Questa pagina è stata tradotta dall'API Cloud Translation.

Raccogliere i log di telemetria di Jamf Protect

Supportato in:

Google secops SIEM

Questo documento descrive come raccogliere i log di telemetria di Jamf Protect configurando un feed di Google Security Operations e come i campi dei log vengono mappati ai campi del modello unificato dei dati (UDM) di Google Security Operations. Questo documento elenca anche la versione di Jamf Protect Telemetry supportata.

Per ulteriori informazioni, consulta Importazione dei dati in Google Security Operations.

Un deployment tipico è costituito dalla telemetria di Jamf Protect e dal feed di Google Security Operations configurato per inviare i log a Google Security Operations. Ogni implementazione del cliente può variare ed essere più complessa.

Il deployment contiene i seguenti componenti:

Jamf Protect Telemetry. La piattaforma di telemetria Jamf Protect da cui raccogli i log.
Feed Google Security Operations. Il feed Google Security Operations che recupera i log dalla telemetria di Jamf Protect e li scrive in Google Security Operations.
Google Security Operations. Google Security Operations conserva e analizza i log della telemetria di Jamf Protect.

Un'etichetta di importazione identifica il parser che normalizza i dati dei log non elaborati in formato UDM strutturato. Le informazioni contenute in questo documento si applicano al parser con l'etichetta di importazione JAMF_TELEMETRY.

Prima di iniziare

Assicurati di soddisfare i seguenti prerequisiti:

Una configurazione di Jamf Protect Telemetry
Jamf Protect versione 4.0.0 o successive
Tutti i sistemi nell'architettura di deployment sono configurati con il fuso orario UTC.

Configurare i feed

Esistono due diversi punti di accesso per configurare i feed nella piattaforma Google SecOps:

Impostazioni SIEM > Feed
Hub dei contenuti > Pacchetti di contenuti

Configurare i feed da Impostazioni SIEM > Feed

Puoi utilizzare Amazon S3 o un webhook per configurare un feed di importazione in Google Security Operations, ma ti consigliamo di utilizzare Amazon S3.

Configurare un feed di importazione in Google SecOps utilizzando Amazon S3

Per configurare più feed per diversi tipi di log all'interno di questa famiglia di prodotti, consulta Configurare i feed per prodotto.

Per configurare un singolo feed:

Vai a Impostazioni SIEM > Feed.
Fai clic su Aggiungi nuovo feed.
Nella pagina successiva, fai clic su Configura un singolo feed.
Nel campo Nome feed, inserisci un nome per il feed, ad esempio Log di telemetria Jamf.
Seleziona Amazon S3 come Tipo di origine.
Per creare un feed per Jamf Protect Telemetry, seleziona Jamf Protect Telemetry come Tipo di log.
Fai clic su Avanti.
Salva il feed, quindi fai clic su Invia.
Copia l'ID feed dal nome del feed da utilizzare in Jamf Protect Telemetry.

Configura un feed di importazione in Google SecOps utilizzando un webhook

Solo per i clienti unificati di Google Security Operations:
Per configurare più feed per diversi tipi di log all'interno di questa famiglia di prodotti, consulta Configurare più feed.

Per tutti i clienti:
Per configurare un singolo feed:

Vai a Impostazioni SIEM > Feed.
Fai clic su Aggiungi nuovo feed.
Nella pagina successiva, fai clic su Configura un singolo feed. Ignora questo passaggio se utilizzi la piattaforma autonoma Google SecOps SIEM.
Nel campo Nome feed, inserisci un nome per il feed, ad esempio Log di telemetria Jamf.
Nell'elenco Tipo di origine, seleziona Webhook.
Per creare un feed per Jamf Protect Telemetry, seleziona Jamf Protect Telemetry come Tipo di log.
Fai clic su Avanti.
(Facoltativo) Specifica i valori per i seguenti parametri di input:
- Delimitatore di suddivisione: il delimitatore utilizzato per separare le righe di log, ad esempio \n.
- Spazio dei nomi dell'asset: lo spazio dei nomi dell'asset.
- Etichette di importazione: l'etichetta da applicare agli eventi di questo feed.
Fai clic su Avanti.
Controlla la nuova configurazione del feed nella schermata Finalizza e poi fai clic su Invia.
Fai clic su Genera chiave segreta per generare una chiave segreta per autenticare questo feed.
Copia e memorizza la chiave segreta. Non puoi visualizzare di nuovo questa chiave segreta. Se necessario, puoi rigenerare una nuova chiave segreta, ma questa azione rende obsoleta la chiave segreta precedente.
Nella scheda Dettagli, copia l'URL dell'endpoint del feed dal campo Informazioni sull'endpoint. Avrai bisogno di questo URL HTTPS per configurare l'applicazione client Jamf Protect Telemetry.
Fai clic su Fine.

Configurare i feed dall'hub dei contenuti

Specifica i valori per i seguenti campi:

Region (Regione): la regione in cui si trova il bucket Amazon S3.
URI S3: l'URI del bucket.
- s3://your-log-bucket-name/
  - Sostituisci your-log-bucket-name con il nome effettivo del tuo bucket S3.
L'URI è un: seleziona Directory o Directory che include sottodirectory, a seconda della struttura del bucket.
Opzioni di eliminazione dell'origine: seleziona l'opzione di eliminazione in base alle tue preferenze di importazione.
ID chiave di accesso: la chiave di accesso dell'utente con autorizzazioni di lettura dal bucket S3.
Chiave di accesso segreta: la chiave segreta dell'utente con le autorizzazioni per leggere dal bucket S3.

