Se usó la API de Cloud Translation para traducir esta página.

Recopila registros de telemetría de Jamf Protect

Compatible con:

Google SecOps SIEM

En este documento, se describe cómo puedes recopilar registros de telemetría de Jamf Protect configurando un feed de Google Security Operations y cómo los campos de registro se asignan a los campos del Modelo de datos unificado (UDM) de Google Security Operations. En este documento, también se indica la versión compatible de la telemetría de Jamf Protect.

Para obtener más información, consulta Transferencia de datos a Google Security Operations.

Una implementación típica consta de la telemetría de Jamf Protect y el feed de Google Security Operations configurado para enviar registros a Google Security Operations. Cada implementación para el cliente puede ser diferente y más compleja.

La implementación contiene los siguientes componentes:

Telemetría de Jamf Protect Plataforma de telemetría de Jamf Protect desde la que recopilas registros.
Feed de Google Security Operations Es el feed de Google Security Operations que recupera registros de la telemetría de Jamf Protect y los escribe en Google Security Operations.
Google Security Operations. Google Security Operations retiene y analiza los registros de la telemetría de Jamf Protect.

Una etiqueta de transferencia identifica el analizador que normaliza los datos de registro sin procesar en formato UDM estructurado. La información de este documento se aplica al analizador con la etiqueta de transferencia JAMF_TELEMETRY.

Antes de comenzar

Asegúrate de cumplir con los siguientes requisitos previos:

Configuración de Jamf Protect Telemetry
Jamf Protect, versión 4.0.0 o posterior
Todos los sistemas de la arquitectura de implementación están configurados con la zona horaria UTC.

Configura feeds

Existen dos puntos de entrada diferentes para configurar feeds en la plataforma de Google SecOps:

Configuración de SIEM > Feeds
Centro de contenido > Paquetes de contenido

Configura feeds desde Configuración del SIEM > Feeds

Puedes usar Amazon S3 o un webhook para configurar un feed de transferencia en Google Security Operations, pero te recomendamos que uses Amazon S3.

Configura un feed de transferencia en Google SecOps con Amazon S3

Para configurar varios feeds para diferentes tipos de registros dentro de esta familia de productos, consulta Cómo configurar feeds por producto.

Para configurar un solo feed, sigue estos pasos:

Ve a SIEM Settings > Feeds.
Haz clic en Agregar feed nuevo.
En la siguiente página, haz clic en Configurar un solo feed.
En el campo Nombre del feed, ingresa un nombre para el feed, por ejemplo, Registros de telemetría de Jamf.
Selecciona Amazon S3 como el Tipo de fuente.
Para crear un feed para la telemetría de Jamf Protect, selecciona Jamf Protect Telemetry como el Tipo de registro.
Haz clic en Siguiente.
Guarda el feed y, luego, haz clic en Enviar.
Copia el ID del feed del nombre del feed para usarlo en Jamf Protect Telemetry.

Configura un feed de transferencia en Google SecOps con un webhook

Solo para clientes unificados de Google Security Operations:
Para configurar varios feeds para diferentes tipos de registros dentro de esta familia de productos, consulta Cómo configurar varios feeds.

Para todos los clientes:
Para configurar un solo feed, sigue estos pasos:

Ve a SIEM Settings > Feeds.
Haz clic en Agregar feed nuevo.
En la siguiente página, haz clic en Configurar un solo feed. Omite este paso si usas la plataforma independiente de SIEM de Google SecOps.
En el campo Nombre del feed, ingresa un nombre para el feed, por ejemplo, Registros de telemetría de Jamf.
En la lista Tipo de fuente, selecciona Webhook.
Para crear un feed para la telemetría de Jamf Protect, selecciona Jamf Protect Telemetry como el Tipo de registro.
Haz clic en Siguiente.
Opcional: Especifica valores para los siguientes parámetros de entrada:
- Delimitador de división: Es el delimitador que se usa para separar las líneas de registro, como \n.
- Espacio de nombres del recurso: Es el espacio de nombres del recurso.
- Etiquetas de transferencia: Es la etiqueta que se aplicará a los eventos de este feed.
Haz clic en Siguiente.
Revisa la nueva configuración del feed en la pantalla Finalizar y, luego, haz clic en Enviar.
Haz clic en Generar clave secreta para generar una clave secreta que autentique este feed.
Copia y almacena la clave secreta. No podrás volver a ver esta clave secreta. Si es necesario, puedes regenerar una clave secreta nueva, pero esta acción hace que la clave secreta anterior quede obsoleta.
En la pestaña Detalles, copia la URL del extremo del feed del campo Información del extremo. Necesitarás esta URL HTTPS para configurar tu aplicación cliente de telemetría de Jamf Protect.
Haz clic en Listo.

Configura feeds desde el Centro de contenido

Especifica valores para los siguientes campos:

Región: Es la región en la que se encuentra el bucket de Amazon S3.
URI de S3: Es el URI del bucket.
- s3://your-log-bucket-name/
  - Reemplaza your-log-bucket-name por el nombre real de tu bucket de S3.
El URI es un: Selecciona Directorio o Directorio que incluye subdirectorios, según la estructura de tu bucket.
Opciones de eliminación de la fuente: Selecciona la opción de eliminación según tus preferencias de transferencia.
ID de clave de acceso: Es la clave de acceso del usuario con permisos para leer desde el bucket de S3.
Clave de acceso secreta: Es la clave secreta del usuario con permisos para leer desde el bucket de S3.

