Esta página se ha traducido con Cloud Translation API.

Recopilar registros de telemetría de Jamf Protect

Disponible en:

SecOps de Google SIEM

En este documento se describe cómo puede recoger registros de telemetría de Jamf Protect configurando un feed de Google Security Operations y cómo se asignan los campos de registro a los campos del modelo de datos unificado (UDM) de Google Security Operations. En este documento también se indica la versión de telemetría de Jamf Protect compatible.

Para obtener más información, consulta Ingestión de datos en Google Security Operations.

Una implementación típica consta de la telemetría de Jamf Protect y el feed de Google Security Operations configurado para enviar registros a Google Security Operations. Cada implementación de cliente puede ser diferente y más compleja.

La implementación contiene los siguientes componentes:

Telemetría de Jamf Protect. La plataforma de telemetría de Jamf Protect desde la que recoges los registros.
Feed de Google Security Operations. El feed de Google Security Operations que obtiene registros de la telemetría de Jamf Protect y escribe registros en Google Security Operations.
Google Security Operations. Google Security Operations conserva y analiza los registros de la telemetría de Jamf Protect.

Una etiqueta de ingestión identifica el analizador que normaliza los datos de registro sin procesar en formato UDM estructurado. La información de este documento se aplica al analizador con la etiqueta de ingestión JAMF_TELEMETRY.

Antes de empezar

Asegúrate de que cumples los siguientes requisitos previos:

Una configuración de telemetría de Jamf Protect
Jamf Protect 4.0.0 o una versión posterior
Todos los sistemas de la arquitectura de implementación están configurados con la zona horaria UTC.

Configurar feeds desde Configuración de SIEM > Feeds

Puedes usar Amazon S3 V2 o un webhook para configurar un feed de ingestión en Google Security Operations.

Configurar un feed de ingestión en Google SecOps con Amazon S3 V2

Ve a Configuración de SIEM > Feeds.
Haz clic en Añadir feed.
Haga clic en el paquete de feeds JAMF.
Busca el tipo de registro Telemetría de Jamf Protect.
Selecciona Amazon S3 V2 como Tipo de fuente.
Especifique los valores de los siguientes campos:
- URI de S3: el URI del segmento.
  - s3://your-log-bucket-name/
    - Sustituye your-log-bucket-name por el nombre real de tu segmento de S3.
- Opciones de eliminación de la fuente: selecciona la opción de eliminación que prefieras según tus preferencias de ingesta.
- ID de clave de acceso: clave de acceso del usuario con permisos para leer del segmento de S3.
- Antigüedad máxima del archivo: incluye los archivos modificados en los últimos días. El valor predeterminado es 180 días.
- Clave de acceso secreta: clave secreta del usuario con permisos para leer del segmento de S3.
Opciones avanzadas
- Nombre del feed: un valor rellenado automáticamente que identifica el feed.
- Espacio de nombres de recursos: espacio de nombres asociado al feed.
- Etiquetas de ingestión: etiquetas aplicadas a todos los eventos de este feed.
Haga clic en Crear feed.

Configurar un feed de ingesta en Google SecOps mediante un webhook

Ve a Configuración de SIEM > Feeds.
Haz clic en Añadir feed.
Haga clic en el paquete de feeds JAMF.
Busca el tipo de registro Telemetría de Jamf Protect.
En la lista Tipo de fuente, selecciona Webhook.
Especifique los valores de los siguientes campos:
- Delimitador de división: el delimitador que se usa para separar las líneas de registro, como \n.
- Espacio de nombres de recursos: el espacio de nombres de recursos.
- Etiquetas de ingestión: etiqueta que se aplicará a los eventos de este feed.
Haga clic en Crear feed.

Para configurar varios feeds de distintos tipos de registro en esta familia de productos, consulte Configurar feeds por producto.

Crear una clave de API para un feed de webhook

Ve a la Google Cloud consola > Credenciales.

Ir a Credenciales
Haz clic en Crear credenciales y, a continuación, selecciona Clave de API.
Restringe el acceso de la clave de API a la API Google Security Operations.

Configurar la telemetría de Jamf Protect para un feed de webhook

En la aplicación Telemetría de Jamf Protect, vaya a la configuración de la acción relacionada.
Para añadir un nuevo endpoint de datos, haga clic en Crear acciones.
Selecciona HTTP como protocolo.
Introduce la URL HTTPS del endpoint de la API de Google Security Operations en el campo URL. Este es el campo Información del endpoint que has copiado de la configuración del feed de webhook. Ya tiene el formato necesario.
Para habilitar la autenticación, especifica la clave de API y la clave secreta como parte del encabezado personalizado con el siguiente formato:
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
Recomendación: Especifica la clave de API como encabezado en lugar de hacerlo en la URL. Si tu cliente de webhook no admite encabezados personalizados, puedes especificar la clave de API y la clave secreta mediante parámetros de consulta con el siguiente formato:
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```
Haz los cambios siguientes:
- ENDPOINT_URL: URL del endpoint del feed.
- API_KEY: la clave de API para autenticarte en Google Security Operations.
- SECRET: la clave secreta que has generado para autenticar el feed.
En la sección Recoger registros, selecciona Telemetría.
Haz clic en Enviar.

Para obtener más información sobre los feeds de Google Security Operations, consulta la documentación de los feeds de Google Security Operations. Para obtener información sobre los requisitos de cada tipo de feed, consulta el artículo Configuración de feeds por tipo.