Opzioni avanzate

Nome feed: un valore precompilato che identifica il feed.
Tipo di origine: metodo utilizzato per raccogliere i log in Google SecOps.
Spazio dei nomi dell'asset: spazio dei nomi associato al feed.
Etichette di importazione: etichette applicate a tutti gli eventi di questo feed.

Crea una chiave API per un feed webhook

Vai alla consoleGoogle Cloud > Credenziali.

Vai a credenziali
Fai clic su Crea credenziali e poi seleziona Chiave API.
Limita l'accesso della chiave API all'API Google Security Operations.

Configurare la telemetria di Jamf Protect per un feed webhook

Nell'applicazione Jamf Protect Telemetry, vai alla configurazione dell'azione correlata.
Per aggiungere un nuovo endpoint dati, fai clic su Crea azioni.
Seleziona HTTP come protocollo.
Inserisci l'URL HTTPS dell'endpoint API Google Security Operations nel campo URL. Si tratta del campo Endpoint Information (Informazioni sull'endpoint) che hai copiato dalla configurazione del feed webhook. È già nel formato richiesto.)
Attiva l'autenticazione specificando la chiave API e la chiave segreta come parte dell'intestazione personalizzata nel seguente formato:
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
Consiglio: specifica la chiave API come intestazione anziché nell'URL. Se il client webhook non supporta le intestazioni personalizzate, puoi specificare la chiave API e la chiave segreta utilizzando parametri di ricerca nel seguente formato:
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```
Sostituisci quanto segue:
- ENDPOINT_URL: l'URL dell'endpoint del feed.
- API_KEY: la chiave API per l'autenticazione a Google Security Operations.
- SECRET: la chiave segreta che hai generato per autenticare il feed.
Nella sezione Raccogli log, seleziona Telemetria.
Fai clic su Invia.

Per saperne di più sui feed di Google Security Operations, consulta la documentazione sui feed di Google Security Operations. Per informazioni sui requisiti per ciascun tipo di feed, consulta Configurazione dei feed per tipo.

Se riscontri problemi durante la creazione dei feed, contatta l'assistenza Google Security Operations.

Tipi di log di telemetria di Jamf Protect supportati

Il parser di telemetria di Jamf Protect supporta i seguenti tipi di log:

Event Type

AUE_add_to_group
AUE_AUDITCTL
AUE_AUDITON_SPOLICY
AUE_AUTH_USER
AUE_BIND
AUE_BIOS_FIRMWARE_VERSIONS
AUE_CHDIR
AUE_CHROOT
AUE_CONNECT
AUE_create_group
AUE_delete_group
AUE_create_user
AUE_delete_user
AUE_EXECVE
AUE_EXIT
AUE_FORK
AUE_GETAUID
AUE_KILL
AUE_LISTEN
AUE_LOGOUT
AUE_LW_LOGIN
AUE_MAC_SET_PROC
AUE_modify_group
AUE_modify_password
AUE_modify_user
AUE_MOUNT
AUE_openssh
AUE_PIDFORTASK
AUE_POSIX_SPAWN
AUE_REMOVE_FROM_GROUP
AUE_SESSION_CLOSE
AUE_SESSION_END
AUE_SESSION_START
AUE_SESSION_UPDATE
AUE_SETPRIORITY
AUE_SETSOCKOPT
AUE_SETTIMEOFDAY
AUE_SHUTDOWN
AUE_SOCKETPAIR
AUE_SSAUTHINT
AUE_SSAUTHMECH
AUE_SSAUTHORIZE
AUE_TASKFORPID
AUE_TASKNAMEFORPID
AUE_UNMOUNT
AUE_WAIT4
PLAINTEXT_LOG_COLLECTION_EVENT
SYSTEM_PERFORMANCE_METRICS

Formati dei log di telemetria Jamf Protect supportati

Il parser di Jamf Protect Telemetry supporta i log in formato JSON.

Log di esempio di telemetria Jamf Protect supportati

JSON

{
  "exec_chain": {
    "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E"
  },
  "exec_chain_child": {
    "parent_path": "/sbin/launchd",
    "parent_pid": 1,
    "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02"
  },
  "header": {
    "time_seconds_epoch": 1657906179,
    "time_milliseconds_offset": 848,
    "version": 11,
    "event_modifier": 0,
    "event_id": 45018,
    "event_name": "AUE_add_to_group"
  },
  "host_info": {
    "serial_number": "C03WG0H4HDTS",
    "host_name": "Test_MacBook_Pro",
    "osversion": "Version 12.4 (Build 21F79)",
    "host_uuid": "8891C1E2-0AC0-4E4A-844B-EA491B14D115"
  },
  "identity": {
    "signer_id": "dummy.domain.opendirectoryd",
    "team_id_truncated": false,
    "signer_id_truncated": false,
    "cd_hash": "68d22bdec020f20010bfa9d27cd5f69d78427636",
    "team_id": "",
    "signer_type": 1
  },
  "key": "21E48D3B-4965-4072-81BF-83BE04A329C2",
  "return": {
    "error": 0,
    "description": "success",
    "return_value": 0
  },
  "subject": {
    "session_id": 100003,
    "group_id": 20,
    "process_name": "/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice",
    "parent_pid": 1,
    "effective_user_name": "jamf",
    "user_id": 501,
    "group_name": "staff",
    "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02",
    "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E",
    "effective_group_id": 20,
    "process_hash": "507494616e05a5eb909794354fe69f29e432f2a7",
    "audit_id": 501,
    "responsible_process_id": 1391,
    "parent_path": "/sbin/launchd",
    "process_id": 1701,
    "effective_group_name": "staff",
    "audit_user_name": "jamf",
    "effective_user_id": 501,
    "terminal_id": {
      "type": 4,
      "ip_address": "198.51.100.0",
      "port": 4278
    },
    "responsible_process_name": "/System/Applications/System Preferences.app/Contents/MacOS/System Preferences",
    "user_name": "jamf"
  },
  "texts": [
    "Added Groups membership username to '_lpadmin' node '/Local/Default', value = 'baddie'"
  ]
}

Riferimento alla mappatura dei campi

Questa sezione spiega come il parser di Google Security Operations mappa i campi di telemetria di Jamf Protect ai campi del modello unificato dei dati (UDM) di Google Security Operations.