Opciones avanzadas

Nombre del feed: Es un valor completado previamente que identifica el feed.
Tipo de fuente: Es el método que se usa para recopilar registros en Google SecOps.
Espacio de nombres del recurso: Espacio de nombres asociado al feed.
Etiquetas de transferencia: Son las etiquetas que se aplican a todos los eventos de este feed.

Crea una clave de API para un feed de webhook

Ve a Google Cloud consola > Credenciales.

Ir a Credenciales
Haz clic en Crear credenciales y selecciona Clave de API.
Restringe el acceso a la clave de API a la API de Google Security Operations.

Cómo configurar la telemetría de Jamf Protect para un feed de webhook

En la aplicación Jamf Protect Telemetry, navega a la configuración de acción relacionada.
Para agregar un extremo de datos nuevo, haz clic en Create Actions.
Selecciona HTTP como el protocolo.
Ingresa la URL HTTPS del extremo de API de Google Security Operations en el campo URL. (Este es el campo Endpoint Information que copiaste de la configuración del feed de webhook. Ya está en el formato requerido.
Para habilitar la autenticación, especifica la clave de API y la clave secreta como parte del encabezado personalizado en el siguiente formato:
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
Recomendación: Especifica la clave de API como un encabezado en lugar de hacerlo en la URL. Si tu cliente de webhook no admite encabezados personalizados, puedes especificar la clave de API y la clave secreta con parámetros de búsqueda en el siguiente formato:
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```
Reemplaza lo siguiente:
- ENDPOINT_URL: Es la URL del extremo del feed.
- API_KEY: Es la clave de API para autenticarse en Google Security Operations.
- SECRET: Es la clave secreta que generaste para autenticar el feed.
En la sección Collect Logs, selecciona Telemetry.
Haz clic en Enviar.

Para obtener más información sobre los feeds de Google Security Operations, consulta la documentación de los feeds de Google Security Operations. Para obtener información sobre los requisitos de cada tipo de feed, consulta Configuración de feeds por tipo.

Si tienes problemas para crear feeds, comunícate con el equipo de asistencia de Operaciones de seguridad de Google.

Tipos de registros de telemetría de Jamf Protect admitidos

El analizador de telemetría de Jamf Protect admite los siguientes tipos de registros:

Event Type

AUE_add_to_group
AUE_AUDITCTL
AUE_AUDITON_SPOLICY
AUE_AUTH_USER
AUE_BIND
AUE_BIOS_FIRMWARE_VERSIONS
AUE_CHDIR
AUE_CHROOT
AUE_CONNECT
AUE_create_group
AUE_delete_group
AUE_create_user
AUE_delete_user
AUE_EXECVE
AUE_EXIT
AUE_FORK
AUE_GETAUID
AUE_KILL
AUE_LISTEN
AUE_LOGOUT
AUE_LW_LOGIN
AUE_MAC_SET_PROC
AUE_modify_group
AUE_modify_password
AUE_modify_user
AUE_MOUNT
AUE_openssh
AUE_PIDFORTASK
AUE_POSIX_SPAWN
AUE_REMOVE_FROM_GROUP
AUE_SESSION_CLOSE
AUE_SESSION_END
AUE_SESSION_START
AUE_SESSION_UPDATE
AUE_SETPRIORITY
AUE_SETSOCKOPT
AUE_SETTIMEOFDAY
AUE_SHUTDOWN
AUE_SOCKETPAIR
AUE_SSAUTHINT
AUE_SSAUTHMECH
AUE_SSAUTHORIZE
AUE_TASKFORPID
AUE_TASKNAMEFORPID
AUE_UNMOUNT
AUE_WAIT4
PLAINTEXT_LOG_COLLECTION_EVENT
SYSTEM_PERFORMANCE_METRICS

Formatos de registro de telemetría de Jamf Protect admitidos

El analizador de telemetría de Jamf Protect admite registros en formato JSON.

Registros de muestra de telemetría de Jamf Protect admitidos

JSON

{
  "exec_chain": {
    "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E"
  },
  "exec_chain_child": {
    "parent_path": "/sbin/launchd",
    "parent_pid": 1,
    "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02"
  },
  "header": {
    "time_seconds_epoch": 1657906179,
    "time_milliseconds_offset": 848,
    "version": 11,
    "event_modifier": 0,
    "event_id": 45018,
    "event_name": "AUE_add_to_group"
  },
  "host_info": {
    "serial_number": "C03WG0H4HDTS",
    "host_name": "Test_MacBook_Pro",
    "osversion": "Version 12.4 (Build 21F79)",
    "host_uuid": "8891C1E2-0AC0-4E4A-844B-EA491B14D115"
  },
  "identity": {
    "signer_id": "dummy.domain.opendirectoryd",
    "team_id_truncated": false,
    "signer_id_truncated": false,
    "cd_hash": "68d22bdec020f20010bfa9d27cd5f69d78427636",
    "team_id": "",
    "signer_type": 1
  },
  "key": "21E48D3B-4965-4072-81BF-83BE04A329C2",
  "return": {
    "error": 0,
    "description": "success",
    "return_value": 0
  },
  "subject": {
    "session_id": 100003,
    "group_id": 20,
    "process_name": "/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice",
    "parent_pid": 1,
    "effective_user_name": "jamf",
    "user_id": 501,
    "group_name": "staff",
    "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02",
    "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E",
    "effective_group_id": 20,
    "process_hash": "507494616e05a5eb909794354fe69f29e432f2a7",
    "audit_id": 501,
    "responsible_process_id": 1391,
    "parent_path": "/sbin/launchd",
    "process_id": 1701,
    "effective_group_name": "staff",
    "audit_user_name": "jamf",
    "effective_user_id": 501,
    "terminal_id": {
      "type": 4,
      "ip_address": "198.51.100.0",
      "port": 4278
    },
    "responsible_process_name": "/System/Applications/System Preferences.app/Contents/MacOS/System Preferences",
    "user_name": "jamf"
  },
  "texts": [
    "Added Groups membership username to '_lpadmin' node '/Local/Default', value = 'baddie'"
  ]
}

Referencia de la asignación de campos

En esta sección, se explica cómo el analizador de Google Security Operations asigna los campos de telemetría de Jamf Protect a los campos del modelo de datos unificado (UDM) de Google Security Operations.

