.executable.path | principal.process.file.full_path | |
event.od_group_remove.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
event.od_group_remove.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
event.od_group_remove.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
event.od_group_remove.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
event.od_group_remove.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
event.od_group_remove.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
event.od_group_remove.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
event.od_group_remove.instigator.executable.stat.st_size | principal.process.file.size | |
event.od_group_remove.instigator.executable.sha256 | principal.process.file.sha256 | |
event.od_group_remove.instigator.executable.sha1 | principal.process.file.sha1 | |
event.od_group_remove.instigator.signing_id | additional.fields[od_group_remove_instigator_signing_id] | |
event.od_group_remove.instigator.team_id | additional.fields[od_group_remove_instigator_team_id] | |
event.od_group_remove.instigator.ppid | additional.fields[od_group_remove_instigator_ppid] | |
event.od_group_remove.instigator.codesigning_flags | additional.fields[od_group_remove_instigator_codesigning_flags] | |
event.od_group_remove.instigator.cdhash | additional.fields[od_group_remove_instigator_cdhash] | |
event.od_group_remove.instigator.is_platform_binary | additional.fields[od_group_remove_instigator_is_platform_binary] | |
event.od_group_remove.instigator.is_es_client | additional.fields[od_group_remove_instigator_is_es_client] | |
event.od_group_remove.instigator.group_id | additional.fields[od_group_remove_instigator_group_id] | |
event.od_group_remove.instigator.original_ppid | additional.fields[od_group_remove_instigator_original_pp] | |
event.od_group_remove.instigator.session_id | additional.fields[od_group_remove_instigator_session_id] | |
event.od_group_remove.group_name | target.group.group_display_name | |
event.od_group_remove.member.member_value | target.user.user_display_name | |
event.od_group_remove.instigator_token.euid | principal.user.userid | |
event.od_group_remove.db_path | additional.fields[od_group_remove_db_path] | |
event.od_group_remove.node_name | additional.fields[od_group_remove_node_name] | |
event.od_group_remove.error_code | additional.fields[od_group_remove_error_code] | |
event_type: od_group_set
Log field | UDM mapping | Logic |
---|---|---|
| metadata.product_event_type | The metadata.product_event_type UDM field is set to od_group_set. |
| metadata.description | The value "A group has a member initialized or replaced using Open Directory." is set to the metadata.description UDM field. |
| metadata.event_type | The metadata.event_type UDM field is set to GROUP_MODIFICATION. |
event.od_group_set.instigator.audit_token.euid | principal.process.euid | |
event.od_group_set.instigator.audit_token.ruid | principal.process.ruid | |
event.od_group_set.instigator.audit_token.egid | principal.process.egid | |
event.od_group_set.instigator.audit_token.rgid | principal.process.rgid | |
event.od_group_set.instigator.audit_token.pgid | principal.process.pgid | |
event.od_group_set.instigator.audit_token.pid | principal.process.pid | |
event.od_group_set.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
event.od_group_set.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
event.od_group_set.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
event.od_group_set.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
event.od_group_set.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
event.od_group_set.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
event.od_group_set.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
event.od_group_set.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
event.od_group_set.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
event.od_group_set.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
event.od_group_set.instigator.executable.path | principal.process.file.full_path | |
event.od_group_set.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
event.od_group_set.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
event.od_group_set.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
event.od_group_set.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
event.od_group_set.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
event.od_group_set.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
event.od_group_set.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
event.od_group_set.instigator.executable.stat.st_size | principal.process.file.size | |
event.od_group_set.instigator.executable.sha256 | principal.process.file.sha256 | |
event.od_group_set.instigator.executable.sha1 | principal.process.file.sha1 | |
event.od_group_set.instigator.signing_id | additional.fields[od_group_set_instigator_signing_id] | |
event.od_group_set.instigator.team_id | additional.fields[od_group_set_instigator_team_id] | |
event.od_group_set.instigator.ppid | additional.fields[od_group_set_instigator_ppid] | |
event.od_group_set.instigator.codesigning_flags | additional.fields[od_group_set_instigator_codesigning_flags] | |
event.od_group_set.instigator.cdhash | additional.fields[od_group_set_instigator_cdhash] | |
event.od_group_set.instigator.is_platform_binary | additional.fields[od_group_set_instigator_is_platform_binary] | |
event.od_group_set.instigator.is_es_client | additional.fields[od_group_set_instigator_is_es_client] | |
event.od_group_set.instigator.group_id | additional.fields[od_group_set_instigator_group_id] | |
event.od_group_set.instigator.original_ppid | additional.fields[od_group_set_instigator_original_pp] | |
event.od_group_set.instigator.session_id | additional.fields[od_group_set_instigator_session_id] | |
event.od_group_set.group_name | target.group.group_display_name | |
event.od_group_set.member.member_array | target.user.user_display_name | |
event.od_group_set.instigator_token.euid | principal.user.userid | |
event.od_group_set.db_path | additional.fields[od_group_set_db_path] | |
event.od_group_set.node_name | additional.fields[od_group_set_node_name] | |
event.od_group_set.error_code | additional.fields[od_group_set_error_code] | |
event_type: od_modify_password
Log field | UDM mapping | Logic |
---|---|---|
| metadata.product_event_type | The metadata.product_event_type UDM field is set to od_modify_password. |
| metadata.description | The value "A group has a member initialized or replaced using Open Directory." is set to the metadata.description UDM field. |
| metadata.event_type | The metadata.event_type UDM field is set to USER_CHANGE_PASSWORD. |
event.od_modify_password.instigator.audit_token.euid | principal.process.euid | |
event.od_modify_password.instigator.audit_token.ruid | principal.process.ruid | |
event.od_modify_password.instigator.audit_token.egid | principal.process.egid | |
event.od_modify_password.instigator.audit_token.rgid | principal.process.rgid | |
event.od_modify_password.instigator.audit_token.pgid | principal.process.pgid | |
event.od_modify_password.instigator.audit_token.pid | principal.process.pid | |
event.od_modify_password.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
event.od_modify_password.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
event.od_modify_password.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
event.od_modify_password.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
event.od_modify_password.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
event.od_modify_password.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
event.od_modify_password.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
event.od_modify_password.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
event.od_modify_password.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
event.od_modify_password.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
event.od_modify_password.instigator.executable.path | principal.process.file.full_path | |
event.od_modify_password.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
event.od_modify_password.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
event.od_modify_password.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
event.od_modify_password.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
event.od_modify_password.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
event.od_modify_password.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
event.od_modify_password.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
event.od_modify_password.instigator.executable.stat.st_size | principal.process.file.size | |
event.od_modify_password.instigator.executable.sha256 | principal.process.file.sha256 | |
event.od_modify_password.instigator.executable.sha1 | principal.process.file.sha1 | |
event.od_modify_password.instigator.signing_id | additional.fields[od_modify_password_instigator_signing_id] | |
event.od_modify_password.instigator.team_id | additional.fields[od_modify_password_instigator_team_id] | |
event.od_modify_password.instigator.ppid | additional.fields[od_modify_password_instigator_ppid] | |
event.od_modify_password.instigator.codesigning_flags | additional.fields[od_modify_password_instigator_codesigning_flags] | |
event.od_modify_password.instigator.cdhash | additional.fields[od_modify_password_instigator_cdhash] | |
event.od_modify_password.instigator.is_platform_binary | additional.fields[od_modify_password_instigator_is_platform_binary] | |
event.od_modify_password.instigator.is_es_client | additional.fields[od_modify_password_instigator_is_es_client] | |
event.od_modify_password.instigator.group_id | additional.fields[od_modify_password_instigator_group_id] | |
event.od_modify_password.instigator.original_ppid | additional.fields[od_modify_password_instigator_original_pp] | |
event.od_modify_password.instigator.session_id | additional.fields[od_modify_password_instigator_session_id] | |
event.od_modify_password.account_name | target.user.user_display_name | |
event.od_modify_password.instigator_token.euid | principal.user.userid | |
event.od_modify_password.db_path | additional.fields[od_modify_password_db_path] | |
event.od_modify_password.node_name | additional.fields[od_modify_password_node_name] | |
event.od_modify_password.error_code | additional.fields[od_modify_password_error_code] | |
event_type: openssh_login
Log field | UDM mapping | Logic |
---|---|---|
| metadata.product_event_type | The metadata.product_event_type UDM field is set to openssh_login. |
| metadata.description | The value "A user has logged into the system via OpenSSH." is set to the metadata.description UDM field. |
| metadata.event_type | The metadata.event_type UDM field is set to USER_LOGIN. |
| network.application_protocol | The network.application_protocol UDM field is set to SSH. |
event.openssh_login.source_address | src.ip | |
event.openssh_login.uid | target.user.userid | |
openssh_login.username | target.user.user_display_name | |
| extensions.auth.mechanism | The extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE. |
event.openssh_login.success | security_result.category | If the event.openssh_login.success log field value is equal to false, then the security_result.category UDM field is set to AUTH_VIOLATION. |
event_type: openssh_logout
Log field | UDM mapping | Logic |
---|---|---|
| metadata.product_event_type | The metadata.product_event_type UDM field is set to openssh_logout. |
| metadata.description | The value "A user has logged out of an OpenSSH session." is set to the metadata.description UDM field. |
| metadata.event_type | The metadata.event_type UDM field is set to USER_LOGOUT. |
| network.application_protocol | The network.application_protocol UDM field is set to SSH. |
event.openssh_logout.source_address | src.ip | |
event.openssh_logout.uid | target.user.userid | |
openssh_logout.username | target.user.user_display_name | |
| extensions.auth.mechanism | The extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE. |
event_type: profile_add
Log field | UDM mapping | Logic |
---|---|---|
| metadata.product_event_type | The metadata.product_event_type UDM field is set to openssh_logout. |
| metadata.description | The value "A configuration profile is installed on the system." is set to the metadata.description UDM field. |
| metadata.event_type | The metadata.event_type UDM field is set to SETTING_CREATION. |
| target.resource.resource_type | The target.resource.resource_type UDM field is set to SETTING. |
event.profile_add.instigator.audit_token.euid | principal.process.euid | |
event.profile_add.instigator.audit_token.ruid | principal.process.ruid | |
event.profile_add.instigator.audit_token.egid | principal.process.egid | |
event.profile_add.instigator.audit_token.rgid | principal.process.rgid | |
event.profile_add.instigator.audit_token.pgid | principal.process.pgid | |
event.profile_add.instigator.audit_token.pid | principal.process.pid | |
event.profile_add.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
event.profile_add.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
event.profile_add.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
event.profile_add.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
event.profile_add.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
event.profile_add.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
event.profile_add.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
event.profile_add.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
event.profile_add.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
event.profile_add.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
event.profile_add.instigator.executable.path | principal.process.file.full_path | |
event.profile_add.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
event.profile_add.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
event.profile_add.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
event.profile_add.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
event.profile_add.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
event.profile_add.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
event.profile_add.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
event.profile_add.instigator.executable.stat.st_size | principal.process.file.size | |
event.profile_add.instigator.executable.sha256 | principal.process.file.sha256 | |
event.profile_add.instigator.executable.sha1 | principal.process.file.sha1 | |
event.profile_add.instigator.signing_id | additional.fields[profile_add_instigator_signing_id] | |
event.profile_add.instigator.team_id | additional.fields[profile_add_instigator_team_id] | |
event.profile_add.instigator.ppid | additional.fields[profile_add_instigator_ppid] | |
event.profile_add.instigator.codesigning_flags | additional.fields[profile_add_instigator_codesigning_flags] | |
event.profile_add.instigator.cdhash | additional.fields[profile_add_instigator_cdhash] | |
event.profile_add.instigator.is_platform_binary | additional.fields[profile_add_instigator_is_platform_binary] | |
event.profile_add.instigator.is_es_client | additional.fields[profile_add_instigator_is_es_client] | |
event.profile_add.instigator.group_id | additional.fields[profile_add_instigator_group_id] | |
event.profile_add.instigator.original_ppid | additional.fields[profile_add_instigator_original_pp] | |
event.profile_add.instigator.session_id | additional.fields[profile_add_instigator_session_id] | |
event.profile_add.profile.scope | target.resource.resource_subtype | |
event.profile_add.profile.uuid | target.resource.product_object_id | |
event.profile_add.profile.display_name | target.resource.name | |
event.profile_add.is_update | additional.fields[profile_add_is_update] | |
event.profile_add.profile.identifier | additional.fields[profile_add_profile_identifier] | |
event.profile_add.profile.install_source | additional.fields[profile_add_profile_install_source] | |
event.profile_add.profile.organization |
additional.fields[profile_add_profile_organization] |
event_type: profile_remove
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to openssh_logout. |
| | metadata.description | The "A configuration profile is removed from the system." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to SETTING_DELETION. |
| | target.resource.resource_type | The target.resource.resource_type UDM field is set to SETTING. |
| event.profile_remove.instigator.audit_token.euid | principal.process.euid | |
| event.profile_remove.instigator.audit_token.ruid | principal.process.ruid | |
| event.profile_remove.instigator.audit_token.egid | principal.process.egid | |
| event.profile_remove.instigator.audit_token.rgid | principal.process.rgid | |
| event.profile_remove.instigator.audit_token.pgid | principal.process.pgid | |
| event.profile_remove.instigator.audit_token.pid | principal.process.pid | |
| event.profile_remove.instigator.audit_token.uuid | principal.process.product_specific_process_id | |
| event.profile_remove.instigator.audit_token.signing_id | principal.process.file.signature_info.codesign.id | |
| event.profile_remove.instigator.parent_audit_token.euid | principal.process.parent_process.euid | |
| event.profile_remove.instigator.parent_audit_token.ruid | principal.process.parent_process.ruid | |
| event.profile_remove.instigator.parent_audit_token.egid | principal.process.parent_process.egid | |
| event.profile_remove.instigator.parent_audit_token.rgid | principal.process.parent_process.rgid | |
| event.profile_remove.instigator.parent_audit_token.pgid | principal.process.parent_process.pgid | |
| event.profile_remove.instigator.parent_audit_token.pid | principal.process.parent_process.pid | |
| event.profile_remove.instigator.parent_audit_token.uuid | principal.process.parent_process.product_specific_process_id | |
| event.profile_remove.instigator.parent_audit_token.signing_id | principal.process.parent_process.file.signature_info.codesign.id | |
| event.profile_remove.instigator.executable.path | principal.process.file.full_path | |
| event.profile_remove.instigator.executable.stat.st_dev | principal.process.file.stat_dev | |
| event.profile_remove.instigator.executable.stat.st_flags | principal.process.file.stat_flags | |
| event.profile_remove.instigator.executable.stat.st_ino | principal.process.file.stat_inode | |
| event.profile_remove.instigator.executable.stat.st_mode | principal.process.file.stat_mode | |
| event.profile_remove.instigator.executable.stat.st_mtimespec | principal.process.file.last_modification_time | |
| event.profile_remove.instigator.executable.stat.st_atimespec | principal.process.file.last_access_time | |
| event.profile_remove.instigator.executable.stat.st_nlink | principal.process.file.stat_nlink | |
| event.profile_remove.instigator.executable.stat.st_size | principal.process.file.size | |
| event.profile_remove.instigator.executable.sha256 | principal.process.file.sha256 | |
| event.profile_remove.instigator.executable.sha1 | principal.process.file.sha1 | |
| event.profile_remove.instigator.signing_id | additional.fields[profile_remove_instigator_signing_id] | |
| event.profile_remove.instigator.team_id | additional.fields[profile_remove_instigator_team_id] | |
| event.profile_remove.instigator.ppid | additional.fields[profile_remove_instigator_ppid] | |
| event.profile_remove.instigator.codesigning_flags | additional.fields[profile_remove_instigator_codesigning_flags] | |
| event.profile_remove.instigator.cdhash | additional.fields[profile_remove_instigator_cdhash] | |
| event.profile_remove.instigator.is_platform_binary | additional.fields[profile_remove_instigator_is_platform_binary] | |
| event.profile_remove.instigator.is_es_client | additional.fields[profile_remove_instigator_is_es_client] | |
| event.profile_remove.instigator.group_id | additional.fields[profile_remove_instigator_group_id] | |
| event.profile_remove.instigator.original_ppid | additional.fields[profile_remove_instigator_original_pp] | |
| event.profile_remove.instigator.session_id | additional.fields[profile_remove_instigator_session_id] | |
| event.profile_remove.profile.scope | target.resource.resource_subtype | |
| event.profile_remove.profile.uuid | target.resource.product_object_id | |
| event.profile_remove.profile.display_name | target.resource.name | |
| event.profile_remove.is_update | additional.fields[profile_remove_is_update] | |
| event.profile_remove.profile.identifier | additional.fields[profile_remove_profile_identifier] | |
| event.profile_remove.profile.install_source | additional.fields[profile_remove_profile_install_source] | |
| event.profile_remove.profile.organization | additional.fields[profile_remove_profile_organization] | |
event_type: sudo
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to sudo. |
| | metadata.description | The "A sudo attempt occurred." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.sudo.reject_info.plugin_name | additional.fields[sudo_reject_info_plugin_name] | |
| event.sudo.reject_info.failure_message | additional.fields[sudo_reject_info_failure_message] | |
| event.sudo.reject_info.plugin_type | additional.fields[sudo_reject_info_plugin_type] | |
| event.sudo.from_uid | principal.user.userid | |
| event.sudo.from_username | principal.user.user_display_name | |
| event.sudo.command | target.process.command_line | |
| event.sudo.to_uid | target.user.userid | |
| event.sudo.to_username | target.user.user_display_name | |
| event.sudo.success | security_result.category | If the event.sudo.success log field value is equal to false, then the security_result.category UDM field is set to AUTH_VIOLATION. |
event_type: system_performance
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to system_performance. |
| | metadata.description | The "Event occurs on a regular interval to collect application performance data." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.performance.metrics.hw_model | additional.fields[performance_metrics_hw_model] | |
| event.performance.page_info.page | additional.fields[performance_page_info_page] | |
| udm.performance.page_info.total | additional.fields[performance_page_info_total] | |
| event.performance.metrics.tasks.name | additional.fields[task_name] | |
| event.performance.metrics.tasks.energy_impact | additional.fields[task_energy_impact] | |
event_type: unmount
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_event_type | The metadata.product_event_type UDM field is set to unmount. |
| | metadata.description | The "A file system has been unmounted." value is set to the metadata.description UDM field. |
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| event.unmount.statfs.f_owner | target.user.userid | |
| event.unmount.device.size | target.file.size | |
| event.unmount.statfs.f_fstypename | target.resource.resource_subtype | |
| event.unmount.statfs.f_mntfromname | target.resource.name | |
| event.unmount.device.protocol | additional.fields[unmount_device_protocol] | |
| event.unmount.device.serial_number | target.asset.hardware.serial_number | If the event.unmount.device.serial_number, event.unmount.device.vendor_name or event.unmount.device.device_model log field value is not empty, then the event.unmount.device.serial_number log field is mapped to the target.asset.hardware.serial_number UDM field. |
| event.unmount.device.device_model | target.asset.hardware.model | If the event.unmount.device.serial_number, event.unmount.device.vendor_name or event.unmount.device.device_model log field value is not empty, then the event.unmount.device.device_model log field is mapped to the target.asset.hardware.model UDM field. |
| event.unmount.device.vendor_name | target.asset.hardware.manufacturer | If the event.unmount.device.serial_number, event.unmount.device.vendor_name or event.unmount.device.device_model log field value is not empty, then the event.unmount.device.vendor_name log field is mapped to the target.asset.hardware.manufacturer UDM field. |
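As an added example that is not part of this documentation or of the Google SecOps parser, the following Python applies the two conditional rules from the tables above, the `sudo` rule (security_result.category becomes AUTH_VIOLATION when event.sudo.success is false) and the `unmount` hardware rule (asset hardware fields are filled only when serial_number, vendor_name or device_model is non-empty), to constructed sample events; the dotted UDM keys are flattened strings for readability, not Google's internal representation.

```python
# Added example (not Google's parser code): applies the documented Jamf Protect
# Telemetry V2 -> UDM rules for `sudo` and `unmount` events to constructed input.
SUDO_FIELDS = {
    "from_uid": "principal.user.userid",
    "from_username": "principal.user.user_display_name",
    "command": "target.process.command_line",
    "to_uid": "target.user.userid",
    "to_username": "target.user.user_display_name",
}
# Hardware fields are filled only when at least one of them is non-empty.
UNMOUNT_HW_FIELDS = {
    "serial_number": "target.asset.hardware.serial_number",
    "device_model": "target.asset.hardware.model",
    "vendor_name": "target.asset.hardware.manufacturer",
}

def map_sudo(event: dict) -> dict:
    # Fixed metadata from the `sudo` table, then the per-field mappings.
    sudo = event["event"]["sudo"]
    udm = {
        "metadata.product_event_type": "sudo",
        "metadata.event_type": "STATUS_UPDATE",
        "metadata.description": "A sudo attempt occurred.",
    }
    for src, dst in SUDO_FIELDS.items():
        if src in sudo:
            udm[dst] = str(sudo[src])
    # Documented rule: success == false is classified as AUTH_VIOLATION.
    if sudo.get("success") is False:
        udm["security_result.category"] = "AUTH_VIOLATION"
    return udm

def map_unmount(event: dict) -> dict:
    # Fixed metadata from the `unmount` table; asset hardware is conditional.
    unmount = event["event"]["unmount"]
    statfs, device = unmount.get("statfs", {}), unmount.get("device", {})
    udm = {
        "metadata.product_event_type": "unmount",
        "metadata.event_type": "STATUS_UPDATE",
        "metadata.description": "A file system has been unmounted.",
    }
    if "f_mntfromname" in statfs:
        udm["target.resource.name"] = statfs["f_mntfromname"]
    if any(device.get(k) for k in UNMOUNT_HW_FIELDS):
        for src, dst in UNMOUNT_HW_FIELDS.items():
            if device.get(src):
                udm[dst] = device[src]
    return udm
```

A quick way to use it is to feed a few known-good and known-bad events through both functions and compare the result with what the feed actually produced in Google SecOps, which surfaces parser drift after a Jamf Protect upgrade.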