Riferimento alla mappatura dei campi: identificatore evento e tipo di evento

La tabella seguente elenca i tipi di log JAMF_TELEMETRY e i relativi tipi di eventi UDM.

Event Identifier	Event Type
`AUE_add_to_group`	`GROUP_MODIFICATION`
`AUE_AUDITCTL`	`RESOURCE_READ`
`AUE_AUDITON_SPOLICY`	`RESOURCE_READ`
`AUE_AUTH_USER`	`USER_LOGIN`
`AUE_BIND`	`NETWORK_CONNECTION`
`AUE_BIOS_FIRMWARE_VERSIONS`	`USER_RESOURCE_ACCESS`
`AUE_CHDIR`	`USER_RESOURCE_ACCESS`
`AUE_CHROOT`	`USER_RESOURCE_ACCESS`
`AUE_CONNECT`	`NETWORK_CONNECTION`
`AUE_create_group`	`GROUP_CREATION`
`AUE_delete_group`	`GROUP_DELETION`
`AUE_create_user`	`USER_CREATION`
`AUE_delete_user`	`USER_DELETION`
`AUE_EXECVE`	`PROCESS_LAUNCH`
`AUE_EXIT`	`PROCESS_TERMINATION`
`AUE_FORK`	`PROCESS_LAUNCH`
`AUE_GETAUID`	`SCHEDULED_TASK_CREATION`
`AUE_KILL`	`PROCESS_TERMINATION`
`AUE_LISTEN`	`NETWORK_CONNECTION`
`AUE_LOGOUT`	`USER_LOGOUT`
`AUE_LW_LOGIN`	`USER_LOGIN`
`AUE_MAC_SET_PROC`	`PROCESS_UNCATEGORIZED`
`AUE_modify_group`	`GROUP_MODIFICATION`
`AUE_modify_password`	`USER_CHANGE_PASSWORD`
`AUE_modify_user`	`USER_UNCATEGORIZED`
`AUE_MOUNT`	`RESOURCE_READ`
`AUE_openssh`	`USER_LOGIN`
`AUE_PIDFORTASK`	`PROCESS_LAUNCH`
`AUE_POSIX_SPAWN`	`PROCESS_LAUNCH`
`AUE_REMOVE_FROM_GROUP`	`GROUP_MODIFICATION`
`AUE_SESSION_CLOSE`	`USER_LOGOUT`
`AUE_SESSION_END`	`USER_LOGOUT`
`AUE_SESSION_START`	`USER_LOGIN`
`AUE_SESSION_UPDATE`	`USER_UNCATEGORIZED`
`AUE_SETPRIORITY`	`SETTING_MODIFICATION`
`AUE_SETSOCKOPT`	`NETWORK_CONNECTION`
`AUE_SETTIMEOFDAY`	`SETTING_MODIFICATION`
`AUE_SHUTDOWN`	`STATUS_SHUTDOWN`
`AUE_SOCKETPAIR`	`NETWORK_CONNECTION`
`AUE_SSAUTHINT`	`USER_LOGIN`
`AUE_SSAUTHMECH`	`USER_LOGIN`
`AUE_SSAUTHORIZE`	`USER_LOGIN`
`AUE_TASKFORPID`	`PROCESS_INJECTION`
`AUE_TASKNAMEFORPID`	`PROCESS_INJECTION`
`AUE_UNMOUNT`	`RESOURCE_READ`
`AUE_WAIT4`	`PROCESS_UNCATEGORIZED`
`PLAINTEXT_LOG_COLLECTION_EVENT`	`GENERIC_EVENT`