Referencia de asignación de campos: Del identificador de evento al tipo de evento

En la siguiente tabla, se enumeran los tipos de registros de JAMF_TELEMETRY y sus tipos de eventos de UDM correspondientes.

Event Identifier	Event Type
`AUE_add_to_group`	`GROUP_MODIFICATION`
`AUE_AUDITCTL`	`RESOURCE_READ`
`AUE_AUDITON_SPOLICY`	`RESOURCE_READ`
`AUE_AUTH_USER`	`USER_LOGIN`
`AUE_BIND`	`NETWORK_CONNECTION`
`AUE_BIOS_FIRMWARE_VERSIONS`	`USER_RESOURCE_ACCESS`
`AUE_CHDIR`	`USER_RESOURCE_ACCESS`
`AUE_CHROOT`	`USER_RESOURCE_ACCESS`
`AUE_CONNECT`	`NETWORK_CONNECTION`
`AUE_create_group`	`GROUP_CREATION`
`AUE_delete_group`	`GROUP_DELETION`
`AUE_create_user`	`USER_CREATION`
`AUE_delete_user`	`USER_DELETION`
`AUE_EXECVE`	`PROCESS_LAUNCH`
`AUE_EXIT`	`PROCESS_TERMINATION`
`AUE_FORK`	`PROCESS_LAUNCH`
`AUE_GETAUID`	`SCHEDULED_TASK_CREATION`
`AUE_KILL`	`PROCESS_TERMINATION`
`AUE_LISTEN`	`NETWORK_CONNECTION`
`AUE_LOGOUT`	`USER_LOGOUT`
`AUE_LW_LOGIN`	`USER_LOGIN`
`AUE_MAC_SET_PROC`	`PROCESS_UNCATEGORIZED`
`AUE_modify_group`	`GROUP_MODIFICATION`
`AUE_modify_password`	`USER_CHANGE_PASSWORD`
`AUE_modify_user`	`USER_UNCATEGORIZED`
`AUE_MOUNT`	`RESOURCE_READ`
`AUE_openssh`	`USER_LOGIN`
`AUE_PIDFORTASK`	`PROCESS_LAUNCH`
`AUE_POSIX_SPAWN`	`PROCESS_LAUNCH`
`AUE_REMOVE_FROM_GROUP`	`GROUP_MODIFICATION`
`AUE_SESSION_CLOSE`	`USER_LOGOUT`
`AUE_SESSION_END`	`USER_LOGOUT`
`AUE_SESSION_START`	`USER_LOGIN`
`AUE_SESSION_UPDATE`	`USER_UNCATEGORIZED`
`AUE_SETPRIORITY`	`SETTING_MODIFICATION`
`AUE_SETSOCKOPT`	`NETWORK_CONNECTION`
`AUE_SETTIMEOFDAY`	`SETTING_MODIFICATION`
`AUE_SHUTDOWN`	`STATUS_SHUTDOWN`
`AUE_SOCKETPAIR`	`NETWORK_CONNECTION`
`AUE_SSAUTHINT`	`USER_LOGIN`
`AUE_SSAUTHMECH`	`USER_LOGIN`
`AUE_SSAUTHORIZE`	`USER_LOGIN`
`AUE_TASKFORPID`	`PROCESS_INJECTION`
`AUE_TASKNAMEFORPID`	`PROCESS_INJECTION`
`AUE_UNMOUNT`	`RESOURCE_READ`
`AUE_WAIT4`	`PROCESS_UNCATEGORIZED`
`PLAINTEXT_LOG_COLLECTION_EVENT`	`GENERIC_EVENT`

`SYSTEM_PERFORMANCE_METRICS`	`GENERIC_EVENT`

Referencia de asignación de campos: JAMF_TELEMETRY

En la siguiente tabla, se enumeran los campos de registro del tipo de registro JAMF_TELEMETRY y sus campos de UDM correspondientes.