Si tienes problemas al crear feeds, ponte en contacto con el equipo de Asistencia de Google Security Operations.

Tipos de registros de telemetría de Jamf Protect admitidos

El analizador de telemetría de Jamf Protect admite los siguientes tipos de registros:

Event Type

AUE_add_to_group
AUE_AUDITCTL
AUE_AUDITON_SPOLICY
AUE_AUTH_USER
AUE_BIND
AUE_BIOS_FIRMWARE_VERSIONS
AUE_CHDIR
AUE_CHROOT
AUE_CONNECT
AUE_create_group
AUE_delete_group
AUE_create_user
AUE_delete_user
AUE_EXECVE
AUE_EXIT
AUE_FORK
AUE_GETAUID
AUE_KILL
AUE_LISTEN
AUE_LOGOUT
AUE_LW_LOGIN
AUE_MAC_SET_PROC
AUE_modify_group
AUE_modify_password
AUE_modify_user
AUE_MOUNT
AUE_openssh
AUE_PIDFORTASK
AUE_POSIX_SPAWN
AUE_REMOVE_FROM_GROUP
AUE_SESSION_CLOSE
AUE_SESSION_END
AUE_SESSION_START
AUE_SESSION_UPDATE
AUE_SETPRIORITY
AUE_SETSOCKOPT
AUE_SETTIMEOFDAY
AUE_SHUTDOWN
AUE_SOCKETPAIR
AUE_SSAUTHINT
AUE_SSAUTHMECH
AUE_SSAUTHORIZE
AUE_TASKFORPID
AUE_TASKNAMEFORPID
AUE_UNMOUNT
AUE_WAIT4
PLAINTEXT_LOG_COLLECTION_EVENT
SYSTEM_PERFORMANCE_METRICS

Formatos de registro de telemetría admitidos de Jamf Protect

El analizador de telemetría de Jamf Protect admite registros en formato JSON.

Registros de ejemplo de telemetría de Jamf Protect admitidos

JSON

{
  "exec_chain": {
    "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E"
  },
  "exec_chain_child": {
    "parent_path": "/sbin/launchd",
    "parent_pid": 1,
    "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02"
  },
  "header": {
    "time_seconds_epoch": 1657906179,
    "time_milliseconds_offset": 848,
    "version": 11,
    "event_modifier": 0,
    "event_id": 45018,
    "event_name": "AUE_add_to_group"
  },
  "host_info": {
    "serial_number": "C03WG0H4HDTS",
    "host_name": "Test_MacBook_Pro",
    "osversion": "Version 12.4 (Build 21F79)",
    "host_uuid": "8891C1E2-0AC0-4E4A-844B-EA491B14D115"
  },
  "identity": {
    "signer_id": "dummy.domain.opendirectoryd",
    "team_id_truncated": false,
    "signer_id_truncated": false,
    "cd_hash": "68d22bdec020f20010bfa9d27cd5f69d78427636",
    "team_id": "",
    "signer_type": 1
  },
  "key": "21E48D3B-4965-4072-81BF-83BE04A329C2",
  "return": {
    "error": 0,
    "description": "success",
    "return_value": 0
  },
  "subject": {
    "session_id": 100003,
    "group_id": 20,
    "process_name": "/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice",
    "parent_pid": 1,
    "effective_user_name": "jamf",
    "user_id": 501,
    "group_name": "staff",
    "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02",
    "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E",
    "effective_group_id": 20,
    "process_hash": "507494616e05a5eb909794354fe69f29e432f2a7",
    "audit_id": 501,
    "responsible_process_id": 1391,
    "parent_path": "/sbin/launchd",
    "process_id": 1701,
    "effective_group_name": "staff",
    "audit_user_name": "jamf",
    "effective_user_id": 501,
    "terminal_id": {
      "type": 4,
      "ip_address": "198.51.100.0",
      "port": 4278
    },
    "responsible_process_name": "/System/Applications/System Preferences.app/Contents/MacOS/System Preferences",
    "user_name": "jamf"
  },
  "texts": [
    "Added Groups membership username to '_lpadmin' node '/Local/Default', value = 'baddie'"
  ]
}

Referencia de asignación de campos

En esta sección se explica cómo asigna el analizador de Google Security Operations los campos de telemetría de Jamf Protect a los campos del modelo de datos unificado (UDM) de Google Security Operations.

Referencia de asignación de campos: identificador de evento a tipo de evento

En la siguiente tabla se enumeran los JAMF_TELEMETRY tipos de registros y sus tipos de eventos de UDM correspondientes.