`SYSTEM_PERFORMANCE_METRICS`	`GENERIC_EVENT`

Riferimento per la mappatura dei campi: JAMF_TELEMETRY

La tabella seguente elenca i campi di log del tipo di log JAMF_TELEMETRY e i relativi campi UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `JAMF_TELEMETRY`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `JAMF`.
`header.time_seconds_epoch`	`metadata.event_timestamp`
`header.time_milliseconds_offset`	`about.labels[time_milliseconds_offset]` (deprecated)
`header.time_milliseconds_offset`	`additional.fields[time_milliseconds_offset]`
`header.version`	`about.labels[header_version]` (deprecated)
`header.version`	`additional.fields[header_version]`
`header.event_modifier`	`about.labels[event_modifier]` (deprecated)
`header.event_modifier`	`additional.fields[event_modifier]`
`header.event_uuid`	`metadata.product_log_id`
`header.event_name,header.event_id`	`metadata.product_event_type`	If the `header.event_name` and `header.event_id` log field values are not empty, then the `header.event_name-header.event_id` log fields are mapped to the `metadata.product_event_type` UDM field. Else, if the `header.event_name` log field value is not empty, then the `header.event_name` log field is mapped to the `metadata.product_event_type` UDM field. Else, if the `header.event_id` log field value is not empty, then the `header.event_id` log field is mapped to the `metadata.product_event_type` UDM field.
`exec_chain.thread_uuid`	`principal.labels[exec_chain_thread_uuid]` (deprecated)
`exec_chain.thread_uuid`	`additional.fields[exec_chain_thread_uuid]`
`exec_chain.uuid`	`principal.labels[exec_chain_uuid]` (deprecated)
`exec_chain.uuid`	`additional.fields[exec_chain_uuid]`
`exec_chain_child.parent_path`	`principal.process.parent_process.file.full_path`
`exec_chain_child.parent_pid`	`principal.process.parent_process.pid`
`exec_chain_child.parent_uuidsubject.parent` (deprecated)	`principal.labels[exec_chain_child_parent_uuid]`
`exec_chain_child.parent_uuid`	`additional.fields[exec_chain_child_parent_uuid]`
`host_info.serial_number`	`principal.asset.hardware.serial_number`
`host_info.host_name`	`principal.hostname`
`host_info.osversion`	`principal.asset.software.version`
`host_info.host_uuid`	`principal.asset.product_object_id`
`host_info.primary_mac_address`	`principal.asset.mac`
`identity.signer_id`	`principal.labels[identity_signer_id]` (deprecated)
`identity.signer_id`	`additional.fields[identity_signer_id]`
`identity.team_id_truncated`	`principal.labels[identity_team_id_truncated]` (deprecated)
`identity.team_id_truncated`	`additional.fields[identity_team_id_truncated]`
`identity.signer_id_truncated`	`principal.labels[identity_signer_id_truncated]` (deprecated)
`identity.signer_id_truncated`	`additional.fields[identity_signer_id_truncated]`
`identity.cd_hash`	`principal.labels[identity_cd_hash]` (deprecated)
`identity.cd_hash`	`additional.fields[identity_cd_hash]`
`identity.team_id`	`principal.labels[team_id]` (deprecated)
`identity.team_id`	`additional.fields[team_id]`
`identity.signer_type`	`principal.labels[signer_type]` (deprecated)
`identity.signer_type`	`additional.fields[signer_type]`
`key`	`about.labels[key]` (deprecated)
`key`	`additional.fields[key]`
`return.error,return.description`	`security_result.description`	If the `return.error` and `return.description` log field values are not empty, then the `return.error-return.description` log fields are mapped to the `security_result.description` UDM field. Else, if the `return.error` log field value is not empty, then the `return.error` log field is mapped to the `security_result.description` UDM field. Else, if the `return.description` log field value is not empty, then the `return.description` log field is mapped to the `security_result.description` UDM field.
`return.return_value`	`security_result.detection_fields`
`subject.session_id`	`network.session_id`
`subject.group_id`	`principal.user.group_identifiers`	If the `header.event_name` log field value contains one of the following values, then the `subject.group_id` log field is mapped to the `target.user.group_identifiers` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.group_id` log field is mapped to the `principal.user.group_identifiers` UDM field.
`subject.effective_group_id`	`target.user.group_identifiers`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_group_id` log field is mapped to the `target.user.group_identifiers` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.group_name`	`principal.group.group_display_name`	If the `header.event_name` log field value contains one of the following values, then the `subject.group_name` log field is mapped to the `target.group.group_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.group_name` log field is mapped to the `principal.group.group_display_name` UDM field.
`subject.effective_group_name`	`target.group.group_display_name`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_group_name` log field is mapped to the `target.group.group_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.user_name`	`principal.user.user_display_name`	If the `header.event_name` log field value contains one of the following values, then the `subject.user_name` log field is mapped to the `target.user.user_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.user_name` log field is mapped to the `principal.user.user_display_name` UDM field.
