收集 Jamf Protect Telemetry V2 記錄

支援的國家/地區:

本文說明如何設定 Google Security Operations 資訊提供,以收集 Jamf Protect Telemetry V2 記錄。這份文件詳細說明如何將 Jamf Protect Telemetry V2 記錄檔欄位對應至 Google SecOps 中的統一資料模型 (UDM) 欄位,並列出支援的 Jamf Protect Telemetry V2 版本。

詳情請參閱「將資料擷取至 Google SecOps」。

一般部署作業包含 Jamf Protect Telemetry V2,以及設定為將記錄傳送至 Google SecOps 的 Google SecOps 資訊提供。每個客戶的部署作業可能有所不同,也可能更複雜。

部署作業包含下列元件:

  • Jamf Protect Telemetry V2。您要從中收集記錄的 Jamf Protect Telemetry V2 平台。

  • Google SecOps 動態消息。Google SecOps 動態消息,可從 Jamf Protect Telemetry 擷取記錄,並將記錄寫入 Google SecOps。

  • Google SecOps。Google SecOps 會保留及分析 Jamf Protect Telemetry V2 的記錄。

每個記錄檔都會使用特定剖析器,標準化為統合式資料模型 (UDM)。本文中的資訊適用於與 JAMF_TELEMETRY_V2 攝取標籤相關聯的剖析器。

事前準備

  • 確認您已設定最新版的 Jamf Protect Telemetry V2
  • 確認您使用的是 Jamf Protect 6.3.2 以上版本。
  • 請確保部署架構中的所有系統都已設定為世界標準時間時區。

在 Google SecOps 中設定資訊提供,擷取 Jamf Protect Telemetry V2 記錄

您可以使用 Amazon S3 或 Webhook 在 Google SecOps 中設定擷取動態饋給,但建議使用 Amazon S3。

使用 Amazon S3 在 Google SecOps 中設定擷取動態饋給

  1. 依序前往「SIEM 設定」>「動態消息」
  2. 按一下 [Add New] (新增)。
  3. 選取「Amazon S3」做為「來源類型」
  4. 選取「Jamf Protect Telemetry V2」做為「記錄類型」,為 Jamf Protect Telemetry V2 建立動態饋給。
  5. 點選「下一步」
  6. 設定下列輸入參數:
    • S3 URI:指向 S3 容器的 URI。
    • URI 是:URI 指出的物件類型。
    • 來源刪除選項:是否要在轉移後刪除檔案或目錄。
    • 選取「存取金鑰」或「私密存取金鑰」:選擇適當的憑證類型。
    • 金鑰/權杖:存取 S3 資源的共用金鑰或 SAS 權杖。
  7. 依序點選「下一步」和「提交」
  8. 從動態饋給名稱複製動態饋給 ID,以便在 Jamf Protect Telemetry V2 中使用。

使用 Webhook 在 Google SecOps 中設定擷取動態饋給

  1. 依序前往「SIEM 設定」>「動態消息」
  2. 按一下「新增」
  3. 在「動態饋給名稱」欄位中,輸入動態饋給名稱。
  4. 在「Source type」(來源類型) 清單中,選取「Webhook」(Webhook)
  5. 選取「Jamf Protect Telemetry V2」做為「記錄類型」,為 Jamf Protect Telemetry V2 建立動態饋給。
  6. 點選「下一步」
  7. 選用:指定下列輸入參數的值:
    • 分割分隔符號:用於分隔記錄行的分隔符號,例如 \n
    • 資產命名空間資產命名空間
    • 擷取標籤:要套用至這個動態饋給事件的標籤。
  8. 點選「下一步」
  9. 在「Finalize」畫面上檢查新的動態饋給設定,然後按一下「Submit」
  10. 按一下「產生密鑰」,產生驗證這個動態消息的密鑰。
  11. 複製並妥善儲存「密鑰」。您無法再次查看這個密鑰。如有需要,您可以重新產生新的密鑰,但這項操作會使先前的密鑰失效。
  12. 在「詳細資料」分頁中,從「端點資訊」欄位複製動態消息端點網址。您需要這個 HTTPS 網址,才能設定 Jamf Protect Telemetry V2 用戶端應用程式。
  13. 按一下 [完成]

為 Webhook 動態饋給建立 API 金鑰

  1. 依序前往 Google Cloud 控制台 >「憑證」

    前往「憑證」

  2. 按一下 [Create credentials] (建立憑證),然後選取 [API key] (API 金鑰)

  3. 將 API 金鑰存取權限制在 Google Security Operations API

為 Webhook 饋給設定 Jamf Protect Telemetry V2

  1. 在 Jamf Protect Telemetry V2 應用程式中,前往相關的「動作設定」
  2. 按一下「建立動作」,新增資料端點。
  3. 選取「HTTP」做為通訊協定。
  4. 在「URL」欄位中,輸入 Google Security Operations API 端點的 HTTPS 網址。(這是您從 Webhook 摘要設定複製的「端點資訊」欄位。(已經是所需格式)。
  5. 指定 API 金鑰密鑰,以啟用驗證,格式如下:

    X-goog-api-key = API_KEY
    X-Webhook-Access-Key = SECRET
    

    建議:請將 API 金鑰指定為標頭,而非在網址中指定。如果 Webhook 用戶端不支援自訂標頭,您可以使用查詢參數指定 API 金鑰密鑰,格式如下:

    ENDPOINT_URL?key=API_KEY&secret=SECRET
    

    更改下列內容:

    • ENDPOINT_URL:動態消息端點網址。
    • API_KEY:用於向 Google Security Operations 進行驗證的 API 金鑰。
    • SECRET:您產生的密鑰,用於驗證動態饋給。
  6. 在「收集記錄」部分中,選取「遙測」

  7. 按一下「提交」

如要進一步瞭解 Google SecOps 動態消息,請參閱 Google SecOps 動態消息說明文件。如要瞭解各動態饋給類型的規定,請參閱「依類型設定動態饋給」。

如果在建立動態饋給時遇到問題,請與 Google SecOps 支援團隊聯絡。

欄位對應參考資料

本節說明 Google SecOps 剖析器如何將 Jamf Protect Telemetry V2 欄位對應至 Google SecOps 統一資料模型 (UDM) 欄位。

欄位對應參照:事件 ID 對應至事件類型

下表列出 JAMF_TELEMETRY_V2 記錄類型及其對應的 UDM 事件類型。

Event Identifier Event Type
authentication USER_LOGIN
bios_uefi STATUS_UPDATE
btm_launch_item_add PROCESS_LAUNCH
btm_launch_item_remove PROCESS_TERMINATION
chroot FILE_MODIFICATION
cs_invalidated STATUS_UPDATE
exec PROCESS_LAUNCH
file_collection STATUS_UPDATE
gatekeeper_user_override STATUS_UPDATE
kextload STATUS_UPDATE
kextunload STATUS_UPDATE
log_collection STATUS_UPDATE
login_login USER_LOGIN
login_logout USER_LOGOUT
lw_session_lock USER_LOGOUT
lw_session_login USER_LOGIN
lw_session_logout USER_LOGOUT
lw_session_unlock USER_LOGIN
mount STATUS_UPDATE
od_attribute_set USER_RESOURCE_UPDATE_CONTENT
od_attribute_value_add STATUS_UPDATE
od_attribute_value_remove USER_RESOURCE_DELETION
od_create_group GROUP_CREATION
od_create_user USER_CREATION
od_delete_group GROUP_DELETION
od_delete_user USER_DELETION
od_disable_user USER_UNCATEGORIZED
od_enable_user USER_UNCATEGORIZED
od_group_add GROUP_MODIFICATION
od_group_remove GROUP_MODIFICATION
od_group_set GROUP_MODIFICATION
od_modify_password USER_CHANGE_PASSWORD
openssh_login USER_LOGIN
openssh_logout USER_LOGOUT
sudo STATUS_UPDATE
system_performance STATUS_UPDATE
unmount STATUS_UPDATE
profile_add SETTING_CREATION
profile_remove SETTING_DELETION
remount RESOURCE_CREATION
screensharing_attach USER_LOGIN
screensharing_detach USER_LOGOUT
settime STATUS_UPDATE
su USER_LOGIN
xp_malware_detected SCAN_FILE
xp_malware_remediated SCAN_FILE

欄位對應參考資料:JAMF_TELEMETRY_V2 - Common Fields

下表列出 JAMF_TELEMETRY_V2 記錄類型常見的欄位,以及對應的 UDM 欄位。

Log field UDM mapping Logic
action.result.result.auth security_result.action If the **event_type** log field value is < `8000`, and not equal to `113` or `112`, and the **action.result.result.auth** field is equal to **1**, then set `security_result.action` to **BLOCK**. Else, set `security_result.action` to **ALLOW**
principal.platform The principal.platform UDM field is set to MAC.
uuid metadata.product_log_id
time metadata.event_timestamp
metadata.product metadata.product_name
host.protectVersion metadata.product_version
metadata.vendor metadata.vendor_name
host.hostname principal.asset.hostname
host.os principal.platform_version
host.provisioningUDID principal.asset_id
host.serial principal.asset.hardware.serial_number
host.ips principal.ip Iterate through log field host.ips, then
host.ips log field is mapped to the principal.ip UDM field.
event_type additional.fields[event_type]
global_seq_num additional.fields[global_seq_num]
process.executable.path src.process.file.full_path
process.executable.stat.st_dev src.process.file.stat_dev
process.executable.stat.st_flags src.process.file.stat_flags
process.executable.stat.st_ino src.process.file.stat_inode
process.executable.stat.st_mode src.process.file.stat_mode
process.executable.stat.st_mtimespec src.process.file.last_modification_time
process.executable.stat.st_atimespec src.process.file.last_access_time
process.executable.stat.st_nlink src.process.file.stat_nlink
process.executable.stat.st_size src.process.file.size
process.executable.sha256 src.process.file.sha256
process.executable.sha1 src.process.file.sha1
process.signing_id src.process.file.signature_info.codesign.id
process.team_id additional.fields[process_team_id]
process.ppid additional.fields[process_ppid]
process.codesigning_flags additional.fields[process_codesigning_flags]
process.cdhash additional.fields[process_cdhash]
process.is_platform_binary additional.fields[process_is_platform_binary]
process.is_es_client additional.fields[process_is_es_client]
process.group_id additional.fields[process_group_id]
process.original_ppid additional.fields[process_original_ppid]
process.session_id additional.fields[process_session_id]
thread.uuid additional.fields[thread_uuid]
thread.thread_id additional.fields[thread_id]
seq_num additional.fields[seq_num]
mach_time additional.fields[mach_time]
version additional.fields[version]
process.audit_token.euid src.process.euid
process.audit_token.ruid src.process.ruid
process.audit_token.egid src.process.egid
process.audit_token.rgid src.process.rgid
process.audit_token.pgid src.process.pgid
process.audit_token.pid src.process.pid
process.audit_token.uuid src.process.product_specific_process_id
process.audit_token.signing_id additional.fields[process_audit_token_signing_id]
process.parent_audit_token.euid src.process.parent_process.euid
process.parent_audit_token.ruid src.process.parent_process.ruid
process.parent_audit_token.egid src.process.parent_process.egid
process.parent_audit_token.rgid src.process.parent_process.rgid
process.parent_audit_token.pgid src.process.parent_process.pgid
process.parent_audit_token.pid src.process.parent_process.pid
process.parent_audit_token.uuid src.process.parent_process.product_specific_process_id
process.parent_audit_token.signing_id src.process.parent_process.file.signature_info.codesign.id