Event Identifier	Event Type
`AUE_add_to_group`	`GROUP_MODIFICATION`
`AUE_AUDITCTL`	`RESOURCE_READ`
`AUE_AUDITON_SPOLICY`	`RESOURCE_READ`
`AUE_AUTH_USER`	`USER_LOGIN`
`AUE_BIND`	`NETWORK_CONNECTION`
`AUE_BIOS_FIRMWARE_VERSIONS`	`USER_RESOURCE_ACCESS`
`AUE_CHDIR`	`USER_RESOURCE_ACCESS`
`AUE_CHROOT`	`USER_RESOURCE_ACCESS`
`AUE_CONNECT`	`NETWORK_CONNECTION`
`AUE_create_group`	`GROUP_CREATION`
`AUE_delete_group`	`GROUP_DELETION`
`AUE_create_user`	`USER_CREATION`
`AUE_delete_user`	`USER_DELETION`
`AUE_EXECVE`	`PROCESS_LAUNCH`
`AUE_EXIT`	`PROCESS_TERMINATION`
`AUE_FORK`	`PROCESS_LAUNCH`
`AUE_GETAUID`	`SCHEDULED_TASK_CREATION`
`AUE_KILL`	`PROCESS_TERMINATION`
`AUE_LISTEN`	`NETWORK_CONNECTION`
`AUE_LOGOUT`	`USER_LOGOUT`
`AUE_LW_LOGIN`	`USER_LOGIN`
`AUE_MAC_SET_PROC`	`PROCESS_UNCATEGORIZED`
`AUE_modify_group`	`GROUP_MODIFICATION`
`AUE_modify_password`	`USER_CHANGE_PASSWORD`
`AUE_modify_user`	`USER_UNCATEGORIZED`
`AUE_MOUNT`	`RESOURCE_READ`
`AUE_openssh`	`USER_LOGIN`
`AUE_PIDFORTASK`	`PROCESS_LAUNCH`
`AUE_POSIX_SPAWN`	`PROCESS_LAUNCH`
`AUE_REMOVE_FROM_GROUP`	`GROUP_MODIFICATION`
`AUE_SESSION_CLOSE`	`USER_LOGOUT`
`AUE_SESSION_END`	`USER_LOGOUT`
`AUE_SESSION_START`	`USER_LOGIN`
`AUE_SESSION_UPDATE`	`USER_UNCATEGORIZED`
`AUE_SETPRIORITY`	`SETTING_MODIFICATION`
`AUE_SETSOCKOPT`	`NETWORK_CONNECTION`
`AUE_SETTIMEOFDAY`	`SETTING_MODIFICATION`
`AUE_SHUTDOWN`	`STATUS_SHUTDOWN`
`AUE_SOCKETPAIR`	`NETWORK_CONNECTION`
`AUE_SSAUTHINT`	`USER_LOGIN`
`AUE_SSAUTHMECH`	`USER_LOGIN`
`AUE_SSAUTHORIZE`	`USER_LOGIN`
`AUE_TASKFORPID`	`PROCESS_INJECTION`
`AUE_TASKNAMEFORPID`	`PROCESS_INJECTION`
`AUE_UNMOUNT`	`RESOURCE_READ`
`AUE_WAIT4`	`PROCESS_UNCATEGORIZED`
`PLAINTEXT_LOG_COLLECTION_EVENT`	`GENERIC_EVENT`

`SYSTEM_PERFORMANCE_METRICS`	`GENERIC_EVENT`

Referencia de asignación de campos: JAMF_TELEMETRY

En la siguiente tabla se enumeran los campos de registro del tipo de registro JAMF_TELEMETRY y sus campos de UDM correspondientes.