Log field	UDM mapping	Logic
	`metadata.event_type`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `JAMF_TELEMETRY`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `JAMF`.
`header.time_seconds_epoch`	`metadata.event_timestamp`
`header.time_milliseconds_offset`	`about.labels[time_milliseconds_offset]` (deprecated)
`header.time_milliseconds_offset`	`additional.fields[time_milliseconds_offset]`
`header.version`	`about.labels[header_version]` (deprecated)
`header.version`	`additional.fields[header_version]`
`header.event_modifier`	`about.labels[event_modifier]` (deprecated)
`header.event_modifier`	`additional.fields[event_modifier]`
`header.event_uuid`	`metadata.product_log_id`
`header.event_name,header.event_id`	`metadata.product_event_type`	If the `header.event_name` and `header.event_id` log field values are not empty, then the `header.event_name-header.event_id` log fields are mapped to the `metadata.product_event_type` UDM field. Else, if the `header.event_name` log field value is not empty, then the `header.event_name` log field is mapped to the `metadata.product_event_type` UDM field. Else, if the `header.event_id` log field value is not empty, then the `header.event_id` log field is mapped to the `metadata.product_event_type` UDM field.
`exec_chain.thread_uuid`	`principal.labels[exec_chain_thread_uuid]` (deprecated)
`exec_chain.thread_uuid`	`additional.fields[exec_chain_thread_uuid]`
`exec_chain.uuid`	`principal.labels[exec_chain_uuid]` (deprecated)
`exec_chain.uuid`	`additional.fields[exec_chain_uuid]`
`exec_chain_child.parent_path`	`principal.process.parent_process.file.full_path`
`exec_chain_child.parent_pid`	`principal.process.parent_process.pid`
`exec_chain_child.parent_uuidsubject.parent` (deprecated)	`principal.labels[exec_chain_child_parent_uuid]`
`exec_chain_child.parent_uuid`	`additional.fields[exec_chain_child_parent_uuid]`
`host_info.serial_number`	`principal.asset.hardware.serial_number`
`host_info.host_name`	`principal.hostname`
`host_info.osversion`	`principal.asset.software.version`
`host_info.host_uuid`	`principal.asset.product_object_id`
`host_info.primary_mac_address`	`principal.asset.mac`
`identity.signer_id`	`principal.labels[identity_signer_id]` (deprecated)
`identity.signer_id`	`additional.fields[identity_signer_id]`
`identity.team_id_truncated`	`principal.labels[identity_team_id_truncated]` (deprecated)
`identity.team_id_truncated`	`additional.fields[identity_team_id_truncated]`
`identity.signer_id_truncated`	`principal.labels[identity_signer_id_truncated]` (deprecated)
`identity.signer_id_truncated`	`additional.fields[identity_signer_id_truncated]`
`identity.cd_hash`	`principal.labels[identity_cd_hash]` (deprecated)
`identity.cd_hash`	`additional.fields[identity_cd_hash]`
`identity.team_id`	`principal.labels[team_id]` (deprecated)
`identity.team_id`	`additional.fields[team_id]`
`identity.signer_type`	`principal.labels[signer_type]` (deprecated)
`identity.signer_type`	`additional.fields[signer_type]`
`key`	`about.labels[key]` (deprecated)
`key`	`additional.fields[key]`
`return.error,return.description`	`security_result.description`	If the `return.error` and `return.description` log field values are not empty, then the `return.error-return.description` log fields are mapped to the `security_result.description` UDM field. Else, if the `return.error` log field value is not empty, then the `return.error` log field is mapped to the `security_result.description` UDM field. Else, if the `return.description` log field value is not empty, then the `return.description` log field is mapped to the `security_result.description` UDM field.
`return.return_value`	`security_result.detection_fields`
`subject.session_id`	`network.session_id`
`subject.group_id`	`principal.user.group_identifiers`	If the `header.event_name` log field value contains one of the following values, then the `subject.group_id` log field is mapped to the `target.user.group_identifiers` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.group_id` log field is mapped to the `principal.user.group_identifiers` UDM field.
`subject.effective_group_id`	`target.user.group_identifiers`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_group_id` log field is mapped to the `target.user.group_identifiers` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.group_name`	`principal.group.group_display_name`	If the `header.event_name` log field value contains one of the following values, then the `subject.group_name` log field is mapped to the `target.group.group_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.group_name` log field is mapped to the `principal.group.group_display_name` UDM field.
`subject.effective_group_name`	`target.group.group_display_name`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_group_name` log field is mapped to the `target.group.group_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.user_name`	`principal.user.user_display_name`	If the `header.event_name` log field value contains one of the following values, then the `subject.user_name` log field is mapped to the `target.user.user_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.user_name` log field is mapped to the `principal.user.user_display_name` UDM field.