欄位對應參考資料:依據「event_type」將原始記錄欄位對應至 UDM 欄位。

event_type: remount

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to remount.
metadata.description A file system has been remounted. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to RESOURCE_CREATION.
principal.user.userid The principal.user.userid UDM field is set to null.
event.remount.statfs.f_owner target.user.userid
event.remount.device.size target.file.size
event.remount.statfs.f_fstypename target.resource.resource_subtype
event.remount.statfs.f_mntfromname src.resource.name
event.remount.statfs.f_mntonname target.resource.name

event_type: screensharing_attach

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to screensharing_attach.
metadata.description A screen sharing session has attached to a graphical session. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
event.screensharing_attach.source_address src.ip
event.screensharing_attach.authentication_username target.user.user_display_name
event.screensharing_attach.session_username principal.user.user_display_name
event.screensharing_attach.viewer_appleid additional.fields[screensharing_attach.viewer_appleid]
extensions.auth.mechanism The extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.
security_result.category If the event.screensharing_attach.success log field value is equal to false then, the security_result.category UDM field is set to AUTH_VIOLATION.

event_type: su

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to su.
metadata.description A user attempts to start a new shell using a substitute user identity. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
extensions.auth.type The extensions.auth.type UDM field is set to MACHINE.
event.su.argv target.process.command_line If the event.su.argc log field value is not equal to 0 then,
iterate through log field event.su.argv, then event.su.argv log field is mapped to the target.process.command_line UDM field.
event.su.to_uid target.user.userid
event.su.to_username target.user.user_display_name
event.su.from_uid principal.user.userid
event.su.from_username principal.user.user_display_name

event_type: settime

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to settime.
metadata.description The system time was attempted to be set. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.

event_type: screensharing_detach

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to screensharing_detach.
metadata.description A screen sharing session has detached from a graphical session. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGOUT.
target.user.user_display_name The target.user.user_display_name UDM field is set to null.
event.screensharing_detach.source_address src.ip
extensions.auth.mechanism The extensions.auth.mechanism UDM field is set to mechanism.

event_type: xp_malware_remediated

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to xp_malware_remediated.
metadata.description Apple's XProtect remediated malware on the system. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to SCAN_FILE.
action.result.result.auth security_result.action
event.xp_malware_remediated.remediated_path target.file.full_path
event.xp_malware_remediated.action_type additional.fields[xp_malware_remediated.action_type]
event.xp_malware_remediated.success additional.fields[xp_malware_remediated.success]
event.xp_malware_remediated.incident_identifier security_result.threat_id
event.xp_malware_remediated.malware_identifier security_result.threat_name
event.xp_malware_remediated.signature_version security_result.rule_id

event_type: xp_malware_detected

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to xp_malware_detected.
metadata.description Apple's XProtect detected malware on the system. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to SCAN_FILE.
action.result.result.auth security_result.action
event.xp_malware_detected.detected_path target.file.full_path
event.xp_malware_detected.incident_identifier security_result.threat_id
event.xp_malware_detected.malware_identifier security_result.threat_name

event_type: authentication

Log field UDM mapping Logic
Check additional fields in conf
metadata.product_event_type The metadata.product_event_type UDM field is set to authentication.
metadata.description A user authentication has occurred. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
event.authentication.data.od.instigator.audit_token.pid principal.process.pid
event.authentication.data.od.instigator.audit_token.uuid principal.process.product_specific_process_id JamfProtect:%{event.authentication.data.od.instigator.audit_token.uuid} log field is mapped to the principal.process.product_specific_process_id UDM field.
event.authentication.data.od.instigator.audit_token.euid principal.process.euid
event.authentication.data.od.instigator.audit_token.ruid principal.process.ruid
event.authentication.data.od.instigator.audit_token.rgid principal.process.rgid
event.authentication.data.od.instigator.audit_token.pgid principal.process.pgid
event.authentication.data.od.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.authentication.data.od.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.authentication.data.od.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.authentication.data.od.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.authentication.data.od.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.authentication.data.od.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.authentication.data.od.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.authentication.data.od.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id JamfProtect:%{event.authentication.data.od.instigator.parent_audit_token.uuid} log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field.
event.authentication.data.od.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.authentication.data.od.instigator.executable.path principal.process.file.full_path
event.authentication.data.od.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.authentication.data.od.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.authentication.data.od.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.authentication.data.od.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.authentication.data.od.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.authentication.data.od.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.authentication.data.od.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.authentication.data.od.instigator.executable.stat.st_size principal.process.file.size
event.authentication.data.od.instigator.executable.sha256 principal.process.file.sha256
event.authentication.data.od.instigator.executable.sha1 principal.process.file.sha1
event.authentication.data.od.instigator.signing_id additional.fields[authentication_data_od_instigator_signing_id]
event.authentication.data.od.instigator.team_id additional.fields[authentication_data_od_instigator_team_id]
event.authentication.data.od.instigator.ppid rincipal.process.parent_process.pid
event.authentication.data.od.instigator.codesigning_flags additional.fields[codesigning_flags]
event.authentication.data.od.instigator.cdhash additional.fields[cdhash]
event.authentication.data.od.instigator.is_platform_binary additional.fields[is_platform_binary]
event.authentication.data.od.instigator.is_es_client additional.fields[is_es_client]
event.authentication.data.od.instigator.group_id additional.fields[group_id]
event.authentication.data.od.instigator.original_ppid additional.fields[original_ppid]
event.authentication.data.od.instigator.session_id additional.fields[session_id]
event.authentication.data.touchid.instigator.audit_token.euid principal.process.euid
event.authentication.data.touchid.instigator.audit_token.ruid principal.process.ruid
event.authentication.data.touchid.instigator.audit_token.egid principal.process.egid
event.authentication.data.touchid.instigator.audit_token.rgid principal.process.rgid
event.authentication.data.touchid.instigator.audit_token.pgid principal.process.pgid
event.authentication.data.touchid.instigator.audit_token.pid principal.process.pid
event.authentication.data.touchid.instigator.audit_token.uuid principal.process.product_specific_process_id
event.authentication.data.touchid.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.authentication.data.touchid.instigator.parent_audit_token.euid principal.parent_process.parent_process.euid
event.authentication.data.touchid.instigator.parent_audit_token.ruid principal.parent_process.parent_process.ruid
event.authentication.data.touchid.instigator.parent_audit_token.egid principal.parent_process.parent_process.egid
event.authentication.data.touchid.instigator.parent_audit_token.rgid principal.parent_process.parent_process.rgid
event.authentication.data.touchid.instigator.parent_audit_token.pgid principal.parent_process.parent_process.pgid
event.authentication.data.touchid.instigator.parent_audit_token.pid principal.parent_process.parent_process.pid
event.authentication.data.touchid.instigator.parent_audit_token.uuid principal.parent_process.product_specific_process_id
event.authentication.data.touchid.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.authentication.data.touchid.instigator.executable.path principal.process.file.full_path
event.authentication.data.touchid.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.authentication.data.touchid.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.authentication.data.touchid.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.authentication.data.touchid.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.authentication.data.touchid.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.authentication.data.touchid.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.authentication.data.touchid.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.authentication.data.touchid.instigator.executable.stat.st_size principal.process.file.size
event.authentication.data.touchid.instigator.executable.sha256 principal.process.file.sha256
event.authentication.data.touchid.instigator.executable.sha1 principal.process.file.sha1
event.authentication.data.touchid.instigator.signing_id additional.fields[authentication_data_touch_id_instigator_signing_id]
event.authentication.data.touchid.instigator.team_id additional.fields[authentication_data_touch_id_instigator_team_id]
event.authentication.data.touchid.instigator.ppid additional.fields[authentication_data_touch_id_instigator_ppid]
event.authentication.data.touchid.instigator.codesigning_flags additional.fields[touchid_instigator_codesigning_flags]
event.authentication.data.touchid.instigator.cdhash additional.fields[touchid_instigator_cdhash]
event.authentication.data.touchid.instigator.is_platform_binary additional.fields[touchid_instigator_is_platform_binary]
event.authentication.data.touchid.instigator.is_es_client additional.fields[touchid_instigator_is_es_client]
event.authentication.data.touchid.instigator.group_id additional.fields[touchid_instigator_group_id]
event.authentication.data.touchid.instigator.original_ppid additional.fields[touchid_instigator_original_ppid]
event.authentication.data.touchid.instigator.session_id additional.fields[touchid_instigator_session_id]
event.authentication.data.token.instigator.audit_token.euid principal.process.euid
event.authentication.data.token.instigator.audit_token.ruid principal.process.ruid
event.authentication.data.token.instigator.audit_token.egid principal.process.egid
event.authentication.data.token.instigator.audit_token.rgid principal.process.rgid
event.authentication.data.token.instigator.audit_token.pgid principal.process.pgid
event.authentication.data.token.instigator.audit_token.pid principal.process.pid
event.authentication.data.token.instigator.audit_token.uuid principal.process.product_specific_process_id
event.authentication.data.token.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.authentication.data.token.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.authentication.data.token.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.authentication.data.token.instigator.parent_audit_token.egid process.parent_process.egid
event.authentication.data.token.instigator.parent_audit_token.rgid process.parent_process.rgid
event.authentication.data.token.instigator.parent_audit_token.pgid process.parent_process.pgid
event.authentication.data.token.instigator.parent_audit_token.pid process.parent_process.pid
event.authentication.data.token.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.authentication.data.token.instigator.parent_audit_token.signing_id process.parent_process.file.signature_info.codesign.id
event.authentication.data.token.instigator.executable.path principal.process.file.full_path
event.authentication.data.token.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.authentication.data.token.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.authentication.data.token.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.authentication.data.token.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.authentication.data.token.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.authentication.data.token.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.authentication.data.token.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.authentication.data.token.instigator.executable.stat.st_size principal.process.file.size
event.authentication.data.token.instigator.executable.sha256 principal.process.file.sha256
event.authentication.data.token.instigator.executable.sha1 principal.process.file.sha1
event.authentication.data.token.instigator.signing_id additional.fields[authentication_data_token_instigator_signing_id]
event.authentication.data.token.instigator.team_id additional.fields[authentication_data_token_instigator_team_id]
event.authentication.data.token.instigator.ppid additional.fields[authentication_data_token_instigator_ppid]
event.authentication.data.token.instigator.codesigning_flags additional.fields[instigator_codesigning_flags]
event.authentication.data.token.instigator.cdhash additional.fields[instigator_cdhash]
event.authentication.data.token.instigator.is_platform_binary additional.fields[instigator_is_platform_binary]
event.authentication.data.token.instigator.is_es_client additional.fields[instigator_is_es_client]
event.authentication.data.token.instigator.group_id additional.fields[instigator_group_id]
event.authentication.data.token.instigator.original_ppid additional.fields[instigator_original_ppid]
event.authentication.data.token.instigator.session_id additional.fields[instigator_session_id]
event.authentication.data.od.record_name target.user.user_display_name
event.authentication.data.od.db_path additional.fields[db_path]
event.authentication.data.od.node_name additional.fields[node_name]
event.authentication.data.od.record_type additional.fields[record_type]
event.authentication.data.touchid.uid target.user.userid
event.authentication.data.touchid.touchid_mode additional.fields[authentication_data_touchid_touchid_mode]
event.authentication.data.token.pubkey_hash additional.fields[authentication_data_token_pubkey_hash]
event.authentication.data.token.token_id additional.fields[authentication_data_token_token_id]
event.authentication.data.token.kerberos_principal additional.fields[authentication_data_token_kerberos_principal]
event.authentication.data.auto_unlock.username target.user.user_display_name
event.authentication.data.auto_unlock.type additional.fields[authentication_data_auto_unlock_type]
event.authentication.type extensions.auth.mechanism If the event.authentication.type log field value is equal to 0 then, the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD.
Else If the event.authentication.type log field value is equal to 1 then, the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER.
Else If the event.authentication.type log field value is equal to 2 then, the extensions.auth.mechanism UDM field is set to HARDWARE_KEY.
Else, the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER.
event.authentication.success security_result.category If the event.authentication.success log field value is equal to false then, the security_result.category UDM field is set to AUTH_VIOLATION.