Log field	UDM mapping	Logic
	`metadata.event_type`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `JAMF_TELEMETRY`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `JAMF`.
`header.time_seconds_epoch`	`metadata.event_timestamp`
`header.time_milliseconds_offset`	`about.labels[time_milliseconds_offset]` (deprecated)
`header.time_milliseconds_offset`	`additional.fields[time_milliseconds_offset]`
`header.version`	`about.labels[header_version]` (deprecated)
`header.version`	`additional.fields[header_version]`
`header.event_modifier`	`about.labels[event_modifier]` (deprecated)
`header.event_modifier`	`additional.fields[event_modifier]`
`header.event_uuid`	`metadata.product_log_id`
`header.event_name,header.event_id`	`metadata.product_event_type`	If the `header.event_name` and `header.event_id` log field values are not empty, then the `header.event_name-header.event_id` log fields are mapped to the `metadata.product_event_type` UDM field. Else, if the `header.event_name` log field value is not empty, then the `header.event_name` log field is mapped to the `metadata.product_event_type` UDM field. Else, if the `header.event_id` log field value is not empty, then the `header.event_id` log field is mapped to the `metadata.product_event_type` UDM field.
`exec_chain.thread_uuid`	`principal.labels[exec_chain_thread_uuid]` (deprecated)
`exec_chain.thread_uuid`	`additional.fields[exec_chain_thread_uuid]`
`exec_chain.uuid`	`principal.labels[exec_chain_uuid]` (deprecated)
`exec_chain.uuid`	`additional.fields[exec_chain_uuid]`
`exec_chain_child.parent_path`	`principal.process.parent_process.file.full_path`
`exec_chain_child.parent_pid`	`principal.process.parent_process.pid`
`exec_chain_child.parent_uuidsubject.parent` (deprecated)	`principal.labels[exec_chain_child_parent_uuid]`
`exec_chain_child.parent_uuid`	`additional.fields[exec_chain_child_parent_uuid]`
`host_info.serial_number`	`principal.asset.hardware.serial_number`
`host_info.host_name`	`principal.hostname`
`host_info.osversion`	`principal.asset.software.version`
`host_info.host_uuid`	`principal.asset.product_object_id`
`host_info.primary_mac_address`	`principal.asset.mac`
`identity.signer_id`	`principal.labels[identity_signer_id]` (deprecated)
`identity.signer_id`	`additional.fields[identity_signer_id]`
`identity.team_id_truncated`	`principal.labels[identity_team_id_truncated]` (deprecated)
`identity.team_id_truncated`	`additional.fields[identity_team_id_truncated]`
`identity.signer_id_truncated`	`principal.labels[identity_signer_id_truncated]` (deprecated)
`identity.signer_id_truncated`	`additional.fields[identity_signer_id_truncated]`
`identity.cd_hash`	`principal.labels[identity_cd_hash]` (deprecated)
`identity.cd_hash`	`additional.fields[identity_cd_hash]`
`identity.team_id`	`principal.labels[team_id]` (deprecated)
`identity.team_id`	`additional.fields[team_id]`
`identity.signer_type`	`principal.labels[signer_type]` (deprecated)
`identity.signer_type`	`additional.fields[signer_type]`
`key`	`about.labels[key]` (deprecated)
`key`	`additional.fields[key]`
`return.error,return.description`	`security_result.description`	If the `return.error` and `return.description` log field values are not empty, then the `return.error-return.description` log fields are mapped to the `security_result.description` UDM field. Else, if the `return.error` log field value is not empty, then the `return.error` log field is mapped to the `security_result.description` UDM field. Else, if the `return.description` log field value is not empty, then the `return.description` log field is mapped to the `security_result.description` UDM field.
`return.return_value`	`security_result.detection_fields`
`subject.session_id`	`network.session_id`
`subject.group_id`	`principal.user.group_identifiers`	If the `header.event_name` log field value contains one of the following values, then the `subject.group_id` log field is mapped to the `target.user.group_identifiers` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.group_id` log field is mapped to the `principal.user.group_identifiers` UDM field.
`subject.effective_group_id`	`target.user.group_identifiers`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_group_id` log field is mapped to the `target.user.group_identifiers` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.group_name`	`principal.group.group_display_name`	If the `header.event_name` log field value contains one of the following values, then the `subject.group_name` log field is mapped to the `target.group.group_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.group_name` log field is mapped to the `principal.group.group_display_name` UDM field.
`subject.effective_group_name`	`target.group.group_display_name`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_group_name` log field is mapped to the `target.group.group_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.user_name`	`principal.user.user_display_name`	If the `header.event_name` log field value contains one of the following values, then the `subject.user_name` log field is mapped to the `target.user.user_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.user_name` log field is mapped to the `principal.user.user_display_name` UDM field.