`subject.effective_user_name`	`target.user.user_display_name`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_user_name` log field is mapped to the `target.user.user_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.user_id`	`principal.user.userid`	If the `header.event_name` log field value contains one of the following values, then the `subject.user_id` log field is mapped to the `target.user.userid` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.user_id` log field is mapped to the `principal.user.userid` UDM field.
`subject.effective_user_id`	`target.user.userid`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_user_id` log field is mapped to the `target.user.userid` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.audit_id`	`principal.labels[audit_id]` (deprecated)
`subject.audit_id`	`additional.fields[audit_id]`
`subject.responsible_process_id,metrics.tasks.pid`	`principal.process.pid`	If the `header.event_name` log field value is equal to `SYSTEM_PERFORMANCE_METRICS`, then the `metrics.tasks.pid` log field is mapped to the `principal.process.pid` UDM field. Else, the `subject.responsible_process_id` log field is mapped to the `principal.process.pid` UDM field.
`subject.process_id`	`principal.process_ancestors.pid`	If the `subject.responsible_process_id` log field value is not empty, then the `subject.process_id` log field is mapped to the `principal.process_ancestors.pid` UDM field. Else, the `subject.process_id` log field is mapped to the `principal.process.pid` UDM field.
`subject.audit_user_name`	`principal.labels[audit_user_name]` (deprecated)
`subject.audit_user_name`	`additional.fields[audit_user_name]`
`subject.process_name`	`principal.process_ancestors.file.full_path`	If the `subject.responsible_process_name` log field value is not empty, then the `subject.process_name` log field is mapped to the `principal.process_ancestors.file.full_path` UDM field. Else, the `subject.process_name` log field is mapped to the `principal.process.file.full_path` UDM field.
`subject.responsible_process_name`	`principal.process.file.full_path`
`subject.process_hash`	`principal.process.file.sha1`
`subject.terminal_id.type`	`principal.labels[type]` (deprecated)	If the `subject.terminal_id.type` log field value is equal to `4`, then the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `principal.labels.value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `principal.labels.value` UDM field is set to `6-IPv6`. Else, the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `subject.terminal_id.type` log field is mapped to the `principal.labels.value` UDM field.
`subject.terminal_id.type`	`additional.fields[type]`	If the `subject.terminal_id.type` log field value is equal to `4`, then the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `6-IPv6`. Else, the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `subject.terminal_id.type` log field is mapped to the `additional.fields.value.string_value` UDM field.
`subject.terminal_id.ip_address`	`principal.ip`
`subject.terminal_id.port`	`principal.port`
`texts`	`metadata.description`	If the `index` value is equal to `0`, then the `texts` log field is mapped to the `metadata.description` UDM field. Else, the `texts` log field is mapped to the `about.labels.value` UDM field.
`attributes.device`	`principal.asset.attribute.labels[device]`
`attributes.owner_group_name`	`about.group.group_display_name`
`attributes.owner_group_id`	`about.user.group_identifiers`
`attributes.owner_user_id`	`about.user.userid`
`attributes.owner_user_name`	`about.user.user_display_name`
`attributes.file_system_id`	`principal.labels[attributes_file_system_id]` (deprecated)
`attributes.file_system_id`	`additional.fields[attributes_file_system_id]`
`attributes.file_access_mode`	`principal.labels[attributes_file_access_mode]` (deprecated)
`attributes.file_access_mode`	`additional.fields[attributes_file_access_mode]`
`attributes.node_id`	`principal.asset.asset_id`
`path`	`about.labels[path]`
`arguments.cmd`	`principal.labels[arguments_cmd]` (deprecated)
`arguments.cmd`	`additional.fields[arguments_cmd]`
`arguments.policy`	`principal.labels[arguments_policy]` (deprecated)
`arguments.policy`	`additional.fields[arguments_policy]`
`arguments.length`	`principal.labels[arguments_length]` (deprecated)
`arguments.length`	`additional.fields[arguments_length]`
`_event_score`	`security_result.severity_details`
`architecture`	`principal.asset.hardware.cpu_model`
`arguments.addr`	`principal.labels[arguments_addr]` (deprecated)
`arguments.addr`	`additional.fields[arguments_addr]`
`arguments.am_failure`	`principal.labels[arguments_am_failure]` (deprecated)
`arguments.am_failure`	`additional.fields[arguments_am_failure]`
`arguments.am_success`	`principal.labels[arguments_am_success]` (deprecated)
`arguments.am_success`	`additional.fields[arguments_am_success]`
`arguments.authenticated_as_test`	`principal.labels[arguments_authenticated_as_test]` (deprecated)
`arguments.authenticated_as_test`	`additional.fields[arguments_authenticated_as_test]`
`arguments.child_PID`	`principal.labels[arguments_child_PID]` (deprecated)
`arguments.child_PID`	`additional.fields[arguments_child_PID]`
`arguments.data`	`principal.labels[arguments_data]` (deprecated)
`arguments.data`	`additional.fields[arguments_data]`
`arguments.domain`	`principal.labels[arguments_domain]` (deprecated)
`arguments.domain`	`additional.fields[arguments_domain]`
`arguments.fd`	`principal.labels[arguments_fd]` (deprecated)
`arguments.fd`	`additional.fields[arguments_fd]`
`arguments.flags`	`principal.labels[arguments_flags]` (deprecated)