event_type: btm_launch_item_add

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to btm_launch_item_add.
metadata.description Apple's Background Task Manager notifies that a new persistence item has been added. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to PROCESS_LAUNCH.
event.btm_launch_item_add.instigator.audit_token.euid principal.process.euid
event.btm_launch_item_add.instigator.audit_token.ruid principal.process.ruid
event.btm_launch_item_add.instigator.audit_token.egid principal.process.egid
event.btm_launch_item_add.instigator.audit_token.rgid principal.process.rgid
event.btm_launch_item_add.instigator.audit_token.pgid principal.process.pgid
event.btm_launch_item_add.instigator.audit_token.pid principal.process.pid
event.btm_launch_item_add.instigator.audit_token.uuid principal.process.product_specific_process_id
event.btm_launch_item_add.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.btm_launch_item_add.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.btm_launch_item_add.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.btm_launch_item_add.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.btm_launch_item_add.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.btm_launch_item_add.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.btm_launch_item_add.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.btm_launch_item_add.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.btm_launch_item_add.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.btm_launch_item_add.instigator.executable.path principal.process.file.full_path
event.btm_launch_item_add.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.btm_launch_item_add.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.btm_launch_item_add.instigator.executable.stat.stat_inode principal.process.file.stat_inode
event.btm_launch_item_add.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.btm_launch_item_add.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.btm_launch_item_add.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.btm_launch_item_add.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.btm_launch_item_add.instigator.executable.stat.st_size principal.process.file.size
event.btm_launch_item_add.instigator.executable.sha256 principal.process.file.sha256
event.btm_launch_item_add.instigator.executable.sha1 principal.process.file.sha1
event.btm_launch_item_add.instigator.signing_id additional.fields[btm_launch_item_add_data_token_instigator_signing_id]
event.btm_launch_item_add.instigator.team_id additional.fields[btm_launch_item_add_data_token_instigator_team_id]
event.btm_launch_item_add.instigator.ppid additional.fields[btm_launch_item_add_data_token_instigator_ppid]
event.btm_launch_item_add.instigator.codesigning_flags additional.fields[btm_launch_item_add_instigator_codesigning_flags]
event.btm_launch_item_add.instigator.cdhash additional.fields[btm_launch_item_add_instigator_cdhash]
event.btm_launch_item_add.instigator.is_platform_binary additional.fields[btm_launch_item_add_instigator_is_platform_binary]
event.btm_launch_item_add.instigator.is_es_client additional.fields[btm_launch_item_add_instigator_is_es_client]
event.btm_launch_item_add.instigator.group_id additional.fields[btm_launch_item_add_instigator_group_id]
event.btm_launch_item_add.instigator.original_ppid additional.fields[btm_launch_item_add_instigator_original_ppid]
event.btm_launch_item_add.instigator.session_id additional.fields[btm_launch_item_add_instigator_session_id]
event.btm_launch_item_add.app.audit_token.euid target.process.euid
event.btm_launch_item_add.app.audit_token.ruid target.process.ruid
event.btm_launch_item_add.app.audit_token.egid target.process.egid
event.btm_launch_item_add.app.audit_token.rgid target.process.rgid
event.btm_launch_item_add.app.audit_token.pgid target.process.pgid
event.btm_launch_item_add.app.audit_token.pid target.process.pid
event.btm_launch_item_add.app.audit_token.uuid target.process.product_specific_process_id
event.btm_launch_item_add.app.audit_token.signing_id target.process.file.signature_info.codesign.id
event.btm_launch_item_add.app.parent_audit_token.euid target.process.parent_process.euid
event.btm_launch_item_add.app.parent_audit_token.ruid target.process.parent_process.ruid
event.btm_launch_item_add.app.parent_audit_token.egid target.process.parent_process.egid
event.btm_launch_item_add.app.parent_audit_token.rgid target.process.parent_process.rgid
event.btm_launch_item_add.app.parent_audit_token.pid target.process.parent_process.pid
event.btm_launch_item_add.app.parent_audit_token.uuid target.process.parent_process.product_specific_process_id
event.btm_launch_item_add.app.parent_audit_token.signing_id target.process.parent_process.file.signature_info.codesign.id
event.btm_launch_item_add.app.executable.path target.process.file.full_path
event.btm_launch_item_add.app.executable.stat.st_dev target.process.file.stat_dev
event.btm_launch_item_add.app.executable.stat.st_flags target.process.file.stat_flags
event.btm_launch_item_add.app.executable.stat.st_ino target.process.file.stat_inode
event.btm_launch_item_add.app.executable.stat.st_mode target.process.file.stat_mode
event.btm_launch_item_add.app.executable.stat.st_mtimespec target.process.file.last_modification_time
event.btm_launch_item_add.app.executable.stat.st_atimespec target.process.file.last_access_time
event.btm_launch_item_add.app.executable.stat.st_nlink target.process.file.stat_nlink
event.btm_launch_item_add.app.executable.stat.st_size target.process.file.size
event.btm_launch_item_add.app.executable.sha256 target.process.file.sha256
event.btm_launch_item_add.app.executable.sha1 target.process.file.sha1
event.btm_launch_item_add.app.signing_id additional.fields[btm_launch_item_add_app_signing_id]
event.btm_launch_item_add.app.team_id additional.fields[btm_launch_item_add_app_team_id]
event.btm_launch_item_add.app.ppid additional.fields[btm_launch_item_add_app_ppid]
event.btm_launch_item_add.app.codesigning_flags additional.fields[btm_launch_item_add_app_codesigning_flags]
event.btm_launch_item_add.app.cdhash additional.fields[btm_launch_item_add_app_cdhash]
event.btm_launch_item_add.app.is_platform_binary additional.fields[btm_launch_item_add_app_is_platform_binary]
event.btm_launch_item_add.app.is_es_client additional.fields[btm_launch_item_add_app_is_es_client]
event.btm_launch_item_add.app.group_id additional.fields[btm_launch_item_add_app_group_id]
event.btm_launch_item_add.app.original_ppid additional.fields[btm_launch_item_add_app_group_id]
event.btm_launch_item_add.app.session_id additional.fields[btm_launch_item_add_app_session_id]
event.btm_launch_item_add.executable_path target.file.full_path If the event.btm_launch_item_add.item.item_type log field value is equal to 4 or the event.btm_launch_item_add.item.item_type log field value is equal to 3 and if the event.btm_launch_item_add.executable_path log field value is not empty and if the event.btm_launch_item_add.executable_path log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_add.executable_path log field value does not match the regular expression pattern /^[a-zA-Z0-9] then, event.btm_launch_item_add.executable_path log field is mapped to the target.file.full_path UDM field.
Else, %{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.executable_path} log field is mapped to the target.file.full_path UDM field.
Else If the event.btm_launch_item_add.item.item_url log field value is not empty and if the event.btm_launch_item_add.item.item_url log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_add.item.item_url log field value does not match the regular expression pattern /^[a-zA-Z0-9] then, event.btm_launch_item_add.item.item_url log field is mapped to the target.resource.name UDM field.
Else, %{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url} log field is mapped to the target.resource.name UDM field.
event.btm_launch_item_add.item.item_url target.file.full_path If the event.btm_launch_item_add.item.item_type log field value is equal to 0 or the event.btm_launch_item_add.item.item_type log field value is equal to 1 or the event.btm_launch_item_add.item.item_type log field value is equal to 2 and if the event.btm_launch_item_add.item.item_url log field value is not empty and if the event.btm_launch_item_add.item.item_url log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_add.item.item_url log field value does not match the regular expression pattern /^[a-zA-Z0-9] then the event.btm_launch_item_add.item.item_url log field is mapped to the target.file.full_path UDM field.
Else, %{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url} log field is mapped to the target.file.full_path UDM field.
event.btm_launch_item_add.item.uid target.user.userid
event.btm_launch_item_add.item.item_type target.application If the event.btm_launch_item_add.item.item_type log field value is equal to 0 then, the target.application UDM field is set to USER_ITEM.
Else, if event.btm_launch_item_add.item.item_type log field value is equal to 1 then, the target.application UDM field is set to APP.
Else, if event.btm_launch_item_add.item.item_type log field value is equal to 2 then, the target.application UDM field is set to LOGIN_ITEM.
Else, if event.btm_launch_item_add.item.item_type log field value is equal to 3 then, the target.application UDM field is set to AGENT.
Else, if event.btm_launch_item_add.item.item_type log field value is equal to 4 then, the target.application UDM field is set to DAEMON.
event.btm_launch_item_add.item.managed additional.fields[btm_launch_item_add_item_managed]
event.btm_launch_item_add.item.legacy additional.fields[btm_launch_item_add_item_legacy]