`subject.effective_user_name`	`target.user.user_display_name`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_user_name` log field is mapped to the `target.user.user_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.user_id`	`principal.user.userid`	If the `header.event_name` log field value contains one of the following values, then the `subject.user_id` log field is mapped to the `target.user.userid` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.user_id` log field is mapped to the `principal.user.userid` UDM field.
`subject.effective_user_id`	`target.user.userid`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_user_id` log field is mapped to the `target.user.userid` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.audit_id`	`principal.labels[audit_id]` (deprecated)
`subject.audit_id`	`additional.fields[audit_id]`
`subject.responsible_process_id,metrics.tasks.pid`	`principal.process.pid`	If the `header.event_name` log field value is equal to `SYSTEM_PERFORMANCE_METRICS`, then the `metrics.tasks.pid` log field is mapped to the `principal.process.pid` UDM field. Else, the `subject.responsible_process_id` log field is mapped to the `principal.process.pid` UDM field.
`subject.process_id`	`principal.process_ancestors.pid`	If the `subject.responsible_process_id` log field value is not empty, then the `subject.process_id` log field is mapped to the `principal.process_ancestors.pid` UDM field. Else, the `subject.process_id` log field is mapped to the `principal.process.pid` UDM field.
`subject.audit_user_name`	`principal.labels[audit_user_name]` (deprecated)
`subject.audit_user_name`	`additional.fields[audit_user_name]`
`subject.process_name`	`principal.process_ancestors.file.full_path`	If the `subject.responsible_process_name` log field value is not empty, then the `subject.process_name` log field is mapped to the `principal.process_ancestors.file.full_path` UDM field. Else, the `subject.process_name` log field is mapped to the `principal.process.file.full_path` UDM field.
`subject.responsible_process_name`	`principal.process.file.full_path`
`subject.process_hash`	`principal.process.file.sha1`
`subject.terminal_id.type`	`principal.labels[type]` (deprecated)	If the `subject.terminal_id.type` log field value is equal to `4`, then the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `principal.labels.value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `principal.labels.value` UDM field is set to `6-IPv6`. Else, the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `subject.terminal_id.type` log field is mapped to the `principal.labels.value` UDM field.
`subject.terminal_id.type`	`additional.fields[type]`	If the `subject.terminal_id.type` log field value is equal to `4`, then the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `6-IPv6`. Else, the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `subject.terminal_id.type` log field is mapped to the `additional.fields.value.string_value` UDM field.
`subject.terminal_id.ip_address`	`principal.ip`
`subject.terminal_id.port`	`principal.port`
`texts`	`metadata.description`	If the `index` value is equal to `0`, then the `texts` log field is mapped to the `metadata.description` UDM field. Else, the `texts` log field is mapped to the `about.labels.value` UDM field.
`attributes.device`	`principal.asset.attribute.labels[device]`
`attributes.owner_group_name`	`about.group.group_display_name`
`attributes.owner_group_id`	`about.user.group_identifiers`
`attributes.owner_user_id`	`about.user.userid`
`attributes.owner_user_name`	`about.user.user_display_name`
`attributes.file_system_id`	`principal.labels[attributes_file_system_id]` (deprecated)
`attributes.file_system_id`	`additional.fields[attributes_file_system_id]`
`attributes.file_access_mode`	`principal.labels[attributes_file_access_mode]` (deprecated)
`attributes.file_access_mode`	`additional.fields[attributes_file_access_mode]`
`attributes.node_id`	`principal.asset.asset_id`
`path`	`about.labels[path]`
`arguments.cmd`	`principal.labels[arguments_cmd]` (deprecated)
`arguments.cmd`	`additional.fields[arguments_cmd]`
`arguments.policy`	`principal.labels[arguments_policy]` (deprecated)
`arguments.policy`	`additional.fields[arguments_policy]`
`arguments.length`	`principal.labels[arguments_length]` (deprecated)
`arguments.length`	`additional.fields[arguments_length]`
`_event_score`	`security_result.severity_details`
`architecture`	`principal.asset.hardware.cpu_model`
`arguments.addr`	`principal.labels[arguments_addr]` (deprecated)
`arguments.addr`	`additional.fields[arguments_addr]`
`arguments.am_failure`	`principal.labels[arguments_am_failure]` (deprecated)
`arguments.am_failure`	`additional.fields[arguments_am_failure]`
`arguments.am_success`	`principal.labels[arguments_am_success]` (deprecated)
`arguments.am_success`	`additional.fields[arguments_am_success]`
`arguments.authenticated_as_test`	`principal.labels[arguments_authenticated_as_test]` (deprecated)
`arguments.authenticated_as_test`	`additional.fields[arguments_authenticated_as_test]`
`arguments.child_PID`	`principal.labels[arguments_child_PID]` (deprecated)
`arguments.child_PID`	`additional.fields[arguments_child_PID]`
`arguments.data`	`principal.labels[arguments_data]` (deprecated)
`arguments.data`	`additional.fields[arguments_data]`
`arguments.domain`	`principal.labels[arguments_domain]` (deprecated)
`arguments.domain`	`additional.fields[arguments_domain]`
`arguments.fd`	`principal.labels[arguments_fd]` (deprecated)
`arguments.fd`	`additional.fields[arguments_fd]`
`arguments.flags`	`principal.labels[arguments_flags]` (deprecated)