`arguments.flags`	`additional.fields[arguments_flags]`
`arguments.authenticated_as_allen.golbig`	`principal.labels[authenticated_as_allen_golbig]` (deprecated)
`arguments.authenticated_as_allen.golbig`	`additional.fields[authenticated_as_allen_golbig]`
`arguments.known_UID_`	`principal.labels[argument_known_uid]` (deprecated)
`arguments.known_UID_`	`additional.fields[argument_known_uid]`
`arguments.pid`	`principal.labels[arguments_pid]` (deprecated)
`arguments.pid`	`additional.fields[arguments_pid]`
`arguments.port`	`principal.labels[arguments_port]` (deprecated)
`arguments.port`	`additional.fields[arguments_port]`
`arguments.priority`	`security_result.priority_details`
`arguments.process`	`principal.labels[argument_process]` (deprecated)
`arguments.process`	`additional.fields[argument_process]`
`arguments.protocol`	`principal.labels[argument_protocol]` (deprecated)
`arguments.protocol`	`additional.fields[argument_protocol]`
`arguments.request`	`principal.labels[argument_request]` (deprecated)
`arguments.request`	`additional.fields[argument_request]`
`arguments.sflags`	`principal.labels[arguments_sflags]` (deprecated)
`arguments.sflags`	`additional.fields[arguments_sflags]`
`arguments.signal`	`principal.labels[argument_signal]` (deprecated)
`arguments.signal`	`additional.fields[argument_signal]`
`arguments.target_port,process.terminal_id.port,socket_inet.port`	`target.port`	If the `header.event_name` log field value is equal to `AUE_KILL` or `AUE_TASKFORPID`, then the `process.port` log field is mapped to the `target.port` UDM field. Else, if the `header.event_name` log field value is equal to `AUE_BIND` or `AUE_CONNECT`, then the `socket_inet.port` log field is mapped to the `target.port` UDM field. Else, the `agument.target_port` log field is mapped to the `target.port` UDM field.
`arguments.task_port`	`principal.labels[task_port]` (deprecated)
`arguments.task_port`	`additional.fields[task_port]`
`arguments.type`	`principal.labels[argument_type]` (deprecated)
`arguments.type`	`additional.fields[argument_type]`
`arguments.which`	`principal.labels[which]` (deprecated)
`arguments.which`	`additional.fields[which]`
`arguments.who`	`principal.labels[who]` (deprecated)
`arguments.who`	`additional.fields[who]`
`bios_firmware_versions.booter-version`	`principal.asset.attribute.labels[booter_version]`
`bios_firmware_versions.firmware-features`	`principal.asset.attribute.labels[firmware_features]`
`bios_firmware_versions.firmware-version`	`principal.asset.attribute.labels[firmware_version]`
`bios_firmware_versions.release-date`	`principal.asset.attribute.labels[release_date]`
`bios_firmware_versions.rom-size`	`principal.asset.attribute.labels[rom_size]`
`bios_firmware_versions.system-firmware-version`	`principal.asset.attribute.labels[system_firmware_version]`
`bios_firmware_versions.vendor`	`principal.asset.attribute.labels[vendor]`
`bios_firmware_versions.version`	`principal.asset.attribute.labels[version]`
`exec_args.args_compiled`	`principal.process.command_line`
`exec_chain_parent.uuid`	`principal.labels[parent_uuid]` (deprecated)
`exec_chain_parent.uuid`	`additional.fields[parent_uuid]`
`exec_env.env_compiled`	`about.labels[env_compiled]` (deprecated)
`exec_env.env_compiled`	`additional.fields[env_compiled]`
`exec_env.env.PATH`	`about.labels[env_path]` (deprecated)
`exec_env.env.PATH`	`additional.fields[env_path]`
`exit.return_value`	`principal.labels[return_value]` (deprecated)
`exit.return_value`	`additional.fields[return_value]`
`exit.status`	`principal.labels[exit_status]` (deprecated)
`exit.status`	`additional.fields[exit_status]`
`process.audit_id`	`about.labels[process_audit_id]` (deprecated)
`process.audit_id`	`additional.fields[process_audit_id]`
`process.audit_user_name`	`about.labels[audit_user_name]` (deprecated)
`process.audit_user_name`	`additional.fields[audit_user_name]`
`process.group_idprocess.effective_group_id`	`about.user.group_identifiers`
`process.group_name`	`about.group.group_display_name`
`process.process_hash`	`target.process.file.sha1`
`process.process_id`	`target.process.pid`
`process.process_name`	`target.process.file.full_path`
`process.session_id`	`target.labels[process_session_id]` (deprecated)
`process.session_id`	`additional.fields[process_session_id]`
`process.terminal_id.addr`	`target.labels[addr]`
`process.terminal_id.ip_address`	`target.ip`
`process.terminal_id.type`	`target.labels[process_terminal_id_type]` (deprecated)	If the `process.terminal_id.type` log field value is equal to `4`, then the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `target.labels.value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `target.labels.value` UDM field is set to `6-IPv6`. Else, the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `process.terminal_id.type` log field is mapped to the `target.labels.value` UDM field.
`process.terminal_id.type`	`additional.fields[process_terminal_id_type]`	If the `process.terminal_id.type` log field value is equal to `4`, then the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `6-IPv6`. Else, the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `process.terminal_id.type` log field is mapped to the `additional.fields.value.string_value` UDM field.
`process.user_id`	`about.user.userid`
`process.user_name`	`about.user.user_display_name`
`rateLimitingSeconds`	`about.labels[rate_limiting_seconds]` (deprecated)