`subject.effective_user_name`	`target.user.user_display_name`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_user_name` log field is mapped to the `target.user.user_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.user_id`	`principal.user.userid`	If the `header.event_name` log field value contains one of the following values, then the `subject.user_id` log field is mapped to the `target.user.userid` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.user_id` log field is mapped to the `principal.user.userid` UDM field.
`subject.effective_user_id`	`target.user.userid`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_user_id` log field is mapped to the `target.user.userid` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.audit_id`	`principal.labels[audit_id]` (deprecated)
`subject.audit_id`	`additional.fields[audit_id]`
`subject.responsible_process_id,metrics.tasks.pid`	`principal.process.pid`	If the `header.event_name` log field value is equal to `SYSTEM_PERFORMANCE_METRICS`, then the `metrics.tasks.pid` log field is mapped to the `principal.process.pid` UDM field. Else, the `subject.responsible_process_id` log field is mapped to the `principal.process.pid` UDM field.
`subject.process_id`	`principal.process_ancestors.pid`	If the `subject.responsible_process_id` log field value is not empty, then the `subject.process_id` log field is mapped to the `principal.process_ancestors.pid` UDM field. Else, the `subject.process_id` log field is mapped to the `principal.process.pid` UDM field.
`subject.audit_user_name`	`principal.labels[audit_user_name]` (deprecated)
`subject.audit_user_name`	`additional.fields[audit_user_name]`
`subject.process_name`	`principal.process_ancestors.file.full_path`	If the `subject.responsible_process_name` log field value is not empty, then the `subject.process_name` log field is mapped to the `principal.process_ancestors.file.full_path` UDM field. Else, the `subject.process_name` log field is mapped to the `principal.process.file.full_path` UDM field.
`subject.responsible_process_name`	`principal.process.file.full_path`
`subject.process_hash`	`principal.process.file.sha1`
`subject.terminal_id.type`	`principal.labels[type]` (deprecated)	If the `subject.terminal_id.type` log field value is equal to `4`, then the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `principal.labels.value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `principal.labels.value` UDM field is set to `6-IPv6`. Else, the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `subject.terminal_id.type` log field is mapped to the `principal.labels.value` UDM field.
`subject.terminal_id.type`	`additional.fields[type]`	If the `subject.terminal_id.type` log field value is equal to `4`, then the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `6-IPv6`. Else, the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `subject.terminal_id.type` log field is mapped to the `additional.fields.value.string_value` UDM field.
`subject.terminal_id.ip_address`	`principal.ip`
`subject.terminal_id.port`	`principal.port`
`texts`	`metadata.description`	If the `index` value is equal to `0`, then the `texts` log field is mapped to the `metadata.description` UDM field. Else, the `texts` log field is mapped to the `about.labels.value` UDM field.
`attributes.device`	`principal.asset.attribute.labels[device]`
`attributes.owner_group_name`	`about.group.group_display_name`
`attributes.owner_group_id`	`about.user.group_identifiers`
`attributes.owner_user_id`	`about.user.userid`
`attributes.owner_user_name`	`about.user.user_display_name`
`attributes.file_system_id`	`principal.labels[attributes_file_system_id]` (deprecated)
`attributes.file_system_id`	`additional.fields[attributes_file_system_id]`
`attributes.file_access_mode`	`principal.labels[attributes_file_access_mode]` (deprecated)
`attributes.file_access_mode`	`additional.fields[attributes_file_access_mode]`
`attributes.node_id`	`principal.asset.asset_id`
`path`	`about.labels[path]`
`arguments.cmd`	`principal.labels[arguments_cmd]` (deprecated)
`arguments.cmd`	`additional.fields[arguments_cmd]`
`arguments.policy`	`principal.labels[arguments_policy]` (deprecated)
`arguments.policy`	`additional.fields[arguments_policy]`
`arguments.length`	`principal.labels[arguments_length]` (deprecated)
`arguments.length`	`additional.fields[arguments_length]`
`_event_score`	`security_result.severity_details`
`architecture`	`principal.asset.hardware.cpu_model`
`arguments.addr`	`principal.labels[arguments_addr]` (deprecated)
`arguments.addr`	`additional.fields[arguments_addr]`
`arguments.am_failure`	`principal.labels[arguments_am_failure]` (deprecated)
`arguments.am_failure`	`additional.fields[arguments_am_failure]`
`arguments.am_success`	`principal.labels[arguments_am_success]` (deprecated)
`arguments.am_success`	`additional.fields[arguments_am_success]`
`arguments.authenticated_as_test`	`principal.labels[arguments_authenticated_as_test]` (deprecated)
`arguments.authenticated_as_test`	`additional.fields[arguments_authenticated_as_test]`
`arguments.child_PID`	`principal.labels[arguments_child_PID]` (deprecated)
`arguments.child_PID`	`additional.fields[arguments_child_PID]`
`arguments.data`	`principal.labels[arguments_data]` (deprecated)
`arguments.data`	`additional.fields[arguments_data]`
`arguments.domain`	`principal.labels[arguments_domain]` (deprecated)
`arguments.domain`	`additional.fields[arguments_domain]`
`arguments.fd`	`principal.labels[arguments_fd]` (deprecated)