event_type: btm_launch_item_remove

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to btm_launch_item_remove.
metadata.description Apple's Background Task Manager notified that an item has been removed. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to PROCESS_TERMINATION.
event.btm_launch_item_remove.instigator.audit_token.euid principal.process.euid
event.btm_launch_item_remove.instigator.audit_token.ruid principal.process.ruid
event.btm_launch_item_remove.instigator.audit_token.egid principal.process.egid
event.btm_launch_item_remove.instigator.audit_token.rgid principal.process.rgid
event.btm_launch_item_remove.instigator.audit_token.pgid principal.process.pgid
event.btm_launch_item_remove.instigator.audit_token.pid principal.process.pid
event.btm_launch_item_remove.instigator.audit_token.uuid principal.process.product_specific_process_id
event.btm_launch_item_remove.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.btm_launch_item_remove.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.btm_launch_item_remove.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.btm_launch_item_remove.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.btm_launch_item_remove.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.btm_launch_item_remove.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.btm_launch_item_remove.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.btm_launch_item_remove.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.btm_launch_item_remove.instigator.executable.path principal.process.file.full_path
event.btm_launch_item_remove.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.btm_launch_item_remove.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.btm_launch_item_remove.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.btm_launch_item_remove.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.btm_launch_item_remove.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.btm_launch_item_remove.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.btm_launch_item_remove.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.btm_launch_item_remove.instigator.executable.stat.st_size principal.process.file.size
event.btm_launch_item_remove.instigator.executable.sha256 principal.process.file.sha256
event.btm_launch_item_remove.instigator.executable.sha1 principal.process.file.sha1
event.btm_launch_item_remove.instigator.codesigning_flags additional.fields[btm_launch_item_remove_instigator_codesigning_flags]
event.btm_launch_item_remove.instigator.cdhash additional.fields[btm_launch_item_remove_instigator_cdhash]
event.btm_launch_item_remove.instigator.is_es_client additional.fields[btm_launch_item_remove_instigator_is_es_client]
event.btm_launch_item_remove.instigator.group_id additional.fields[btm_launch_item_remove_instigator_group_id]
event.btm_launch_item_remove.instigator.original_ppid additional.fields[btm_launch_item_remove_instigator_original_ppid]
event.btm_launch_item_remove.instigator.session_id additional.fields[btm_launch_item_remove_instigator_session_id]
event.btm_launch_item_remove.app.audit_token.euid target.process.euid
event.btm_launch_item_remove.app.audit_token.ruid target.process.ruid
event.btm_launch_item_remove.app.audit_token.egid target.process.egid
event.btm_launch_item_remove.app.audit_token.rgid target.process.rgid
event.btm_launch_item_remove.app.audit_token.pgid target.process.pgid
event.btm_launch_item_remove.app.audit_token.pid target.process.pid
event.btm_launch_item_remove.app.audit_token.uuid target.process.product_specific_process_id
event.btm_launch_item_remove.app.audit_token.signing_id target.process.file.signature_info.codesign.id
event.btm_launch_item_remove.app.parent_audit_token.euid target.process.parent_process.euid
event.btm_launch_item_remove.app.parent_audit_token.ruid target.process.parent_process.ruid
event.btm_launch_item_remove.app.parent_audit_token.egid target.process.parent_process.egid
event.btm_launch_item_remove.app.parent_audit_token.rgid target.process.parent_process.rgid
event.btm_launch_item_remove.app.parent_audit_token.pgid target.process.parent_process.pgid
event.btm_launch_item_remove.app.parent_audit_token.pid target.process.parent_process.pid
event.btm_launch_item_remove.app.parent_audit_token.uuid target.process.parent_process.product_specific_process_id
event.btm_launch_item_remove.app.executable.path target.process.file.full_path
event.btm_launch_item_remove.app.executable.stat.st_dev target.process.file.stat_dev
event.btm_launch_item_remove.app.executable.stat.st_flags target.process.file.stat_flags
event.btm_launch_item_remove.app.executable.stat.st_ino target.process.file.stat_inode
event.btm_launch_item_remove.app.executable.stat.st_mode target.process.file.stat_mode
event.btm_launch_item_remove.app.executable.stat.st_mtimespec target.process.file.last_modification_time
event.btm_launch_item_remove.app.executable.stat.st_atimespec target.process.file.last_access_time
event.btm_launch_item_remove.app.executable.stat.st_nlink target.process.file.stat_nlink
event.btm_launch_item_remove.app.executable.stat.st_size target.process.file.size
event.btm_launch_item_remove.app.executable.sha256 target.process.file.sha256
event.btm_launch_item_remove.app.executable.sha1 target.process.file.sha1
event.btm_launch_item_remove.app.signing_id additional.fields[btm_launch_item_remove_app_signing_id]
event.btm_launch_item_remove.app.team_id additional.fields[btm_launch_item_remove_app_team]
event.btm_launch_item_remove.app.ppid additional.fields[btm_launch_item_remove_app_ppid]
event.btm_launch_item_remove.app.codesigning_flags additional.fields[btm_launch_item_remove_app_codesigning_flags]
event.btm_launch_item_remove.app.cdhash additional.fields[btm_launch_item_remove_app_cdhash]
event.btm_launch_item_remove.app.is_platform_binary additional.fields[additional.fields[btm_launch_item_remove_app_cdhash]]
event.btm_launch_item_remove.app.is_es_client additional.fields[additional.fields[btm_launch_item_remove_app_is_es_client]]
event.btm_launch_item_remove.app.group_id additional.fields[additional.fields[btm_launch_item_remove_app_group_id]]
event.btm_launch_item_remove.app.original_ppid additional.fields[additional.fields[btm_launch_item_remove_app_original_ppid]]
event.btm_launch_item_remove.app.session_id additional.fields[additional.fields[btm_launch_item_remove_app_session_id]]
event.btm_launch_item_remove.item.app_url target.file.full_path If the event.btm_launch_item_remove.item.item_url log field value is not empty and if the event.btm_launch_item_remove.item.item_url log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_remove.item.item_url log field value does not match the regular expression pattern /^[a-zA-Z0-9] then, event.btm_launch_item_remove.item.item_url log field is mapped to the target.file.full_path UDM field.
Else, %{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url} log field is mapped to the target.file.full_path UDM field.
event.btm_launch_item_remove.item.item_url target.file.full_path If the event.btm_launch_item_remove.item.item_url log field value is not empty and if the event.btm_launch_item_remove.item.item_url log field value matches the regular expression pattern /^file:./ or the event.btm_launch_item_remove.item.item_url log field value does not match the regular expression pattern /^[a-zA-Z0-9] then, event.btm_launch_item_remove.item.item_url log field is mapped to the target.file.full_path UDM field.
Else, %{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url} log field is mapped to the target.file.full_path UDM field.
event.btm_launch_item_remove.item.uid target.user.userid
event.btm_launch_item_remove.executable_path target.file.full_path
event.btm_launch_item_remove.item.item_type target.application If the event.btm_launch_item_remove.item.item_type log field value is equal to 0 then, the target.application UDM field is set to USER_ITEM.
Else, if event.btm_launch_item_remove.item.item_type log field value is equal to 1 then, the target.application UDM field is set to APP.
Else, if event.btm_launch_item_remove.item.item_type log field value is equal to 2 then, the target.application UDM field is set to LOGIN_ITEM.
Else, if event.btm_launch_item_remove.item.item_type log field value is equal to 3 then, the target.application UDM field is set to AGENT.
Else, if event.btm_launch_item_remove.item.item_type log field value is equal to 4 then, the target.application UDM field is set to DAEMON.
event.btm_launch_item_remove.item.managed additional.fields[btm_launch_item_remove_item_managed]
event.btm_launch_item_remove.item.legacy additional.fields[btm_launch_item_remove_item_legacy]
event.btm_launch_item_remove.app.parent_audit_token.signing_id target.process.parent_process.file.signature_info.codesign.id

event_type: chroot

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to chroot.
metadata.description A piece of software has changed its apparent root directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to FILE_MODIFICATION.
event.chroot.target.path target.file.full_path
event.chroot.target.stat.st_dev target.file.stat_dev
event.chroot.target.stat.st_flags target.file.stat_flags
event.chroot.target.stat.st_ino target.file.stat_inode
event.chroot.target.stat.st_mode target.file.stat_mode
event.chroot.target.stat.st_mtimespec target.file.last_modification_time
event.chroot.target.stat.st_atimespec target.file.last_access_time
event.chroot.target.stat.st_nlink target.file.stat_nlink
event.chroot.target.stat.st_size target.file.size
event.chroot.target.sha256 target.file.sha256
event.chroot.target.sha1 target.file.sha1

event_type: exec

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to exec.
metadata.description An executable has been loaded into memory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to PROCESS_LAUNCH.
process.responsible_audit_token.euid principal.process.euid
process.responsible_audit_token.ruid principal.process.ruid
process.responsible_audit_token.egid principal.process.egid
process.responsible_audit_token.rgid principal.process.rgid
process.responsible_audit_token.pgid principal.process.pgid
process.responsible_audit_token.pid principal.process.pid
process.responsible_audit_token.uuid principal.process.product_specific_process_id
process.responsible_audit_token.signing_id principal.process.file.signature_info.codesign.id
event.exec.target.audit_token.euid target.process.euid
event.exec.target.audit_token.ruid target.process.ruid
event.exec.target.audit_token.egid target.process.egid
event.exec.target.audit_token.rgid target.process.rgid
event.exec.target.audit_token.pgid target.process.pgid
event.exec.target.audit_token.pid target.process.pid
event.exec.target.audit_token.uuid target.process.product_specific_process_id
event.exec.target.parent_audit_token.euid target.process.parent_process.euid
event.exec.target.parent_audit_token.ruid target.process.parent_process.ruid
event.exec.target.parent_audit_token.egid target.process.parent_process.egid
event.exec.target.parent_audit_token.rgid target.process.parent_process.rgid
event.exec.target.parent_audit_token.pgid target.process.parent_process.pgid
event.exec.target.parent_audit_token.pid target.process.parent_process.pid
event.exec.target.parent_audit_token.uuid target.process.parent_process.product_specific_process_id
event.exec.target.parent_audit_token.signing_id target.process.parent_process.file.signature_info.codesign.id
event.exec.target.executable.path target.process.file.full_path
event.exec.target.executable.stat.st_dev target.process.file.stat_dev
event.exec.target.executable.stat.st_flags target.process.file.stat_flags
event.exec.target.executable.stat.st_ino target.process.file.stat_inode
event.exec.target.executable.stat.st_mode target.process.file.stat_mode
event.exec.target.executable.stat.st_mtimespec target.process.file.last_modification_time
event.exec.target.executable.stat.st_atimespec target.process.file.last_access_time
event.exec.target.executable.stat.st_nlink target.process.file.stat_nlink
event.exec.target.executable.stat.st_size target.process.file.size
event.exec.target.executable.sha256 target.process.file.sha256
event.exec.target.executable.sha1 target.process.file.sha1
event.exec.target.signing_id additional.fields[exec_target_signing_id]
event.exec.target.team_id additional.fields[exec_target_team_id]
event.exec.target.ppid additional.fields[exec_target_ppid]
event.exec.target.codesigning_flags additional.fields[exec_target_codesigning_flags]
event.exec.target.cdhash additional.fields[exec_target_cdhash]
event.exec.target.is_platform_binary additional.fields[exec_target_is_platform_binary]
event.exec.target.is_es_client additional.fields[exec_target_is_es_client]
event.exec.target.group_id additional.fields[exec_target_group_id]
event.exec.target.original_ppid additional.fields[exec_target_original_ppid]
event.exec.target.session_id additional.fields[exec_target_session_id]
event.exec.args target.process.command_line
event.exec.cwd.path additional.fields[exec_cwd_path]
event.exec.dyld_exec_path additional.fields[exec_dyld_exec_path]
event.exec.script.path additional.fields[exec_script_path]
event.exec.tty.path additional.fields[exec_tty_path]
event.exec.image_cpusubtype additional.fields[exec_image_cpusubtype]
event.exec.image_cputype additional.fields[exec_image_cputype]
event.exec.target.audit_token.signing_id target.process.file.signature_info.codesign.id

event_type: file_collection

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to file_collection.
metadata.description Event occurs when data from a Diagnsostic or Crash Report file is collected from the system. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.file_collection.path target.file.path
event.file_collection.size target.file.size
event.file_collection.contents additional.fields[file_collection_contents]

event_type: kextload

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to kextload.
metadata.description A kernel extension (kext) was loaded. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.kextload.identifier target.resource.name

event_type: kextunload

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to kextunload.
metadata.description A kernel extension (kext) was unloaded. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.kextunload.identifier target.resource.name

event_type: log_collection

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to log_collection.
metadata.description Collection of entries from a local log file. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.log_collection.texts target.file.names
event.log_collection.path.0 target.file.full_path

event_type: login_login

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to login_login.
metadata.description A user attempted to log in via /usr/bin/login. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
extensions.auth.type The extensions.auth.type UDM field is set to MACHINE.
event.login_login.uid target.user.userid
event.login_login.username target.user.user_display_name
event.login_login.success security_result.category If the event.login_login.success log field value is equal to false then, the security_result.category UDM field is set to AUTH_VIOLATION.
event.login_login.failure_message security_result.category_details If the event.login_login.success log field value is equal to false then, event.login_login.failure_message log field is mapped to the security_result.category_details UDM field.

event_type: login_logout

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to login_logout.
metadata.description A user logged out via /usr/bin/login. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGOUT.
extensions.auth.type The extensions.auth.type UDM field is set to MACHINE.
event.login_logout.uid target.user.userid
event.login_logout.username target.user.user_display_name

event_type: lw_session_login

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to lw_session_login.
metadata.description A user has logged in via the Login Window. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
extensions.auth.type The extensions.auth.type UDM field is set to MACHINE.
event.lw_session_login.username target.user.user_display_name

event_type: bios_uefi

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to bios_uefi.
metadata.description Information about the current version of bios and uefi on the device. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.bios_uefi.firmware-version additional.fields[bios_uefi_firmware_version]
event.bios_uefi.system-firmware-version additional.fields[bios_uefi_system_firmware_version]
event.bios_uefi.architecture additional.fields[bios_uefi_architecture]
event.bios_uefi.bios.firmware-version additional.fields[bios_uefi_bios_firmware_version]
event.bios_uefi.bios.vendor additional.fields[bios_uefi_bios_vendor]
event.bios_uefi.bios.firmware-features additional.fields[bios_uefi_bios_firmware_features]
event.bios_uefi.bios.rom-size additional.fields[bios_uefi_bios_rom_size]
event.bios_uefi.bios.booter-version additional.fields[bios_uefi_bios_booter_version]

event_type: cs_invalidated

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to cs_invalidated.
metadata.description A process has had its code signature marked as invalid. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.