`rateLimitingSeconds`	`additional.fields[rate_limiting_seconds]`
`socket_inet.family`	`target.labels[socket_inet_family]` (deprecated)
`socket_inet.family`	`additional.fields[socket_inet_family]`
`socket_inet.id`	`target.labels[socket_inet_id]` (deprecated)	If the `socket_inet.id` log field value is equal to `128`, then the `target.labels.key` UDM field is set to `socket_inet_id` and the `target.labels.value` UDM field is set to `128-IPv4`. Else, if the `socket_inet.id` log field value is equal to `129`, then the `target.labels.key` UDM field is set to `socket_inet_id` and the `target.labels.value` UDM field is set to `129-IPv6`. Else, the `target.labels.key` UDM field is set to `socket_inet_id` and the `socket_inet.ip` log field is mapped to the `target.labels.value` UDM field.
`socket_inet.id`	`additional.fields[socket_inet_id]`	If the `socket_inet.id` log field value is equal to `128`, then the `additional.fields.key` UDM field is set to `socket_inet_id` and the `additional.fields.value.string_value` UDM field is set to `128-IPv4`. Else, if the `socket_inet.id` log field value is equal to `129`, then the `additional.fields.key` UDM field is set to `socket_inet_id` and the `additional.fields.value.string_value` UDM field is set to `129-IPv6`. Else, the `additional.fields.key` UDM field is set to `socket_inet_id` and the `socket_inet.ip` log field is mapped to the `additional.fields.value.string_value` UDM field.
`socket_inet.ip_address`	`target.ip`
`socket_unix.family`	`target.labels[socket_unix_family]` (deprecated)
`socket_unix.family`	`additional.fields[socket_unix_family]`
`socket_unix.path`	`target.file.full_path`
`subject.terminal_id.addr`	`target.labels[addr]`
`metrics.hw_model`	`principal.asset.hardware.model`
`metrics.tasks.bytes_received`	`network.received_bytes`	If the `index` value is equal to `0`, then the `metrics.tasks.bytes_received` log field is mapped to the `network.received_bytes` UDM field. Else, the `metrics.tasks.bytes_received` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.bytes_received_per_s`	`principal.asset.attribute.labels[bytes_received_per_s]`
`metrics.tasks.bytes_sent`	`network.sent_bytes`	If the `index` value is equal to `0`, then the `metrics.tasks.bytes_sent` log field is mapped to the `network.sent_bytes` UDM field. Else, the `metrics.tasks.bytes_sent` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.bytes_sent_per_s`	`principal.asset.attribute.labels[bytes_sent_per_s]`
`metrics.tasks.cputime_ms_per_s`	`principal.asset.attribute.labels[cputime_ms_per_s]`
`metrics.tasks.cputime_ns`	`principal.asset.attribute.labels[cputime_ns]`
`metrics.tasks.cputime_sample_ms_per_s`	`principal.asset.attribute.labels[cputime_sample_ms_per_s]`
`metrics.tasks.cputime_userland_ratio`	`principal.asset.attribute.labels[cputime_userland_ratio]`
`metrics.tasks.diskio_bytesread`	`principal.asset.attribute.labels[diskio_bytesread]`
`metrics.tasks.diskio_bytesread_per_s`	`principal.asset.attribute.labels[diskio_bytesread_per_s]`
`metrics.tasks.diskio_byteswritten`	`principal.asset.attribute.labels[diskio_byteswritten]`
`metrics.tasks.diskio_byteswritten_per_s`	`principal.asset.attribute.labels[diskio_byteswritten_per_s]`
`metrics.tasks.energy_impact`	`principal.asset.attribute.labels[energy_impact]`
`metrics.tasks.energy_impact_per_s`	`principal.asset.attribute.labels[energy_impact_per_s]`
`metrics.tasks.idle_wakeups`	`principal.asset.attribute.labels[idle_wakeups]`
`metrics.tasks.interval_ns`	`principal.asset.attribute.labels[interval_ns]`
`metrics.tasks.intr_wakeups_per_s`	`principal.asset.attribute.labels[intr_wakeups_per_s]`
`metrics.tasks.name`	`principal.asset.attribute.labels[name]`
`metrics.tasks.packets_received`	`network.received_packets`	If the `index` value is equal to `0`, then the `metrics.tasks.packets_received` log field is mapped to the `network.received_packets` UDM field. Else, the `metrics.tasks.packets_received` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.packets_received_per_s`	`principal.asset.attribute.labels[packets_received_per_s]`
`metrics.tasks.packets_sent`	`network.sent_packets`	If the `index` value is equal to `0`, then the `metrics.tasks.packets_sent` log field is mapped to the `network.sent_packets` UDM field. Else, the `metrics.tasks.packets_sent` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.packets_sent_per_s`	`principal.asset.attribute.labels[packets_sent_per_s]`
`metrics.tasks.pageins`	`principal.asset.attribute.labels[pageins]`
`metrics.tasks.pageins_per_s`	`principal.asset.attribute.labels[pageins_per_s]`
`metrics.tasks.qos_background_ms_per_s`	`principal.asset.attribute.labels[qos_background_ms_per_s]`
`metrics.tasks.qos_background_ns`	`principal.asset.attribute.labels[qos_background_ns]`
`metrics.tasks.qos_default_ms_per_s`	`principal.asset.attribute.labels[qos_default_ms_per_s]`
`metrics.tasks.qos_default_ns`	`principal.asset.attribute.labels[qos_default_ns]`
`metrics.tasks.qos_disabled_ms_per_s`	`principal.asset.attribute.labels[qos_disabled_ms_per_s]`
`metrics.tasks.qos_disabled_ns`	`principal.asset.attribute.labels[qos_disabled_ns]`
`metrics.tasks.qos_maintenance_ms_per_s`	`principal.asset.attribute.labels[qos_maintenance_ms_per_s]`
`metrics.tasks.qos_maintenance_ns`	`principal.asset.attribute.labels[qos_maintenance_ns]`
`metrics.tasks.qos_user_initiated_ms_per_s`	`principal.asset.attribute.labels[qos_user_initiated_ms_per_s]`