`arguments.fd`	`additional.fields[arguments_fd]`
`arguments.flags`	`principal.labels[arguments_flags]` (deprecated)
`arguments.flags`	`additional.fields[arguments_flags]`
`arguments.authenticated_as_allen.golbig`	`principal.labels[authenticated_as_allen_golbig]` (deprecated)
`arguments.authenticated_as_allen.golbig`	`additional.fields[authenticated_as_allen_golbig]`
`arguments.known_UID_`	`principal.labels[argument_known_uid]` (deprecated)
`arguments.known_UID_`	`additional.fields[argument_known_uid]`
`arguments.pid`	`principal.labels[arguments_pid]` (deprecated)
`arguments.pid`	`additional.fields[arguments_pid]`
`arguments.port`	`principal.labels[arguments_port]` (deprecated)
`arguments.port`	`additional.fields[arguments_port]`
`arguments.priority`	`security_result.priority_details`
`arguments.process`	`principal.labels[argument_process]` (deprecated)
`arguments.process`	`additional.fields[argument_process]`
`arguments.protocol`	`principal.labels[argument_protocol]` (deprecated)
`arguments.protocol`	`additional.fields[argument_protocol]`
`arguments.request`	`principal.labels[argument_request]` (deprecated)
`arguments.request`	`additional.fields[argument_request]`
`arguments.sflags`	`principal.labels[arguments_sflags]` (deprecated)
`arguments.sflags`	`additional.fields[arguments_sflags]`
`arguments.signal`	`principal.labels[argument_signal]` (deprecated)
`arguments.signal`	`additional.fields[argument_signal]`
`arguments.target_port,process.terminal_id.port,socket_inet.port`	`target.port`	If the `header.event_name` log field value is equal to `AUE_KILL` or `AUE_TASKFORPID`, then the `process.port` log field is mapped to the `target.port` UDM field. Else, if the `header.event_name` log field value is equal to `AUE_BIND` or `AUE_CONNECT`, then the `socket_inet.port` log field is mapped to the `target.port` UDM field. Else, the `agument.target_port` log field is mapped to the `target.port` UDM field.
`arguments.task_port`	`principal.labels[task_port]` (deprecated)
`arguments.task_port`	`additional.fields[task_port]`
`arguments.type`	`principal.labels[argument_type]` (deprecated)
`arguments.type`	`additional.fields[argument_type]`
`arguments.which`	`principal.labels[which]` (deprecated)
`arguments.which`	`additional.fields[which]`
`arguments.who`	`principal.labels[who]` (deprecated)
`arguments.who`	`additional.fields[who]`
`bios_firmware_versions.booter-version`	`principal.asset.attribute.labels[booter_version]`
`bios_firmware_versions.firmware-features`	`principal.asset.attribute.labels[firmware_features]`
`bios_firmware_versions.firmware-version`	`principal.asset.attribute.labels[firmware_version]`
`bios_firmware_versions.release-date`	`principal.asset.attribute.labels[release_date]`
`bios_firmware_versions.rom-size`	`principal.asset.attribute.labels[rom_size]`
`bios_firmware_versions.system-firmware-version`	`principal.asset.attribute.labels[system_firmware_version]`
`bios_firmware_versions.vendor`	`principal.asset.attribute.labels[vendor]`
`bios_firmware_versions.version`	`principal.asset.attribute.labels[version]`
`exec_args.args_compiled`	`principal.process.command_line`
`exec_chain_parent.uuid`	`principal.labels[parent_uuid]` (deprecated)
`exec_chain_parent.uuid`	`additional.fields[parent_uuid]`
`exec_env.env_compiled`	`about.labels[env_compiled]` (deprecated)
`exec_env.env_compiled`	`additional.fields[env_compiled]`
`exec_env.env.PATH`	`about.labels[env_path]` (deprecated)
`exec_env.env.PATH`	`additional.fields[env_path]`
`exit.return_value`	`principal.labels[return_value]` (deprecated)
`exit.return_value`	`additional.fields[return_value]`
`exit.status`	`principal.labels[exit_status]` (deprecated)
`exit.status`	`additional.fields[exit_status]`
`process.audit_id`	`about.labels[process_audit_id]` (deprecated)
`process.audit_id`	`additional.fields[process_audit_id]`
`process.audit_user_name`	`about.labels[audit_user_name]` (deprecated)
`process.audit_user_name`	`additional.fields[audit_user_name]`
`process.group_idprocess.effective_group_id`	`about.user.group_identifiers`
`process.group_name`	`about.group.group_display_name`
`process.process_hash`	`target.process.file.sha1`
`process.process_id`	`target.process.pid`
`process.process_name`	`target.process.file.full_path`
`process.session_id`	`target.labels[process_session_id]` (deprecated)
`process.session_id`	`additional.fields[process_session_id]`
`process.terminal_id.addr`	`target.labels[addr]`
`process.terminal_id.ip_address`	`target.ip`
`process.terminal_id.type`	`target.labels[process_terminal_id_type]` (deprecated)	If the `process.terminal_id.type` log field value is equal to `4`, then the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `target.labels.value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `target.labels.value` UDM field is set to `6-IPv6`. Else, the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `process.terminal_id.type` log field is mapped to the `target.labels.value` UDM field.
`process.terminal_id.type`	`additional.fields[process_terminal_id_type]`	If the `process.terminal_id.type` log field value is equal to `4`, then the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `6-IPv6`. Else, the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `process.terminal_id.type` log field is mapped to the `additional.fields.value.string_value` UDM field.
`process.user_id`	`about.user.userid`
`process.user_name`	`about.user.user_display_name`