event_type: gatekeeper_user_override

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to gatekeeper_user_override.
metadata.description A user overrides Gatekeeper. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.gatekeeper_user_override.file.path target.file.full_path
event.gatekeeper_user_override.file.stat.st_dev target.file.stat_dev
event.gatekeeper_user_override.file.stat.st_flags target.file.stat_flags
event.gatekeeper_user_override.file.stat.st_ino target.file.stat_inode
event.gatekeeper_user_override.file.stat.st_mode target.file.stat_mode
event.gatekeeper_user_override.file.stat.st_mtimespec target.file.last_modification_time
event.gatekeeper_user_override.file.stat.st_atimespec target.file.last_access_time
event.gatekeeper_user_override.file.stat.st_nlink target.file.stat_nlink
event.gatekeeper_user_override.file.stat.st_size target.file.size
event.gatekeeper_user_override.file.sha256 target.file.sha256
event.gatekeeper_user_override.file.sha1 target.file.sha1
event.gatekeeper_user_override.signing_info.signing_id additional.fields[exec_gatekeeper_user_override_signing_info_signing_id]
event.gatekeeper_user_override.signing_info.team_id additional.fields[gatekeeper_user_override_signing_info_team_id]
event.gatekeeper_user_override.signing_info.cdhash additional.fields[gatekeeper_user_override_signing_info_cdhash]
event.gatekeeper_user_override.file_type additional.fields[gatekeeper_user_override_file_type]
event.gatekeeper_user_override.sha256 additional.fields[gatekeeper_user_override_sha256]

event_type: lw_session_unlock

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to lw_session_unlock.
metadata.description A user has unlocked the screen from the Login Window. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
extensions.auth.type The extensions.auth.type UDM field is set to MACHINE.
event.lw_session_unlock.username target.user.user_display_name

event_type: lw_session_lock

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to lw_session_lock.
metadata.description A user has locked the screen. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGOUT.
extensions.auth.type The extensions.auth.type UDM field is set to MACHINE.
event.lw_session_lock.username target.user.user_display_name

event_type: lw_session_logout

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to lw_session_logout.
metadata.description A user has logged out of an active graphical session. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGOUT.
extensions.auth.type The extensions.auth.type UDM field is set to MACHINE.
event.lw_session_logout.username target.user.user_display_name

event_type: mount

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to mount.
metadata.description A file system has been mounted. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.mount.statfs.f_owner principal.user.userid
event.mount.device.size target.file.size
event.mount.statfs.f_fstypename target.resource.resource_subtype
event.mount.statfs.f_mntfromname src.resource.name
event.mount.statfs.f_mntonname target.resource.name
event.mount.device.protocol additional.fields[mount_device_protocol]
event.mount.disposition additional.fields[mount_disposition]
event.mount.device.serial_number target.asset.hardware.serial_number If the event.mount.device.serial_number log field value is not empty or the event.mount.device.vendor_name log field value is not empty or the event.mount.device.device_model log field value is not empty then, event.mount.device.serial_number log field is mapped to the target.asset.hardware.serial_number UDM field.
event.mount.device.vendor_name target.asset.hardware.manufacturer If the event.mount.device.serial_number log field value is not empty or the event.mount.device.vendor_name log field value is not empty or the event.mount.device.device_model log field value is not empty then, event.mount.device.vendor_name log field is mapped to the target.asset.hardware.manufacturer UDM field.
event.mount.device.device_model target.asset.hardware.model If the event.mount.device.serial_number log field value is not empty or the event.mount.device.vendor_name log field value is not empty or the event.mount.device.device_model log field value is not empty then, event.mount.device.device_model log field is mapped to the target.asset.hardware.model UDM field.

event_type: od_attribute_set

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_attribute_set.
metadata.description Attribute set on user or group using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT.
event.od_attribute_set.instigator.audit_token.euid principal.process.euid
event.od_attribute_set.instigator.audit_token.ruid principal.process.ruid
event.od_attribute_set.instigator.audit_token.egid principal.process.egid
event.od_attribute_set.instigator.audit_token.rgid principal.process.rgid
event.od_attribute_set.instigator.audit_token.pgid principal.process.pgid
event.od_attribute_set.instigator.audit_token.pid principal.process.pid
event.od_attribute_set.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_attribute_set.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_attribute_set.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_attribute_set.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_attribute_set.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_attribute_set.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_attribute_set.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_attribute_set.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_attribute_set.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_attribute_set.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_attribute_set.instigator.executable.path principal.process.file.full_path
event.od_attribute_set.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_attribute_set.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_attribute_set.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_attribute_set.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_attribute_set.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_attribute_set.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_attribute_set.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_attribute_set.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_attribute_set.instigator.executable.stat.st_size principal.process.file.size
event.od_attribute_set.instigator.executable.sha256 principal.process.file.sha256
event.od_attribute_set.instigator.executable.sha1 principal.process.file.sha1
event.od_attribute_set.instigator.signing_id additional.fields[od_attribute_set_instigator_signing_id]
event.od_attribute_set.instigator.team_id additional.fields[od_attribute_set_instigator_team_id]
event.od_attribute_set.instigator.ppid additional.fields[od_attribute_set_instigator_codesigning_flags]
event.od_attribute_set.instigator.codesigning_flags additional.fields[od_attribute_set_instigator_ppid]
event.od_attribute_set.instigator.cdhash additional.fields[od_attribute_set_instigator_cdhash]
event.od_attribute_set.instigator.is_platform_binary additional.fields[od_attribute_set_instigator_is_platform_binary]
event.od_attribute_set.instigator.is_es_client additional.fields[od_attribute_set_instigator_is_es_client]
event.od_attribute_set.instigator.group_id additional.fields[od_attribute_set_instigator_group_id]
event.od_attribute_set.instigator.original_ppid additional.fields[od_attribute_set_instigator_original_ppid]
event.od_attribute_set.instigator.session_id additional.fields[od_attribute_set_instigator_session_id]
event.od_attribute_set.attribute_name target.resource.resource_subtype
event.od_attribute_value_add.attribute_value target.resource.name
event.od_attribute_set.record_name target.user.user_display_name
event.od_attribute_set.instigator_token.euid principal.user.userid
event.od_attribute_set.db_path additional.fields[event_od_attribute_set_db_path]
event.od_attribute_set.node_name additional.fields[event_od_attribute_set_node_name]
event.od_attribute_set.record_type additional.fields[event_od_attribute_set_record_type]
event.od_attribute_set.error_code additional.fields[event_od_attribute_set_error_code]

event_type: od_attribute_value_add

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_attribute_value_add.
metadata.description Attribute set on user or group using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.od_attribute_value_add.instigator.audit_token.euid principal.process.euid
event.od_attribute_value_add.instigator.audit_token.ruid principal.process.ruid
event.od_attribute_value_add.instigator.audit_token.egid principal.process.egid
event.od_attribute_value_add.instigator.audit_token.rgid principal.process.rgid
event.od_attribute_value_add.instigator.audit_token.pgid principal.process.pgid
event.od_attribute_value_add.instigator.audit_token.pid principal.process.pid
event.od_attribute_value_add.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_attribute_value_add.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_attribute_value_add.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_attribute_value_add.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_attribute_value_add.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_attribute_value_add.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_attribute_value_add.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_attribute_set.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_attribute_value_add.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_attribute_value_add.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_attribute_value_add.instigator.executable.path principal.process.file.full_path
event.od_attribute_value_add.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_attribute_value_add.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_attribute_value_add.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_attribute_value_add.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_attribute_value_add.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_attribute_value_add.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_attribute_value_add.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_attribute_value_add.instigator.executable.stat.st_size principal.process.file.size
event.od_attribute_value_add.instigator.executable.sha256 principal.process.file.sha256
event.od_attribute_value_add.instigator.executable.sha1 principal.process.file.sha1
event.od_attribute_value_add.instigator.signing_id additional.fields[od_attribute_value_add_instigator_signing_id]
event.od_attribute_value_add.instigator.team_id additional.fields[od_attribute_value_add_instigator_team_id]
event.od_attribute_value_add.instigator.ppid additional.fields[od_attribute_value_add_instigator_ppid]
event.od_attribute_value_add.instigator.codesigning_flags additional.fields[od_attribute_set_instigator_codesigning_flags]
event.od_attribute_value_add.instigator.cdhash additional.fields[od_attribute_value_add_instigator_codesigning_flags]
event.od_attribute_value_add.instigator.is_platform_binary additional.fields[od_attribute_set_instigator_is_platform_binary]
event.od_attribute_value_add.instigator.is_es_client additional.fields[od_attribute_value_add_instigator_is_es_client]
event.od_attribute_value_add.instigator.group_id additional.fields[od_attribute_value_add_instigator_group_id]
event.od_attribute_value_add.instigator.original_ppid additional.fields[od_attribute_value_add_instigator_original_pp]
event.od_attribute_value_add.instigator.session_id additional.fields[od_attribute_value_add_instigator_session_id]
event.od_attribute_value_add.attribute_name target.resource.resource_subtype
event.od_attribute_value_add.attribute_value target.resource.name
event.od_attribute_value_add.record_name target.user.user_display_name
event.od_attribute_value_add.db_path additional.fields[od_attribute_value_add_db_path]
event.od_attribute_value_add.node_name additional.fields[od_attribute_value_add_node_name]
event.od_attribute_value_add.record_type additional.fields[od_attribute_value_add_record_type]
event.od_attribute_value_add.error_code additional.fields[od_attribute_value_add_error_code]

event_type: od_attribute_value_remove

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_attribute_value_remove.
metadata.description Attribute removed from a user or group using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_RESOURCE_DELETION.
event.od_attribute_value_remove.instigator.audit_token.euid principal.process.euid
event.od_attribute_value_remove.instigator.audit_token.ruid principal.process.ruid
event.od_attribute_value_remove.instigator.audit_token.egid principal.process.egid
event.od_attribute_value_remove.instigator.audit_token.rgid principal.process.rgid
event.od_attribute_value_remove.instigator.audit_token.pgid principal.process.pgid
event.od_attribute_value_remove.instigator.audit_token.pid principal.process.pid
event.od_attribute_value_remove.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_attribute_value_remove.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_attribute_value_remove.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_attribute_value_remove.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_attribute_value_remove.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_attribute_value_remove.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_attribute_value_remove.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_attribute_value_remove.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_attribute_value_remove.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_attribute_value_remove.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_attribute_value_remove.instigator.executable.path principal.process.file.full_path
event.od_attribute_value_remove.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_attribute_value_remove.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_attribute_value_remove.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_attribute_value_remove.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_attribute_value_remove.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_attribute_value_remove.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_attribute_value_remove.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_attribute_value_remove.instigator.executable.stat.st_size principal.process.file.size
event.od_attribute_value_remove.instigator.executable.sha256 principal.process.file.sha256
event.od_attribute_value_remove.instigator.executable.sha1 principal.process.file.sha1
event.od_attribute_value_remove.instigator.codesigning_flags additional.fields[od_attribute_value_remove_instigator_codesigning_flags]
event.od_attribute_value_remove.instigator.cdhash additional.fields[od_attribute_value_remove_instigator_codesigning_flags]
event.od_attribute_value_remove.instigator.is_platform_binary additional.fields[od_attribute_value_remove_instigator_is_platform_binary]
event.od_attribute_value_remove.instigator.is_es_client additional.fields[od_attribute_value_remove_instigator_is_es_client]
event.od_attribute_value_remove.instigator.group_id additional.fields[od_attribute_value_remove_instigator_group_id]
event.od_attribute_value_remove.instigator.original_ppid additional.fields[od_attribute_value_remove_instigator_original_pp]
event.od_attribute_value_remove.instigator.session_id additional.fields[od_attribute_value_remove_instigator_session_id]
event.od_attribute_value_remove.attribute_name target.resource.resource_subtype
event.od_attribute_value_remove.attribute_value target.resource.name
event.od_attribute_value_remove.record_name target.user.user_display_name
event.od_attribute_value_remove.db_path additional.fields[od_attribute_value_remove_db_path]
event.od_attribute_value_remove.node_name additional.fields[od_attribute_value_remove_node_name]
event.od_attribute_value_remove.record_type additional.fields[od_attribute_value_remove_record_type]
event.od_attribute_value_remove.error_code additional.fields[od_attribute_value_remove_error_code]