`arguments.flags`	`additional.fields[arguments_flags]`
`arguments.authenticated_as_allen.golbig`	`principal.labels[authenticated_as_allen_golbig]` (deprecated)
`arguments.authenticated_as_allen.golbig`	`additional.fields[authenticated_as_allen_golbig]`
`arguments.known_UID_`	`principal.labels[argument_known_uid]` (deprecated)
`arguments.known_UID_`	`additional.fields[argument_known_uid]`
`arguments.pid`	`principal.labels[arguments_pid]` (deprecated)
`arguments.pid`	`additional.fields[arguments_pid]`
`arguments.port`	`principal.labels[arguments_port]` (deprecated)
`arguments.port`	`additional.fields[arguments_port]`
`arguments.priority`	`security_result.priority_details`
`arguments.process`	`principal.labels[argument_process]` (deprecated)
`arguments.process`	`additional.fields[argument_process]`
`arguments.protocol`	`principal.labels[argument_protocol]` (deprecated)
`arguments.protocol`	`additional.fields[argument_protocol]`
`arguments.request`	`principal.labels[argument_request]` (deprecated)
`arguments.request`	`additional.fields[argument_request]`
`arguments.sflags`	`principal.labels[arguments_sflags]` (deprecated)
`arguments.sflags`	`additional.fields[arguments_sflags]`
`arguments.signal`	`principal.labels[argument_signal]` (deprecated)
`arguments.signal`	`additional.fields[argument_signal]`
`arguments.target_port,process.terminal_id.port,socket_inet.port`	`target.port`	If the `header.event_name` log field value is equal to `AUE_KILL` or `AUE_TASKFORPID`, then the `process.port` log field is mapped to the `target.port` UDM field. Else, if the `header.event_name` log field value is equal to `AUE_BIND` or `AUE_CONNECT`, then the `socket_inet.port` log field is mapped to the `target.port` UDM field. Else, the `agument.target_port` log field is mapped to the `target.port` UDM field.
`arguments.task_port`	`principal.labels[task_port]` (deprecated)
`arguments.task_port`	`additional.fields[task_port]`
`arguments.type`	`principal.labels[argument_type]` (deprecated)
`arguments.type`	`additional.fields[argument_type]`
`arguments.which`	`principal.labels[which]` (deprecated)
`arguments.which`	`additional.fields[which]`
`arguments.who`	`principal.labels[who]` (deprecated)
`arguments.who`	`additional.fields[who]`
`bios_firmware_versions.booter-version`	`principal.asset.attribute.labels[booter_version]`
`bios_firmware_versions.firmware-features`	`principal.asset.attribute.labels[firmware_features]`
`bios_firmware_versions.firmware-version`	`principal.asset.attribute.labels[firmware_version]`
`bios_firmware_versions.release-date`	`principal.asset.attribute.labels[release_date]`
`bios_firmware_versions.rom-size`	`principal.asset.attribute.labels[rom_size]`
`bios_firmware_versions.system-firmware-version`	`principal.asset.attribute.labels[system_firmware_version]`
`bios_firmware_versions.vendor`	`principal.asset.attribute.labels[vendor]`
`bios_firmware_versions.version`	`principal.asset.attribute.labels[version]`
`exec_args.args_compiled`	`principal.process.command_line`
`exec_chain_parent.uuid`	`principal.labels[parent_uuid]` (deprecated)
`exec_chain_parent.uuid`	`additional.fields[parent_uuid]`
`exec_env.env_compiled`	`about.labels[env_compiled]` (deprecated)
`exec_env.env_compiled`	`additional.fields[env_compiled]`
`exec_env.env.PATH`	`about.labels[env_path]` (deprecated)
`exec_env.env.PATH`	`additional.fields[env_path]`
`exit.return_value`	`principal.labels[return_value]` (deprecated)
`exit.return_value`	`additional.fields[return_value]`
`exit.status`	`principal.labels[exit_status]` (deprecated)
`exit.status`	`additional.fields[exit_status]`
`process.audit_id`	`about.labels[process_audit_id]` (deprecated)
`process.audit_id`	`additional.fields[process_audit_id]`
`process.audit_user_name`	`about.labels[audit_user_name]` (deprecated)
`process.audit_user_name`	`additional.fields[audit_user_name]`
`process.group_idprocess.effective_group_id`	`about.user.group_identifiers`
`process.group_name`	`about.group.group_display_name`
`process.process_hash`	`target.process.file.sha1`
`process.process_id`	`target.process.pid`
`process.process_name`	`target.process.file.full_path`
`process.session_id`	`target.labels[process_session_id]` (deprecated)
`process.session_id`	`additional.fields[process_session_id]`
`process.terminal_id.addr`	`target.labels[addr]`
`process.terminal_id.ip_address`	`target.ip`
`process.terminal_id.type`	`target.labels[process_terminal_id_type]` (deprecated)	If the `process.terminal_id.type` log field value is equal to `4`, then the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `target.labels.value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `target.labels.value` UDM field is set to `6-IPv6`. Else, the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `process.terminal_id.type` log field is mapped to the `target.labels.value` UDM field.
`process.terminal_id.type`	`additional.fields[process_terminal_id_type]`	If the `process.terminal_id.type` log field value is equal to `4`, then the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `6-IPv6`. Else, the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `process.terminal_id.type` log field is mapped to the `additional.fields.value.string_value` UDM field.
`process.user_id`	`about.user.userid`
`process.user_name`	`about.user.user_display_name`
`rateLimitingSeconds`	`about.labels[rate_limiting_seconds]` (deprecated)