`rateLimitingSeconds`	`about.labels[rate_limiting_seconds]` (deprecated)
`rateLimitingSeconds`	`additional.fields[rate_limiting_seconds]`
`socket_inet.family`	`target.labels[socket_inet_family]` (deprecated)
`socket_inet.family`	`additional.fields[socket_inet_family]`
`socket_inet.id`	`target.labels[socket_inet_id]` (deprecated)	If the `socket_inet.id` log field value is equal to `128`, then the `target.labels.key` UDM field is set to `socket_inet_id` and the `target.labels.value` UDM field is set to `128-IPv4`. Else, if the `socket_inet.id` log field value is equal to `129`, then the `target.labels.key` UDM field is set to `socket_inet_id` and the `target.labels.value` UDM field is set to `129-IPv6`. Else, the `target.labels.key` UDM field is set to `socket_inet_id` and the `socket_inet.ip` log field is mapped to the `target.labels.value` UDM field.
`socket_inet.id`	`additional.fields[socket_inet_id]`	If the `socket_inet.id` log field value is equal to `128`, then the `additional.fields.key` UDM field is set to `socket_inet_id` and the `additional.fields.value.string_value` UDM field is set to `128-IPv4`. Else, if the `socket_inet.id` log field value is equal to `129`, then the `additional.fields.key` UDM field is set to `socket_inet_id` and the `additional.fields.value.string_value` UDM field is set to `129-IPv6`. Else, the `additional.fields.key` UDM field is set to `socket_inet_id` and the `socket_inet.ip` log field is mapped to the `additional.fields.value.string_value` UDM field.
`socket_inet.ip_address`	`target.ip`
`socket_unix.family`	`target.labels[socket_unix_family]` (deprecated)
`socket_unix.family`	`additional.fields[socket_unix_family]`
`socket_unix.path`	`target.file.full_path`
`subject.terminal_id.addr`	`target.labels[addr]`
`metrics.hw_model`	`principal.asset.hardware.model`
`metrics.tasks.bytes_received`	`network.received_bytes`	If the `index` value is equal to `0`, then the `metrics.tasks.bytes_received` log field is mapped to the `network.received_bytes` UDM field. Else, the `metrics.tasks.bytes_received` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.bytes_received_per_s`	`principal.asset.attribute.labels[bytes_received_per_s]`
`metrics.tasks.bytes_sent`	`network.sent_bytes`	If the `index` value is equal to `0`, then the `metrics.tasks.bytes_sent` log field is mapped to the `network.sent_bytes` UDM field. Else, the `metrics.tasks.bytes_sent` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.bytes_sent_per_s`	`principal.asset.attribute.labels[bytes_sent_per_s]`
`metrics.tasks.cputime_ms_per_s`	`principal.asset.attribute.labels[cputime_ms_per_s]`
`metrics.tasks.cputime_ns`	`principal.asset.attribute.labels[cputime_ns]`
`metrics.tasks.cputime_sample_ms_per_s`	`principal.asset.attribute.labels[cputime_sample_ms_per_s]`
`metrics.tasks.cputime_userland_ratio`	`principal.asset.attribute.labels[cputime_userland_ratio]`
`metrics.tasks.diskio_bytesread`	`principal.asset.attribute.labels[diskio_bytesread]`
`metrics.tasks.diskio_bytesread_per_s`	`principal.asset.attribute.labels[diskio_bytesread_per_s]`
`metrics.tasks.diskio_byteswritten`	`principal.asset.attribute.labels[diskio_byteswritten]`
`metrics.tasks.diskio_byteswritten_per_s`	`principal.asset.attribute.labels[diskio_byteswritten_per_s]`
`metrics.tasks.energy_impact`	`principal.asset.attribute.labels[energy_impact]`
`metrics.tasks.energy_impact_per_s`	`principal.asset.attribute.labels[energy_impact_per_s]`
`metrics.tasks.idle_wakeups`	`principal.asset.attribute.labels[idle_wakeups]`
`metrics.tasks.interval_ns`	`principal.asset.attribute.labels[interval_ns]`
`metrics.tasks.intr_wakeups_per_s`	`principal.asset.attribute.labels[intr_wakeups_per_s]`
`metrics.tasks.name`	`principal.asset.attribute.labels[name]`
`metrics.tasks.packets_received`	`network.received_packets`	If the `index` value is equal to `0`, then the `metrics.tasks.packets_received` log field is mapped to the `network.received_packets` UDM field. Else, the `metrics.tasks.packets_received` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.packets_received_per_s`	`principal.asset.attribute.labels[packets_received_per_s]`
`metrics.tasks.packets_sent`	`network.sent_packets`	If the `index` value is equal to `0`, then the `metrics.tasks.packets_sent` log field is mapped to the `network.sent_packets` UDM field. Else, the `metrics.tasks.packets_sent` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.packets_sent_per_s`	`principal.asset.attribute.labels[packets_sent_per_s]`
`metrics.tasks.pageins`	`principal.asset.attribute.labels[pageins]`
`metrics.tasks.pageins_per_s`	`principal.asset.attribute.labels[pageins_per_s]`
`metrics.tasks.qos_background_ms_per_s`	`principal.asset.attribute.labels[qos_background_ms_per_s]`
`metrics.tasks.qos_background_ns`	`principal.asset.attribute.labels[qos_background_ns]`
`metrics.tasks.qos_default_ms_per_s`	`principal.asset.attribute.labels[qos_default_ms_per_s]`
`metrics.tasks.qos_default_ns`	`principal.asset.attribute.labels[qos_default_ns]`
`metrics.tasks.qos_disabled_ms_per_s`	`principal.asset.attribute.labels[qos_disabled_ms_per_s]`
`metrics.tasks.qos_disabled_ns`	`principal.asset.attribute.labels[qos_disabled_ns]`
`metrics.tasks.qos_maintenance_ms_per_s`	`principal.asset.attribute.labels[qos_maintenance_ms_per_s]`
`metrics.tasks.qos_maintenance_ns`	`principal.asset.attribute.labels[qos_maintenance_ns]`
`metrics.tasks.qos_user_initiated_ms_per_s`	`principal.asset.attribute.labels[qos_user_initiated_ms_per_s]`