event_type: od_create_group

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_create_group.
metadata.description A group has been created using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to GROUP_CREATION.
event.od_create_group.instigator.audit_token.euid principal.process.euid
event.od_create_group.instigator.audit_token.ruid principal.process.ruid
event.od_create_group.instigator.audit_token.egid principal.process.egid
event.od_create_group.instigator.audit_token.rgid principal.process.rgid
event.od_create_group.instigator.audit_token.pgid principal.process.pgid
event.od_create_group.instigator.audit_token.pid principal.process.pid
event.od_create_group.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_create_group.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_create_group.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_create_group.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_create_group.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_create_group.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_create_group.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_create_group.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_create_group.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_create_group.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_create_group.instigator.executable.path principal.process.file.full_path
event.od_create_group.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_create_group.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_create_group.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_create_group.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_create_group.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_create_group.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_create_group.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_create_group.instigator.executable.stat.st_size principal.process.file.size
event.od_create_group.instigator.executable.sha256 principal.process.file.sha256
event.od_create_group.instigator.executable.sha1 principal.process.file.sha1
event.od_create_group.instigator.signing_id additional.fields[od_create_group_instigator_signing_id]
event.od_create_group.instigator.team_id additional.fields[od_create_group_instigator_team_id]
event.od_create_group.instigator.ppid additional.fields[od_create_group_instigator_ppid]
event.od_create_group.instigator.codesigning_flags additional.fields[od_create_group_instigator_codesigning_flags]
event.od_create_group.instigator.cdhash additional.fields[od_create_group_instigator_cdhash]
event.od_create_group.instigator.is_platform_binary additional.fields[od_create_group_instigator_is_platform_binary]
event.od_create_group.instigator.is_es_client additional.fields[od_create_group_instigator_is_es_client]
event.od_create_group.instigator.group_id additional.fields[od_create_group_instigator_group_id]
event.od_create_group.instigator.original_ppid additional.fields[od_create_group_instigator_original_pp]
event.od_create_group.instigator.session_id additional.fields[od_create_group_instigator_session_id]
event.od_create_group.group_name target.group.group_display_name
event.od_create_group.instigator_token.euid principal.user.userid
od_create_group.db_path additional.fields[od_create_group_db_path]
event.od_create_group.node_name additional.fields[od_create_group_node_name]
event.od_create_group.error_code additional.fields[od_create_group_error_code]

event_type: od_delete_group

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_delete_group.
metadata.description A group has been deleted using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to GROUP_DELETION.
event.od_delete_group.instigator.audit_token.euid principal.process.euid
event.od_delete_group.instigator.audit_token.ruid principal.process.ruid
event.od_delete_group.instigator.audit_token.egid principal.process.egid
event.od_delete_group.instigator.audit_token.rgid principal.process.rgid
event.od_delete_group.instigator.audit_token.pgid principal.process.pgid
event.od_delete_group.instigator.audit_token.pid principal.process.pid
event.od_delete_group.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_delete_group.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_delete_group.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_delete_group.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_delete_group.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_delete_group.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_delete_group.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_delete_group.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_delete_group.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_delete_group.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_delete_group.instigator.executable.path principal.process.file.full_path
event.od_delete_group.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_delete_group.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_delete_group.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_delete_group.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_delete_group.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_delete_group.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_delete_group.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_delete_group.instigator.executable.stat.st_size principal.process.file.size
event.od_delete_group.instigator.executable.sha256 principal.process.file.sha256
event.od_delete_group.instigator.executable.sha1 principal.process.file.sha1
event.od_delete_group.instigator.signing_id additional.fields[od_delete_group_instigator_signing_id]
event.od_delete_group.instigator.team_id additional.fields[od_delete_group_instigator_team_id]
event.od_delete_group.instigator.ppid additional.fields[od_delete_group_instigator_ppid]
event.od_delete_group.instigator.codesigning_flags additional.fields[od_delete_group_instigator_codesigning_flags]
event.od_delete_group.instigator.cdhash additional.fields[od_delete_group_instigator_cdhash]
event.od_delete_group.instigator.is_platform_binary additional.fields[od_delete_group_instigator_is_platform_binary]
event.od_delete_group.instigator.is_es_client additional.fields[od_delete_group_instigator_is_es_client]
event.od_delete_group.instigator.group_id additional.fields[od_delete_group_instigator_group_id]
event.od_delete_group.instigator.original_ppid additional.fields[od_delete_group_instigator_original_pp]
event.od_delete_group.instigator.session_id additional.fields[od_delete_group_instigator_session_id]
event.od_delete_group.group_name target.group.group_display_name
event.od_delete_group.instigator_token.euid principal.user.userid
od_delete_group.db_path additional.fields[od_delete_group_db_path]
event.od_delete_group.node_name additional.fields[od_delete_group_node_name]
event.od_delete_group.error_code additional.fields[od_delete_group_error_code]

event_type: od_create_user

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_create_user.
metadata.description A user has been created using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_CREATION.
event.od_create_user.instigator.audit_token.euid principal.process.euid
event.od_create_user.instigator.audit_token.ruid principal.process.ruid
event.od_create_user.instigator.audit_token.egid principal.process.egid
event.od_create_user.instigator.audit_token.rgid principal.process.rgid
event.od_create_user.instigator.audit_token.pgid principal.process.pgid
event.od_create_user.instigator.audit_token.pid principal.process.pid
event.od_create_user.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_create_user.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_create_user.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_create_user.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_create_user.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_create_user.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_create_user.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_create_user.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_create_user.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_create_user.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_create_user.instigator.executable.path principal.process.file.full_path
event.od_create_user.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_create_user.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_create_user.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_create_user.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_create_user.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_create_user.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_create_user.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_create_user.instigator.executable.stat.st_size principal.process.file.size
event.od_create_user.instigator.executable.sha256 principal.process.file.sha256
event.od_create_user.instigator.executable.sha1 principal.process.file.sha1
event.od_create_user.instigator.signing_id additional.fields[od_create_user_instigator_signing_id]
event.od_create_user.instigator.team_id additional.fields[od_create_user_instigator_team_id]
event.od_create_user.instigator.ppid additional.fields[od_create_user_instigator_ppid]
event.od_create_user.instigator.codesigning_flags additional.fields[od_create_user_instigator_codesigning_flags]
event.od_create_user.instigator.cdhash additional.fields[od_create_user_instigator_cdhash]
event.od_create_user.instigator.is_platform_binary additional.fields[od_create_user_instigator_is_platform_binary]
event.od_create_user.instigator.is_es_client additional.fields[od_create_user_instigator_is_es_client]
event.od_create_user.instigator.group_id additional.fields[od_create_user_instigator_group_id]
event.od_create_user.instigator.original_ppid additional.fields[od_create_user_instigator_original_pp]
event.od_create_user.instigator.session_id additional.fields[od_create_user_instigator_session_id]
event.od_create_user.user_name target.user.userid
event.od_create_user.instigator_token.euid principal.user.userid
event.od_create_user.db_path additional.fields[od_create_user_db_path]
event.od_create_user.node_name additional.fields[od_create_user_node_name]
event.od_create_user.error_code additional.fields[od_create_user_error_code]

event_type: od_delete_user

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_delete_user.
metadata.description A user has been deleted using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_DELETION.
event.od_delete_user.instigator.audit_token.euid principal.process.euid
event.od_delete_user.instigator.audit_token.ruid principal.process.ruid
event.od_delete_user.instigator.audit_token.egid principal.process.egid
event.od_delete_user.instigator.audit_token.rgid principal.process.rgid
event.od_delete_user.instigator.audit_token.pgid principal.process.pgid
event.od_delete_user.instigator.audit_token.pid principal.process.pid
event.od_delete_user.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_delete_user.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_delete_user.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_delete_user.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_delete_user.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_delete_user.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_delete_user.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_delete_user.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_delete_user.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_delete_user.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_delete_user.instigator.executable.path principal.process.file.full_path
event.od_delete_user.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_delete_user.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_delete_user.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_delete_user.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_delete_user.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_delete_user.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_delete_user.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_delete_user.instigator.executable.stat.st_size principal.process.file.size
event.od_delete_user.instigator.executable.sha256 principal.process.file.sha256
event.od_delete_user.instigator.executable.sha1 principal.process.file.sha1
event.od_delete_user.instigator.signing_id additional.fields[od_delete_user_instigator_signing_id]
event.od_delete_user.instigator.team_id additional.fields[od_delete_user_instigator_team_id]
event.od_delete_user.instigator.ppid additional.fields[od_delete_user_instigator_ppid]
event.od_delete_user.instigator.codesigning_flags additional.fields[od_delete_user_instigator_codesigning_flags]
event.od_delete_user.instigator.cdhash additional.fields[od_delete_user_instigator_cdhash]
event.od_delete_user.instigator.is_platform_binary additional.fields[od_delete_user_instigator_is_platform_binary]
event.od_delete_user.instigator.is_es_client additional.fields[od_delete_user_instigator_is_es_client]
event.od_delete_user.instigator.group_id additional.fields[od_delete_user_instigator_group_id]
event.od_delete_user.instigator.original_ppid additional.fields[od_delete_user_instigator_original_pp]
event.od_delete_user.instigator.session_id additional.fields[od_delete_user_instigator_session_id]
event.od_delete_user.user_name target.user.userid
event.od_delete_user.instigator_token.euid principal.user.userid
event.od_delete_user.db_path additional.fields[od_delete_user_db_path]
event.od_delete_user.node_name additional.fields[od_delete_user_node_name]
event.od_delete_user.error_code additional.fields[od_delete_user_error_code]
event.od_disable_user.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id

event_type: od_disable_user

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_disable_user.
metadata.description A user has been disabled using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_UNCATEGORIZED.
event.od_disable_user.instigator.audit_token.euid principal.process.euid
event.od_disable_user.instigator.audit_token.ruid principal.process.ruid
event.od_disable_user.instigator.audit_token.egid principal.process.egid
event.od_disable_user.instigator.audit_token.rgid principal.process.rgid
event.od_disable_user.instigator.audit_token.pgid principal.process.pgid
event.od_disable_user.instigator.audit_token.pid principal.process.pid
event.od_disable_user.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_disable_user.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_disable_user.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_disable_user.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_disable_user.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_disable_user.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_disable_user.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_disable_user.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_disable_user.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_disable_user.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_disable_user.instigator.executable.path principal.process.file.full_path
event.od_disable_user.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_disable_user.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_disable_user.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_disable_user.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_disable_user.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_disable_user.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_disable_user.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_disable_user.instigator.executable.stat.st_size principal.process.file.size
event.od_disable_user.instigator.executable.sha256 principal.process.file.sha256
event.od_disable_user.instigator.executable.sha1 principal.process.file.sha1
event.od_disable_user.instigator.codesigning_flags additional.fields[od_disable_user_instigator_codesigning_flags]
event.od_disable_user.instigator.cdhash additional.fields[od_disable_user_instigator_codesigning_flags]
event.od_disable_user.instigator.is_platform_binary additional.fields[od_disable_user_instigator_is_platform_binary]
event.od_disable_user.instigator.is_es_client additional.fields[od_disable_user_instigator_is_es_client]
event.od_disable_user.instigator.group_id additional.fields[od_disable_user_instigator_group_id]
event.od_disable_user.instigator.original_ppid additional.fields[od_disable_user_instigator_original_pp]
event.od_disable_user.instigator.session_id additional.fields[od_disable_user_instigator_session_id]
event.od_disable_user.user_name target.user.user_display_name
event.od_disable_user.instigator_token.euid principal.user.userid
event.od_disable_user.db_path additional.fields[od_disable_user_db_path]
event.od_disable_user.node_name additional.fields[od_disable_user_node_name]
event.od_disable_user.error_code additional.fields[od_disable_user_error_code]