`rateLimitingSeconds`	`additional.fields[rate_limiting_seconds]`
`socket_inet.family`	`target.labels[socket_inet_family]` (deprecated)
`socket_inet.family`	`additional.fields[socket_inet_family]`
`socket_inet.id`	`target.labels[socket_inet_id]` (deprecated)	If the `socket_inet.id` log field value is equal to `128`, then the `target.labels.key` UDM field is set to `socket_inet_id` and the `target.labels.value` UDM field is set to `128-IPv4`. Else, if the `socket_inet.id` log field value is equal to `129`, then the `target.labels.key` UDM field is set to `socket_inet_id` and the `target.labels.value` UDM field is set to `129-IPv6`. Else, the `target.labels.key` UDM field is set to `socket_inet_id` and the `socket_inet.ip` log field is mapped to the `target.labels.value` UDM field.
`socket_inet.id`	`additional.fields[socket_inet_id]`	If the `socket_inet.id` log field value is equal to `128`, then the `additional.fields.key` UDM field is set to `socket_inet_id` and the `additional.fields.value.string_value` UDM field is set to `128-IPv4`. Else, if the `socket_inet.id` log field value is equal to `129`, then the `additional.fields.key` UDM field is set to `socket_inet_id` and the `additional.fields.value.string_value` UDM field is set to `129-IPv6`. Else, the `additional.fields.key` UDM field is set to `socket_inet_id` and the `socket_inet.ip` log field is mapped to the `additional.fields.value.string_value` UDM field.
`socket_inet.ip_address`	`target.ip`
`socket_unix.family`	`target.labels[socket_unix_family]` (deprecated)
`socket_unix.family`	`additional.fields[socket_unix_family]`
`socket_unix.path`	`target.file.full_path`
`subject.terminal_id.addr`	`target.labels[addr]`
`metrics.hw_model`	`principal.asset.hardware.model`
`metrics.tasks.bytes_received`	`network.received_bytes`	If the `index` value is equal to `0`, then the `metrics.tasks.bytes_received` log field is mapped to the `network.received_bytes` UDM field. Else, the `metrics.tasks.bytes_received` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.bytes_received_per_s`	`principal.asset.attribute.labels[bytes_received_per_s]`
`metrics.tasks.bytes_sent`	`network.sent_bytes`	If the `index` value is equal to `0`, then the `metrics.tasks.bytes_sent` log field is mapped to the `network.sent_bytes` UDM field. Else, the `metrics.tasks.bytes_sent` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.bytes_sent_per_s`	`principal.asset.attribute.labels[bytes_sent_per_s]`
`metrics.tasks.cputime_ms_per_s`	`principal.asset.attribute.labels[cputime_ms_per_s]`
`metrics.tasks.cputime_ns`	`principal.asset.attribute.labels[cputime_ns]`
`metrics.tasks.cputime_sample_ms_per_s`	`principal.asset.attribute.labels[cputime_sample_ms_per_s]`
`metrics.tasks.cputime_userland_ratio`	`principal.asset.attribute.labels[cputime_userland_ratio]`
`metrics.tasks.diskio_bytesread`	`principal.asset.attribute.labels[diskio_bytesread]`
`metrics.tasks.diskio_bytesread_per_s`	`principal.asset.attribute.labels[diskio_bytesread_per_s]`
`metrics.tasks.diskio_byteswritten`	`principal.asset.attribute.labels[diskio_byteswritten]`
`metrics.tasks.diskio_byteswritten_per_s`	`principal.asset.attribute.labels[diskio_byteswritten_per_s]`
`metrics.tasks.energy_impact`	`principal.asset.attribute.labels[energy_impact]`
`metrics.tasks.energy_impact_per_s`	`principal.asset.attribute.labels[energy_impact_per_s]`
`metrics.tasks.idle_wakeups`	`principal.asset.attribute.labels[idle_wakeups]`
`metrics.tasks.interval_ns`	`principal.asset.attribute.labels[interval_ns]`
`metrics.tasks.intr_wakeups_per_s`	`principal.asset.attribute.labels[intr_wakeups_per_s]`
`metrics.tasks.name`	`principal.asset.attribute.labels[name]`
`metrics.tasks.packets_received`	`network.received_packets`	If the `index` value is equal to `0`, then the `metrics.tasks.packets_received` log field is mapped to the `network.received_packets` UDM field. Else, the `metrics.tasks.packets_received` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.packets_received_per_s`	`principal.asset.attribute.labels[packets_received_per_s]`
`metrics.tasks.packets_sent`	`network.sent_packets`	If the `index` value is equal to `0`, then the `metrics.tasks.packets_sent` log field is mapped to the `network.sent_packets` UDM field. Else, the `metrics.tasks.packets_sent` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.packets_sent_per_s`	`principal.asset.attribute.labels[packets_sent_per_s]`
`metrics.tasks.pageins`	`principal.asset.attribute.labels[pageins]`
`metrics.tasks.pageins_per_s`	`principal.asset.attribute.labels[pageins_per_s]`
`metrics.tasks.qos_background_ms_per_s`	`principal.asset.attribute.labels[qos_background_ms_per_s]`
`metrics.tasks.qos_background_ns`	`principal.asset.attribute.labels[qos_background_ns]`
`metrics.tasks.qos_default_ms_per_s`	`principal.asset.attribute.labels[qos_default_ms_per_s]`
`metrics.tasks.qos_default_ns`	`principal.asset.attribute.labels[qos_default_ns]`
`metrics.tasks.qos_disabled_ms_per_s`	`principal.asset.attribute.labels[qos_disabled_ms_per_s]`
`metrics.tasks.qos_disabled_ns`	`principal.asset.attribute.labels[qos_disabled_ns]`
`metrics.tasks.qos_maintenance_ms_per_s`	`principal.asset.attribute.labels[qos_maintenance_ms_per_s]`
`metrics.tasks.qos_maintenance_ns`	`principal.asset.attribute.labels[qos_maintenance_ns]`
`metrics.tasks.qos_user_initiated_ms_per_s`	`principal.asset.attribute.labels[qos_user_initiated_ms_per_s]`