`metrics.tasks.qos_user_initiated_ns`	`principal.asset.attribute.labels[qos_user_initiated_ns]`
`metrics.tasks.qos_user_interactive_ms_per_s`	`principal.asset.attribute.labels[qos_user_interactive_ms_per_s]`
`metrics.tasks.qos_user_interactive_ns`	`principal.asset.attribute.labels[qos_user_interactive_ns]`
`metrics.tasks.qos_utility_ms_per_s`	`principal.asset.attribute.labels[qos_utility_ms_per_s]`
`metrics.tasks.qos_utility_ns`	`principal.asset.attribute.labels[qos_utility_ns]`
`metrics.tasks.started_abstime_ns`	`principal.asset.attribute.labels[started_abstime_ns]`
`metrics.tasks.timer_wakeups.wakeups`	`principal.asset.attribute.labels[timer_wakeups]`
`page_info.page`	`about.labels[page_info_page]` (deprecated)
`page_info.page`	`additional.fields[page_info_page]`
`page_info.total`	`about.labels[page_info_total]` (deprecated)
`page_info.total`	`additional.fields[page_info_total]`
`exec_env.env._`	`about.labels[env]` (deprecated)
`exec_env.env._`	`additional.fields[env]`
`exec_env.env.__CF_USER_TEXT_ENCODING`	`about.labels[env__CF_USER_TEXT_ENCODING]` (deprecated)
`exec_env.env.__CF_USER_TEXT_ENCODING`	`additional.fields[env__CF_USER_TEXT_ENCODING]`
`exec_env.env.__CFBundleIdentifier`	`about.labels[env__CFBundleIdentifier]` (deprecated)
`exec_env.env.__CFBundleIdentifier`	`additional.fields[env__CFBundleIdentifier]`
`exec_env.env.ASDF_DIR`	`about.labels[env_ASDF_DIR]` (deprecated)
`exec_env.env.ASDF_DIR`	`additional.fields[env_ASDF_DIR]`
`exec_env.env.HOME`	`about.labels[env_HOME]` (deprecated)
`exec_env.env.HOME`	`additional.fields[env_HOME]`
`exec_env.env.LANG`	`about.labels[env_LANG]` (deprecated)
`exec_env.env.LANG`	`additional.fields[env_LANG]`
`exec_env.env.LC_TERMINAL`	`about.labels[env_LC_TERMINAL]` (deprecated)
`exec_env.env.LC_TERMINAL`	`additional.fields[env_LC_TERMINAL]`
`exec_env.env.LC_TERMINAL_VERSION`	`about.labels[env_LC_TERMINAL_VERSION]` (deprecated)
`exec_env.env.LC_TERMINAL_VERSION`	`additional.fields[env_LC_TERMINAL_VERSION]`
`exec_env.env.MAIL`	`about.labels[env_MAIL]` (deprecated)
`exec_env.env.MAIL`	`additional.fields[env_MAIL]`
`exec_env.env.MallocSpaceEfficient`	`about.labels[env_MallocSpaceEfficient]` (deprecated)
`exec_env.env.MallocSpaceEfficient`	`additional.fields[env_MallocSpaceEfficient]`
`exec_env.env.OLDPWD`	`about.labels[env_OLDPWD]` (deprecated)
`exec_env.env.OLDPWD`	`additional.fields[env_OLDPWD]`
`exec_env.env.PWD`	`about.file.full_path`
`exec_env.env.SHELL`	`about.labels[env_SHELL]` (deprecated)
`exec_env.env.SHELL`	`additional.fields[env_SHELL]`
`exec_env.env.SHLVL`	`about.labels[env_SHLVL]` (deprecated)
`exec_env.env.SHLVL`	`additional.fields[env_SHLVL]`
`exec_env.env.SSH_AUTH_SOCK`	`about.labels[env_SSH_AUTH_SOCK]` (deprecated)
`exec_env.env.SSH_AUTH_SOCK`	`additional.fields[env_SSH_AUTH_SOCK]`
`exec_env.env.SSH_CLIENT`	`about.labels[env_SSH_CLIENT]` (deprecated)
`exec_env.env.SSH_CLIENT`	`additional.fields[env_SSH_CLIENT]`
`exec_env.env.SSH_CONNECTION`	`about.labels[env_SSH_CONNECTION]` (deprecated)
`exec_env.env.SSH_CONNECTION`	`additional.fields[env_SSH_CONNECTION]`
`exec_env.env.SSH_TTY`	`about.labels[env_SSH_TTY]` (deprecated)
`exec_env.env.SSH_TTY`	`additional.fields[env_SSH_TTY]`
`exec_env.env.SUDO_COMMAND`	`about.labels[env_SUDO_COMMAND]` (deprecated)
`exec_env.env.SUDO_COMMAND`	`additional.fields[env_SUDO_COMMAND]`
`exec_env.env.SUDO_GID`	`about.user.group_identifiers`
`exec_env.env.SUDO_UID`	`about.user.userid`
`exec_env.env.SUDO_USER`	`about.user.user_display_name`
`exec_env.env.TERM`	`about.labels[env_TERM]` (deprecated)
`exec_env.env.TERM`	`additional.fields[env_TERM]`
`exec_env.env.LOGNAME`	`about.labels[env_LOGNAME]` (deprecated)
`exec_env.env.LOGNAME`	`additional.fields[env_LOGNAME]`
`exec_env.env.USER`	`about.labels[env_USER]` (deprecated)
`exec_env.env.USER`	`additional.fields[env_USER]`
`exec_env.env.TERM_PROGRAM`	`about.labels[env_TERM_PROGRAM]` (deprecated)
`exec_env.env.TERM_PROGRAM`	`additional.fields[env_TERM_PROGRAM]`
`exec_env.env.TERM_PROGRAM_VERSION`	`about.labels[env_TERM_PROGRAM_VERSION]` (deprecated)
`exec_env.env.TERM_PROGRAM_VERSION`	`additional.fields[env_TERM_PROGRAM_VERSION]`
`exec_env.env.TERM_SESSION_ID`	`about.labels[env_TERM_SESSION_ID]` (deprecated)
`exec_env.env.TERM_SESSION_ID`	`additional.fields[env_TERM_SESSION_ID]`
`exec_env.env.TMPDIR`	`about.labels[env_TMPDIR]` (deprecated)
`exec_env.env.TMPDIR`	`additional.fields[env_TMPDIR]`
`exec_env.env.XPC_FLAGS`	`about.labels[env_XPC_FLAGS]` (deprecated)
`exec_env.env.XPC_FLAGS`	`additional.fields[env_XPC_FLAGS]`
`exec_env.env.XPC_SERVICE_NAME`	`about.labels[env_XPC_SERVICE_NAME]` (deprecated)
`exec_env.env.XPC_SERVICE_NAME`	`additional.fields[env_XPC_SERVICE_NAME]`
	`target.resource.resource_type`	If the `header.event_name` log field value is equal to `AUE_GETAUID`, then the `target.resource.resource_type` UDM field is set to `TASK`. Else, if the `header.event_name` log field value is equal to `AUE_SETPRIORITY or AUE_SETTIMEOFDAY`, then the `target.resource.resource_type` UDM field is set to `SETTING`.
	`extensions.auth.mechanism`	If the `header.event_name` log field value contains one of the following values, then the `mechanism` UDM field is set to `USERNAME_PASSWORD`: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`

Passaggi successivi

Importazione dei dati in Google Security Operations

Hai bisogno di ulteriore assistenza? Ricevi risposte dai membri della community e dai professionisti di Google SecOps.