`metrics.tasks.qos_user_initiated_ns`	`principal.asset.attribute.labels[qos_user_initiated_ns]`
`metrics.tasks.qos_user_interactive_ms_per_s`	`principal.asset.attribute.labels[qos_user_interactive_ms_per_s]`
`metrics.tasks.qos_user_interactive_ns`	`principal.asset.attribute.labels[qos_user_interactive_ns]`
`metrics.tasks.qos_utility_ms_per_s`	`principal.asset.attribute.labels[qos_utility_ms_per_s]`
`metrics.tasks.qos_utility_ns`	`principal.asset.attribute.labels[qos_utility_ns]`
`metrics.tasks.started_abstime_ns`	`principal.asset.attribute.labels[started_abstime_ns]`
`metrics.tasks.timer_wakeups.wakeups`	`principal.asset.attribute.labels[timer_wakeups]`
`page_info.page`	`about.labels[page_info_page]` (deprecated)
`page_info.page`	`additional.fields[page_info_page]`
`page_info.total`	`about.labels[page_info_total]` (deprecated)
`page_info.total`	`additional.fields[page_info_total]`
`exec_env.env._`	`about.labels[env]` (deprecated)
`exec_env.env._`	`additional.fields[env]`
`exec_env.env.__CF_USER_TEXT_ENCODING`	`about.labels[env__CF_USER_TEXT_ENCODING]` (deprecated)
`exec_env.env.__CF_USER_TEXT_ENCODING`	`additional.fields[env__CF_USER_TEXT_ENCODING]`
`exec_env.env.__CFBundleIdentifier`	`about.labels[env__CFBundleIdentifier]` (deprecated)
`exec_env.env.__CFBundleIdentifier`	`additional.fields[env__CFBundleIdentifier]`
`exec_env.env.ASDF_DIR`	`about.labels[env_ASDF_DIR]` (deprecated)
`exec_env.env.ASDF_DIR`	`additional.fields[env_ASDF_DIR]`
`exec_env.env.HOME`	`about.labels[env_HOME]` (deprecated)
`exec_env.env.HOME`	`additional.fields[env_HOME]`
`exec_env.env.LANG`	`about.labels[env_LANG]` (deprecated)
`exec_env.env.LANG`	`additional.fields[env_LANG]`
`exec_env.env.LC_TERMINAL`	`about.labels[env_LC_TERMINAL]` (deprecated)
`exec_env.env.LC_TERMINAL`	`additional.fields[env_LC_TERMINAL]`
`exec_env.env.LC_TERMINAL_VERSION`	`about.labels[env_LC_TERMINAL_VERSION]` (deprecated)
`exec_env.env.LC_TERMINAL_VERSION`	`additional.fields[env_LC_TERMINAL_VERSION]`
`exec_env.env.MAIL`	`about.labels[env_MAIL]` (deprecated)
`exec_env.env.MAIL`	`additional.fields[env_MAIL]`
`exec_env.env.MallocSpaceEfficient`	`about.labels[env_MallocSpaceEfficient]` (deprecated)
`exec_env.env.MallocSpaceEfficient`	`additional.fields[env_MallocSpaceEfficient]`
`exec_env.env.OLDPWD`	`about.labels[env_OLDPWD]` (deprecated)
`exec_env.env.OLDPWD`	`additional.fields[env_OLDPWD]`
`exec_env.env.PWD`	`about.file.full_path`
`exec_env.env.SHELL`	`about.labels[env_SHELL]` (deprecated)
`exec_env.env.SHELL`	`additional.fields[env_SHELL]`
`exec_env.env.SHLVL`	`about.labels[env_SHLVL]` (deprecated)
`exec_env.env.SHLVL`	`additional.fields[env_SHLVL]`
`exec_env.env.SSH_AUTH_SOCK`	`about.labels[env_SSH_AUTH_SOCK]` (deprecated)
`exec_env.env.SSH_AUTH_SOCK`	`additional.fields[env_SSH_AUTH_SOCK]`
`exec_env.env.SSH_CLIENT`	`about.labels[env_SSH_CLIENT]` (deprecated)
`exec_env.env.SSH_CLIENT`	`additional.fields[env_SSH_CLIENT]`
`exec_env.env.SSH_CONNECTION`	`about.labels[env_SSH_CONNECTION]` (deprecated)
`exec_env.env.SSH_CONNECTION`	`additional.fields[env_SSH_CONNECTION]`
`exec_env.env.SSH_TTY`	`about.labels[env_SSH_TTY]` (deprecated)
`exec_env.env.SSH_TTY`	`additional.fields[env_SSH_TTY]`
`exec_env.env.SUDO_COMMAND`	`about.labels[env_SUDO_COMMAND]` (deprecated)
`exec_env.env.SUDO_COMMAND`	`additional.fields[env_SUDO_COMMAND]`
`exec_env.env.SUDO_GID`	`about.user.group_identifiers`
`exec_env.env.SUDO_UID`	`about.user.userid`
`exec_env.env.SUDO_USER`	`about.user.user_display_name`
`exec_env.env.TERM`	`about.labels[env_TERM]` (deprecated)
`exec_env.env.TERM`	`additional.fields[env_TERM]`
`exec_env.env.LOGNAME`	`about.labels[env_LOGNAME]` (deprecated)
`exec_env.env.LOGNAME`	`additional.fields[env_LOGNAME]`
`exec_env.env.USER`	`about.labels[env_USER]` (deprecated)
`exec_env.env.USER`	`additional.fields[env_USER]`
`exec_env.env.TERM_PROGRAM`	`about.labels[env_TERM_PROGRAM]` (deprecated)
`exec_env.env.TERM_PROGRAM`	`additional.fields[env_TERM_PROGRAM]`
`exec_env.env.TERM_PROGRAM_VERSION`	`about.labels[env_TERM_PROGRAM_VERSION]` (deprecated)
`exec_env.env.TERM_PROGRAM_VERSION`	`additional.fields[env_TERM_PROGRAM_VERSION]`
`exec_env.env.TERM_SESSION_ID`	`about.labels[env_TERM_SESSION_ID]` (deprecated)
`exec_env.env.TERM_SESSION_ID`	`additional.fields[env_TERM_SESSION_ID]`
`exec_env.env.TMPDIR`	`about.labels[env_TMPDIR]` (deprecated)
`exec_env.env.TMPDIR`	`additional.fields[env_TMPDIR]`
`exec_env.env.XPC_FLAGS`	`about.labels[env_XPC_FLAGS]` (deprecated)
`exec_env.env.XPC_FLAGS`	`additional.fields[env_XPC_FLAGS]`
`exec_env.env.XPC_SERVICE_NAME`	`about.labels[env_XPC_SERVICE_NAME]` (deprecated)
`exec_env.env.XPC_SERVICE_NAME`	`additional.fields[env_XPC_SERVICE_NAME]`
	`target.resource.resource_type`	If the `header.event_name` log field value is equal to `AUE_GETAUID`, then the `target.resource.resource_type` UDM field is set to `TASK`. Else, if the `header.event_name` log field value is equal to `AUE_SETPRIORITY or AUE_SETTIMEOFDAY`, then the `target.resource.resource_type` UDM field is set to `SETTING`.
	`extensions.auth.mechanism`	If the `header.event_name` log field value contains one of the following values, then the `mechanism` UDM field is set to `USERNAME_PASSWORD`: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`

¿Qué sigue?

Transferencia de datos a Google Security Operations

¿Necesitas más ayuda? Obtén respuestas de miembros de la comunidad y profesionales de Google SecOps.