`metrics.tasks.qos_user_initiated_ns`	`principal.asset.attribute.labels[qos_user_initiated_ns]`
`metrics.tasks.qos_user_interactive_ms_per_s`	`principal.asset.attribute.labels[qos_user_interactive_ms_per_s]`
`metrics.tasks.qos_user_interactive_ns`	`principal.asset.attribute.labels[qos_user_interactive_ns]`
`metrics.tasks.qos_utility_ms_per_s`	`principal.asset.attribute.labels[qos_utility_ms_per_s]`
`metrics.tasks.qos_utility_ns`	`principal.asset.attribute.labels[qos_utility_ns]`
`metrics.tasks.started_abstime_ns`	`principal.asset.attribute.labels[started_abstime_ns]`
`metrics.tasks.timer_wakeups.wakeups`	`principal.asset.attribute.labels[timer_wakeups]`
`page_info.page`	`about.labels[page_info_page]` (deprecated)
`page_info.page`	`additional.fields[page_info_page]`
`page_info.total`	`about.labels[page_info_total]` (deprecated)
`page_info.total`	`additional.fields[page_info_total]`
`exec_env.env._`	`about.labels[env]` (deprecated)
`exec_env.env._`	`additional.fields[env]`
`exec_env.env.__CF_USER_TEXT_ENCODING`	`about.labels[env__CF_USER_TEXT_ENCODING]` (deprecated)
`exec_env.env.__CF_USER_TEXT_ENCODING`	`additional.fields[env__CF_USER_TEXT_ENCODING]`
`exec_env.env.__CFBundleIdentifier`	`about.labels[env__CFBundleIdentifier]` (deprecated)
`exec_env.env.__CFBundleIdentifier`	`additional.fields[env__CFBundleIdentifier]`
`exec_env.env.ASDF_DIR`	`about.labels[env_ASDF_DIR]` (deprecated)
`exec_env.env.ASDF_DIR`	`additional.fields[env_ASDF_DIR]`
`exec_env.env.HOME`	`about.labels[env_HOME]` (deprecated)
`exec_env.env.HOME`	`additional.fields[env_HOME]`
`exec_env.env.LANG`	`about.labels[env_LANG]` (deprecated)
`exec_env.env.LANG`	`additional.fields[env_LANG]`
`exec_env.env.LC_TERMINAL`	`about.labels[env_LC_TERMINAL]` (deprecated)
`exec_env.env.LC_TERMINAL`	`additional.fields[env_LC_TERMINAL]`
`exec_env.env.LC_TERMINAL_VERSION`	`about.labels[env_LC_TERMINAL_VERSION]` (deprecated)
`exec_env.env.LC_TERMINAL_VERSION`	`additional.fields[env_LC_TERMINAL_VERSION]`
`exec_env.env.MAIL`	`about.labels[env_MAIL]` (deprecated)
`exec_env.env.MAIL`	`additional.fields[env_MAIL]`
`exec_env.env.MallocSpaceEfficient`	`about.labels[env_MallocSpaceEfficient]` (deprecated)
`exec_env.env.MallocSpaceEfficient`	`additional.fields[env_MallocSpaceEfficient]`
`exec_env.env.OLDPWD`	`about.labels[env_OLDPWD]` (deprecated)
`exec_env.env.OLDPWD`	`additional.fields[env_OLDPWD]`
`exec_env.env.PWD`	`about.file.full_path`
`exec_env.env.SHELL`	`about.labels[env_SHELL]` (deprecated)
`exec_env.env.SHELL`	`additional.fields[env_SHELL]`
`exec_env.env.SHLVL`	`about.labels[env_SHLVL]` (deprecated)
`exec_env.env.SHLVL`	`additional.fields[env_SHLVL]`
`exec_env.env.SSH_AUTH_SOCK`	`about.labels[env_SSH_AUTH_SOCK]` (deprecated)
`exec_env.env.SSH_AUTH_SOCK`	`additional.fields[env_SSH_AUTH_SOCK]`
`exec_env.env.SSH_CLIENT`	`about.labels[env_SSH_CLIENT]` (deprecated)
`exec_env.env.SSH_CLIENT`	`additional.fields[env_SSH_CLIENT]`
`exec_env.env.SSH_CONNECTION`	`about.labels[env_SSH_CONNECTION]` (deprecated)
`exec_env.env.SSH_CONNECTION`	`additional.fields[env_SSH_CONNECTION]`
`exec_env.env.SSH_TTY`	`about.labels[env_SSH_TTY]` (deprecated)
`exec_env.env.SSH_TTY`	`additional.fields[env_SSH_TTY]`
`exec_env.env.SUDO_COMMAND`	`about.labels[env_SUDO_COMMAND]` (deprecated)
`exec_env.env.SUDO_COMMAND`	`additional.fields[env_SUDO_COMMAND]`
`exec_env.env.SUDO_GID`	`about.user.group_identifiers`
`exec_env.env.SUDO_UID`	`about.user.userid`
`exec_env.env.SUDO_USER`	`about.user.user_display_name`
`exec_env.env.TERM`	`about.labels[env_TERM]` (deprecated)
`exec_env.env.TERM`	`additional.fields[env_TERM]`
`exec_env.env.LOGNAME`	`about.labels[env_LOGNAME]` (deprecated)
`exec_env.env.LOGNAME`	`additional.fields[env_LOGNAME]`
`exec_env.env.USER`	`about.labels[env_USER]` (deprecated)
`exec_env.env.USER`	`additional.fields[env_USER]`
`exec_env.env.TERM_PROGRAM`	`about.labels[env_TERM_PROGRAM]` (deprecated)
`exec_env.env.TERM_PROGRAM`	`additional.fields[env_TERM_PROGRAM]`
`exec_env.env.TERM_PROGRAM_VERSION`	`about.labels[env_TERM_PROGRAM_VERSION]` (deprecated)
`exec_env.env.TERM_PROGRAM_VERSION`	`additional.fields[env_TERM_PROGRAM_VERSION]`
`exec_env.env.TERM_SESSION_ID`	`about.labels[env_TERM_SESSION_ID]` (deprecated)
`exec_env.env.TERM_SESSION_ID`	`additional.fields[env_TERM_SESSION_ID]`
`exec_env.env.TMPDIR`	`about.labels[env_TMPDIR]` (deprecated)
`exec_env.env.TMPDIR`	`additional.fields[env_TMPDIR]`
`exec_env.env.XPC_FLAGS`	`about.labels[env_XPC_FLAGS]` (deprecated)
`exec_env.env.XPC_FLAGS`	`additional.fields[env_XPC_FLAGS]`
`exec_env.env.XPC_SERVICE_NAME`	`about.labels[env_XPC_SERVICE_NAME]` (deprecated)
`exec_env.env.XPC_SERVICE_NAME`	`additional.fields[env_XPC_SERVICE_NAME]`
	`target.resource.resource_type`	If the `header.event_name` log field value is equal to `AUE_GETAUID`, then the `target.resource.resource_type` UDM field is set to `TASK`. Else, if the `header.event_name` log field value is equal to `AUE_SETPRIORITY or AUE_SETTIMEOFDAY`, then the `target.resource.resource_type` UDM field is set to `SETTING`.
	`extensions.auth.mechanism`	If the `header.event_name` log field value contains one of the following values, then the `mechanism` UDM field is set to `USERNAME_PASSWORD`: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`

Siguientes pasos

Ingestión de datos en Google Security Operations

¿Necesitas más ayuda? Recibe respuestas de los miembros de la comunidad y de los profesionales de Google SecOps.