event_type: od_enable_user

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_enable_user.
metadata.description A user has been enabled using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_UNCATEGORIZED.
event.od_enable_user.instigator.audit_token.euid principal.process.euid
event.od_enable_user.instigator.audit_token.ruid principal.process.ruid
event.od_enable_user.instigator.audit_token.egid principal.process.egid
event.od_enable_user.instigator.audit_token.rgid principal.process.rgid
event.od_enable_user.instigator.audit_token.pgid principal.process.pgid
event.od_enable_user.instigator.audit_token.pid principal.process.pid
event.od_enable_user.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_enable_user.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_enable_user.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_enable_user.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_enable_user.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_enable_user.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_enable_user.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_enable_user.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_enable_user.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_enable_user.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_enable_user.instigator.executable.path principal.process.file.full_path
event.od_enable_user.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_enable_user.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_enable_user.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_enable_user.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_enable_user.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_enable_user.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_enable_user.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_enable_user.instigator.executable.stat.st_size principal.process.file.size
event.od_enable_user.instigator.executable.sha256 principal.process.file.sha256
event.od_enable_user.instigator.executable.sha1 principal.process.file.sha1
event.od_enable_user.instigator.signing_id additional.fields[od_enable_user_instigator_signing_id]
event.od_enable_user.instigator.team_id additional.fields[od_enable_user_instigator_team_id]
event.od_enable_user.instigator.ppid additional.fields[od_enable_user_instigator_ppid]
event.od_enable_user.instigator.codesigning_flags additional.fields[od_enable_user_instigator_codesigning_flags]
event.od_enable_user.instigator.cdhash additional.fields[od_enable_user_instigator_cdhash]
event.od_enable_user.instigator.is_platform_binary additional.fields[od_enable_user_instigator_is_platform_binary]
event.od_enable_user.instigator.is_es_client additional.fields[od_enable_user_instigator_is_es_client]
event.od_enable_user.instigator.group_id additional.fields[od_enable_user_instigator_group_id]
event.od_enable_user.instigator.original_ppid additional.fields[od_enable_user_instigator_original_pp]
event.od_enable_user.instigator.session_id additional.fields[od_enable_user_instigator_session_id]
event.od_enable_user.user_name target.user.user_display_name
event.od_enable_user.instigator_token.euid principal.user.userid
event.od_enable_user.db_path additional.fields[od_enable_user_db_path]
event.od_enable_user.node_name additional.fields[od_enable_user_node_name]
event.od_enable_user.error_code additional.fields[od_enable_user_error_code]

event_type: od_group_add

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_group_add.
metadata.description A member has been added to a group using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to GROUP_MODIFICATION.
event.od_group_add.instigator.audit_token.euid principal.process.euid
event.od_group_add.instigator.audit_token.ruid principal.process.ruid
event.od_group_add.instigator.audit_token.egid principal.process.egid
event.od_group_add.instigator.audit_token.rgid principal.process.rgid
event.od_group_add.instigator.audit_token.pgid principal.process.pgid
event.od_group_add.instigator.audit_token.pid principal.process.pid
event.od_group_add.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_group_add.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_group_add.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_group_add.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_group_add.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_group_add.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_group_add.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_group_add.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_group_add.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_group_add.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_group_add.instigator.executable.path principal.process.file.full_path
event.od_group_add.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_group_add.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_group_add.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_group_add.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_group_add.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_group_add.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_group_add.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_group_add.instigator.executable.stat.st_size principal.process.file.size
event.od_group_add.instigator.executable.sha256 principal.process.file.sha256
event.od_group_add.instigator.executable.sha1 principal.process.file.sha1
event.od_group_add.instigator.signing_id additional.fields[od_group_add_instigator_signing_id]
event.od_group_add.instigator.team_id additional.fields[od_group_add_instigator_team_id]
event.od_group_add.instigator.ppid additional.fields[od_group_add_instigator_ppid]
event.od_group_add.instigator.codesigning_flags additional.fields[od_group_add_instigator_codesigning_flags]
event.od_group_add.instigator.cdhash additional.fields[od_group_add_instigator_cdhash]
event.od_group_add.instigator.is_platform_binary additional.fields[od_group_add_instigator_is_platform_binary]
event.od_group_add.instigator.is_es_client additional.fields[od_group_add_instigator_is_es_client]
event.od_group_add.instigator.group_id additional.fields[od_group_add_instigator_group_id]
event.od_group_add.instigator.original_ppid additional.fields[od_group_add_instigator_original_pp]
event.od_group_add.instigator.session_id additional.fields[od_group_add_instigator_session_id]
event.od_group_add.group_name target.group.group_display_name
event.od_group_add.member.member_value target.user.user_display_name
event.od_group_add.instigator_token.euid principal.user.userid
event.od_group_add.db_path additional.fields[od_group_add_db_path]
event.od_group_add.node_name additional.fields[od_group_add_node_name]
event.od_group_add.error_code additional.fields[od_group_add_error_code]

event_type: od_group_remove

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_group_remove.
metadata.description A member has been removed from a group using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to GROUP_MODIFICATION.
event.od_group_remove.instigator.audit_token.euid principal.process.euid
event.od_group_remove.instigator.audit_token.ruid principal.process.ruid
event.od_group_remove.instigator.audit_token.egid principal.process.egid
event.od_group_remove.instigator.audit_token.rgid principal.process.rgid
event.od_group_remove.instigator.audit_token.pgid principal.process.pgid
event.od_group_remove.instigator.audit_token.pid principal.process.pid
event.od_group_remove.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_group_remove.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_group_remove.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_group_remove.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_group_remove.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_group_remove.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_group_remove.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_group_remove.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_group_remove.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_group_remove.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_group_remove.instigator.executable.path principal.process.file.full_path
event.od_group_remove.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_group_remove.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_group_remove.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_group_remove.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_group_remove.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_group_remove.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_group_remove.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_group_remove.instigator.executable.stat.st_size principal.process.file.size
event.od_group_remove.instigator.executable.sha256 principal.process.file.sha256
event.od_group_remove.instigator.executable.sha1 principal.process.file.sha1
event.od_group_remove.instigator.signing_id additional.fields[od_group_remove_instigator_signing_id]
event.od_group_remove.instigator.team_id additional.fields[od_group_remove_instigator_team_id]
event.od_group_remove.instigator.ppid additional.fields[od_group_remove_instigator_ppid]
event.od_group_remove.instigator.codesigning_flags additional.fields[od_group_remove_instigator_codesigning_flags]
event.od_group_remove.instigator.cdhash additional.fields[od_group_remove_instigator_cdhash]
event.od_group_remove.instigator.is_platform_binary additional.fields[od_group_remove_instigator_is_platform_binary]
event.od_group_remove.instigator.is_es_client additional.fields[od_group_remove_instigator_is_es_client]
event.od_group_remove.instigator.group_id additional.fields[od_group_remove_instigator_group_id]
event.od_group_remove.instigator.original_ppid additional.fields[od_group_remove_instigator_original_pp]
event.od_group_remove.instigator.session_id additional.fields[od_group_remove_instigator_session_id]
event.od_group_remove.group_name target.group.group_display_name
event.od_group_remove.member.member_value target.user.user_display_name
event.od_group_remove.instigator_token.euid principal.user.userid
event.od_group_remove.db_path additional.fields[od_group_remove_db_path]
event.od_group_remove.node_name additional.fields[od_group_remove_node_name]
event.od_group_remove.error_code additional.fields[od_group_remove_error_code]

event_type: od_group_set

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_group_set.
metadata.description A group has a member initialized or replaced using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to GROUP_MODIFICATION.
event.od_group_set.instigator.audit_token.euid principal.process.euid
event.od_group_set.instigator.audit_token.ruid principal.process.ruid
event.od_group_set.instigator.audit_token.egid principal.process.egid
event.od_group_set.instigator.audit_token.rgid principal.process.rgid
event.od_group_set.instigator.audit_token.pgid principal.process.pgid
event.od_group_set.instigator.audit_token.pid principal.process.pid
event.od_group_set.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_group_set.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_group_set.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_group_set.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_group_set.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_group_set.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_group_set.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_group_set.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_group_set.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_group_set.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_group_set.instigator.executable.path principal.process.file.full_path
event.od_group_set.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_group_set.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_group_set.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_group_set.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_group_set.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_group_set.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_group_set.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_group_set.instigator.executable.stat.st_size principal.process.file.size
event.od_group_set.instigator.executable.sha256 principal.process.file.sha256
event.od_group_set.instigator.executable.sha1 principal.process.file.sha1
event.od_group_set.instigator.signing_id additional.fields[od_group_set_instigator_signing_id]
event.od_group_set.instigator.team_id additional.fields[od_group_set_instigator_team_id]
event.od_group_set.instigator.ppid additional.fields[od_group_set_instigator_ppid]
event.od_group_set.instigator.codesigning_flags additional.fields[od_group_set_instigator_codesigning_flags]
event.od_group_set.instigator.cdhash additional.fields[od_group_set_instigator_cdhash]
event.od_group_set.instigator.is_platform_binary additional.fields[od_group_set_instigator_is_platform_binary]
event.od_group_set.instigator.is_es_client additional.fields[od_group_set_instigator_is_es_client]
event.od_group_set.instigator.group_id additional.fields[od_group_set_instigator_group_id]
event.od_group_set.instigator.original_ppid additional.fields[od_group_set_instigator_original_pp]
event.od_group_set.instigator.session_id additional.fields[od_group_set_instigator_session_id]
event.od_group_set.group_name target.group.group_display_name
event.od_group_set.member.member_array target.user.user_display_name
event.od_group_set.instigator_token.euid principal.user.userid
event.od_group_set.db_path additional.fields[od_group_set_db_path]
event.od_group_set.node_name additional.fields[od_group_set_node_name]
event.od_group_set.error_code additional.fields[od_group_set_error_code]

event_type: od_modify_password

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to od_modify_password.
metadata.description A group has a member initialized or replaced using Open Directory. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_CHANGE_PASSWORD.
event.od_modify_password.instigator.audit_token.euid principal.process.euid
event.od_modify_password.instigator.audit_token.ruid principal.process.ruid
event.od_modify_password.instigator.audit_token.egid principal.process.egid
event.od_modify_password.instigator.audit_token.rgid principal.process.rgid
event.od_modify_password.instigator.audit_token.pgid principal.process.pgid
event.od_modify_password.instigator.audit_token.pid principal.process.pid
event.od_modify_password.instigator.audit_token.uuid principal.process.product_specific_process_id
event.od_modify_password.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.od_modify_password.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.od_modify_password.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.od_modify_password.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.od_modify_password.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.od_modify_password.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.od_modify_password.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.od_modify_password.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.od_modify_password.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.od_modify_password.instigator.executable.path principal.process.file.full_path
event.od_modify_password.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.od_modify_password.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.od_modify_password.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.od_modify_password.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.od_modify_password.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.od_modify_password.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.od_modify_password.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.od_modify_password.instigator.executable.stat.st_size principal.process.file.size
event.od_modify_password.instigator.executable.sha256 principal.process.file.sha256
event.od_modify_password.instigator.executable.sha1 principal.process.file.sha1
event.od_modify_password.instigator.signing_id additional.fields[od_modify_password_instigator_signing_id]
event.od_modify_password.instigator.team_id additional.fields[od_modify_password_instigator_team_id]
event.od_modify_password.instigator.ppid additional.fields[od_modify_password_instigator_ppid]
event.od_modify_password.instigator.codesigning_flags additional.fields[od_modify_password_instigator_codesigning_flags]
event.od_modify_password.instigator.cdhash additional.fields[od_modify_password_instigator_cdhash]
event.od_modify_password.instigator.is_platform_binary additional.fields[od_modify_password_instigator_is_platform_binary]
event.od_modify_password.instigator.is_es_client additional.fields[od_modify_password_instigator_is_es_client]
event.od_modify_password.instigator.group_id additional.fields[od_modify_password_instigator_group_id]
event.od_modify_password.instigator.original_ppid additional.fields[od_modify_password_instigator_original_pp]
event.od_modify_password.instigator.session_id additional.fields[od_modify_password_instigator_session_id]
event.od_modify_password.account_name target.user.user_display_name
event.od_modify_password.instigator_token.euid principal.user.userid
event.od_modify_password.db_path additional.fields[od_modify_password_db_path]
event.od_modify_password.node_name additional.fields[od_modify_password_node_name]
event.od_modify_password.error_code additional.fields[od_modify_password_error_code]

event_type: openssh_login

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to openssh_login.
metadata.description A user has logged into the system via OpenSSH. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
network.application_protocol The network.application_protocol UDM field is set to SSH.
event.openssh_login.source_address src.ip
event.openssh_login.uid target.user.userid
openssh_login.username target.user.user_display_name
extensions.auth.mechanism The extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.
event.openssh_login.success security_result.category If the event.openssh_login.success log field value is equal to false then, the security_result.category UDM field is set to AUTH_VIOLATION.

event_type: openssh_logout

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to openssh_logout.
metadata.description A user has logged out of an OpenSSH session. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_LOGOUT.
network.application_protocol The network.application_protocol UDM field is set to SSH.
event.openssh_logout.source_address src.ip
event.openssh_logout.uid target.user.userid
openssh_logout.username target.user.user_display_name
extensions.auth.mechanism The extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

event_type: profile_add

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to openssh_logout.
metadata.description A configuration profile is installed on the system. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to SETTING_CREATION.
target.resource.resource_type The target.resource.resource_type UDM field is set to SETTING.
event.profile_add.instigator.audit_token.euid principal.process.euid
event.profile_add.instigator.audit_token.ruid principal.process.ruid
event.profile_add.instigator.audit_token.egid principal.process.egid
event.profile_add.instigator.audit_token.rgid principal.process.rgid
event.profile_add.instigator.audit_token.pgid principal.process.pgid
event.profile_add.instigator.audit_token.pid principal.process.pid
event.profile_add.instigator.audit_token.uuid principal.process.product_specific_process_id
event.profile_add.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.profile_add.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.profile_add.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.profile_add.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.profile_add.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.profile_add.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.profile_add.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.profile_add.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.profile_add.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.profile_add.instigator.executable.path principal.process.file.full_path
event.profile_add.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.profile_add.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.profile_add.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.profile_add.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.profile_add.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.profile_add.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.profile_add.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.profile_add.instigator.executable.stat.st_size principal.process.file.size
event.profile_add.instigator.executable.sha256 principal.process.file.sha256
event.profile_add.instigator.executable.sha1 principal.process.file.sha1
event.profile_add.instigator.signing_id additional.fields[profile_add_instigator_signing_id]
event.profile_add.instigator.team_id additional.fields[profile_add_instigator_team_id]
event.profile_add.instigator.ppid additional.fields[profile_add_instigator_ppid]
event.profile_add.instigator.codesigning_flags additional.fields[profile_add_instigator_codesigning_flags]
event.profile_add.instigator.cdhash additional.fields[profile_add_instigator_cdhash]
event.profile_add.instigator.is_platform_binary additional.fields[profile_add_instigator_is_platform_binary]
event.profile_add.instigator.is_es_client additional.fields[profile_add_instigator_is_es_client]
event.profile_add.instigator.group_id additional.fields[profile_add_instigator_group_id]
event.profile_add.instigator.original_ppid additional.fields[profile_add_instigator_original_pp]
event.profile_add.instigator.session_id additional.fields[profile_add_instigator_session_id]
event.profile_add.profile.scope target.resource.resource_subtype
event.profile_add.profile.uuid target.resource.product_object_id
event.profile_add.profile.display_name target.resource.name
event.profile_add.is_update additional.fields[profile_add_is_update]
event.profile_add.profile.identifier additional.fields[profile_add_profile_identifier]
event.profile_add.profile.install_source additional.fields[profile_add_profile_install_source]
event.profile_add.profile.organization additional.fields[profile_add_profile_organization]

event_type: profile_remove

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to openssh_logout.
metadata.description A configuration profile is removed from the system. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to SETTING_DELETION.
target.resource.resource_type The target.resource.resource_type UDM field is set to SETTING.
event.profile_remove.instigator.audit_token.euid principal.process.euid
event.profile_remove.instigator.audit_token.ruid principal.process.ruid
event.profile_remove.instigator.audit_token.egid principal.process.egid
event.profile_remove.instigator.audit_token.rgid principal.process.rgid
event.profile_remove.instigator.audit_token.pgid principal.process.pgid
event.profile_remove.instigator.audit_token.pid principal.process.pid
event.profile_remove.instigator.audit_token.uuid principal.process.product_specific_process_id
event.profile_remove.instigator.audit_token.signing_id principal.process.file.signature_info.codesign.id
event.profile_remove.instigator.parent_audit_token.euid principal.process.parent_process.euid
event.profile_remove.instigator.parent_audit_token.ruid principal.process.parent_process.ruid
event.profile_remove.instigator.parent_audit_token.egid principal.process.parent_process.egid
event.profile_remove.instigator.parent_audit_token.rgid principal.process.parent_process.rgid
event.profile_remove.instigator.parent_audit_token.pgid principal.process.parent_process.pgid
event.profile_remove.instigator.parent_audit_token.pid principal.process.parent_process.pid
event.profile_remove.instigator.parent_audit_token.uuid principal.process.parent_process.product_specific_process_id
event.profile_remove.instigator.parent_audit_token.signing_id principal.process.parent_process.file.signature_info.codesign.id
event.profile_remove.instigator.executable.path principal.process.file.full_path
event.profile_remove.instigator.executable.stat.st_dev principal.process.file.stat_dev
event.profile_remove.instigator.executable.stat.st_flags principal.process.file.stat_flags
event.profile_remove.instigator.executable.stat.st_ino principal.process.file.stat_inode
event.profile_remove.instigator.executable.stat.st_mode principal.process.file.stat_mode
event.profile_remove.instigator.executable.stat.st_mtimespec principal.process.file.last_modification_time
event.profile_remove.instigator.executable.stat.st_atimespec principal.process.file.last_access_time
event.profile_remove.instigator.executable.stat.st_nlink principal.process.file.stat_nlink
event.profile_remove.instigator.executable.stat.st_size principal.process.file.size
event.profile_remove.instigator.executable.sha256 principal.process.file.sha256
event.profile_remove.instigator.executable.sha1 principal.process.file.sha1
event.profile_remove.instigator.signing_id additional.fields[profile_remove_instigator_signing_id]
event.profile_remove.instigator.team_id additional.fields[profile_remove_instigator_team_id]
event.profile_remove.instigator.ppid additional.fields[profile_remove_instigator_ppid]
event.profile_remove.instigator.codesigning_flags additional.fields[profile_remove_instigator_codesigning_flags]
event.profile_remove.instigator.cdhash additional.fields[profile_remove_instigator_cdhash]
event.profile_remove.instigator.is_platform_binary additional.fields[profile_remove_instigator_is_platform_binary]
event.profile_remove.instigator.is_es_client additional.fields[profile_remove_instigator_is_es_client]
event.profile_remove.instigator.group_id additional.fields[profile_remove_instigator_group_id]
event.profile_remove.instigator.original_ppid additional.fields[profile_remove_instigator_original_pp]
event.profile_remove.instigator.session_id additional.fields[profile_remove_instigator_session_id]
event.profile_remove.profile.scope target.resource.resource_subtype
event.profile_remove.profile.uuid target.resource.product_object_id
event.profile_remove.profile.display_name target.resource.name
event.profile_remove.is_update additional.fields[profile_remove_is_update]
event.profile_remove.profile.identifier additional.fields[profile_remove_profile_identifier]
event.profile_remove.profile.install_source additional.fields[profile_remove_profile_install_source]
event.profile_remove.profile.organization additional.fields[profile_remove_profile_organization]

event_type: sudo

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to sudo.
metadata.description A sudo attempt occurred. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.sudo.reject_info.plugin_name additional.fields[sudo_reject_info_plugin_name]
event.sudo.reject_info.failure_message additional.fields[sudo_reject_info_failure_message]
event.sudo.reject_info.plugin_type additional.fields[sudo_reject_info_plugin_type]
event.sudo.from_uid principal.user.userid
event.sudo.from_username principal.user.user_display_name
event.sudo.command target.process.command_line
event.sudo.to_uid target.user.userid
event.sudo.to_username target.user.user_display_name
event.sudo.success security_result.category If the event.sudo.success log field value is equal to false then, the security_result.category UDM field is set to AUTH_VIOLATION.

event_type: system_performance

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to system_performance.
metadata.description Event occurs on a regular interval to collect application performance data. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.performance.metrics.hw_model additional.fields[performance_metrics_hw_model]
event.performance.page_info.page additional.fields[performance_page_info_page]
udm.performance.page_info.total additional.fields[performance_page_info_total]
event.performance.metrics.tasks.name additional.fields[task_name]
event.performance.metrics.tasks.energy_impact additional.fields[task_energy_impact]

event_type: unmount

Log field UDM mapping Logic
metadata.product_event_type The metadata.product_event_type UDM field is set to unmount.
metadata.description A file system has been unmounted. value is set to the metadata.description UDM field.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
event.unmount.statfs.f_owner target.user.userid
event.unmount.device.size target.file.size
event.unmount.statfs.f_fstypename target.resource.resource_subtype
event.unmount.statfs.f_mntfromname target.resource.name
event.unmount.device.protocol additional.fields[unmount_device_protocol]
event.unmount.device.serial_number target.asset.hardware.serial_number If the event.unmount.device.serial_number log field value is not empty or the event.unmount.device.vendor_name log field value is not empty or the event.unmount.device.device_model log field value is not empty then, event.unmount.device.serial_number log field is mapped to the target.asset.hardware.serial_number UDM field.
event.unmount.device.device_model target.asset.hardware.model If the event.unmount.device.serial_number log field value is not empty or the event.unmount.device.vendor_name log field value is not empty or the event.unmount.device.device_model log field value is not empty then, event.unmount.device.device_model log field is mapped to the target.asset.hardware.model UDM field.
event.unmount.device.vendor_name target.asset.hardware.manudacturer If the event.unmount.device.serial_number log field value is not empty or the event.unmount.device.vendor_name log field value is not empty or the event.unmount.device.device_model log field value is not empty then, event.unmount.device.vendor_name log field is mapped to the target.asset.hardware.manufacturer UDM field.

還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。