收集 Jamf Protect 遥测日志
支持的语言:
Google SecOps
SIEM
本文档介绍了如何通过设置 Google Security Operations Feed 来收集 Jamf Protect 遥测日志,以及日志字段如何映射到 Google Security Operations Unified Data Model (UDM) 字段。本文档还列出了受支持的 Jamf Protect 遥测版本。
如需了解详情,请参阅将数据注入 Google Security Operations。
典型部署包括 Jamf Protect 遥测和配置为将日志发送到 Google Security Operations 的 Google Security Operations Feed。每个客户部署都可能有所不同,并且可能更复杂。
部署包含以下组件:
Jamf Protect 遥测。您要从中收集日志的 Jamf Protect 遥测平台。
Google Security Operations Feed。从 Jamf Protect 遥测数据中提取日志并将其写入 Google Security Operations 的 Google Security Operations Feed。
Google Security Operations。Google Security Operations 会保留并分析来自 Jamf Protect 遥测数据的日志。
注入标签用于标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 JAMF_TELEMETRY 注入标签的解析器。
准备工作
确保您满足以下前提条件:
- Jamf Protect 遥测设置
- Jamf Protect 4.0.0 版或更高版本
- 部署架构中的所有系统都使用世界协调时间 (UTC) 时区进行配置。
设置 Feed
您可以通过两种不同的入口点在 Google SecOps 平台中设置 Feed:
- SIEM 设置 > Feed
- 内容中心 > 内容包
通过“SIEM 设置”>“Feed”设置 Feed
您可以使用 Amazon S3 或 Webhook 在 Google Security Operations 中设置提取 Feed,但我们建议使用 Amazon S3。
使用 Amazon S3 在 Google SecOps 中设置注入 Feed
如需为相应产品系列中的不同日志类型配置多个 Feed,请参阅按产品配置 Feed。
如需配置单个 Feed,请按以下步骤操作:
- 依次前往 SIEM 设置> Feed。
- 点击添加新 Feed。
- 在下一页上,点击配置单个 Feed。
- 在 Feed 名称字段中,输入 Feed 的名称,例如 Jamf 遥测日志。
- 选择 Amazon S3 作为来源类型。
- 如需为 Jamf Protect Telemetry 创建 Feed,请选择 Jamf Protect Telemetry 作为日志类型。
- 点击下一步。
- 保存信息流,然后点击提交。
- 从 Feed 名称中复制 Feed ID,以便在 Jamf Protect Telemetry 中使用。
使用 Webhook 在 Google SecOps 中设置注入 Feed
仅限 Google Security Operations 统一版客户:
如需在此产品系列中为不同类型的日志配置多个 Feed,请参阅配置多个 Feed。
对于所有客户:
如需配置单个 Feed,请按以下步骤操作:
- 依次前往 SIEM 设置> Feed。
- 点击添加新 Feed。
- 在下一页上,点击配置单个 Feed。如果您使用的是 Google SecOps SIEM 独立平台,请跳过此步骤。
- 在 Feed 名称字段中,输入 Feed 的名称,例如 Jamf 遥测日志。
- 在来源类型列表中,选择 Webhook。
- 如需为 Jamf Protect Telemetry 创建 Feed,请选择 Jamf Protect Telemetry 作为日志类型。
- 点击下一步。
- 可选:为以下输入参数指定值:
- 拆分分隔符:用于分隔日志行的分隔符,例如
\n。 - 资源命名空间:资源命名空间。
- 注入标签:要应用于此 Feed 中事件的标签。
- 拆分分隔符:用于分隔日志行的分隔符,例如
- 点击下一步。
- 在最终确定界面中查看新的 Feed 配置,然后点击提交。
- 点击生成密钥,生成用于对此 Feed 进行身份验证的密钥。
- 复制并存储密钥。您将无法再次查看此密钥。如有需要,您可以重新生成新的 Secret 密钥,但此操作会使之前的 Secret 密钥失效。
- 在详情标签页中,从端点信息字段复制 Feed 端点网址。您需要使用此 HTTPS 网址来设置 Jamf Protect 遥测客户端应用。
- 点击完成。
设置来自内容中心的 Feed
为以下字段指定值:
- 区域:Amazon S3 存储桶所在的区域。
- S3 URI:存储桶 URI。
s3://your-log-bucket-name/- 将
your-log-bucket-name替换为您的 S3 存储桶的实际名称。
- 将
- URI is a:根据您的存储桶结构,选择目录或目录(包括子目录)。
- 源删除选项:根据您的提取偏好设置选择删除选项。
访问密钥 ID:有权从 S3 存储桶读取数据的用户的访问密钥。
私有访问密钥:具有从 S3 存储桶读取权限的用户的私有密钥。
高级选项
- Feed 名称:用于标识 Feed 的预填充值。
- 来源类型:用于将日志收集到 Google SecOps 中的方法。
- 资产命名空间:与 Feed 关联的命名空间。
- 提取标签:应用于相应 Feed 中所有事件的标签。
为网络钩子 Feed 创建 API 密钥
依次前往 Google Cloud 控制台 > 凭据。
点击创建凭据,然后选择 API 密钥。
将 API 密钥访问权限限制为 Google Security Operations API。
为网络钩子 Feed 设置 Jamf Protect 遥测
- 在 Jamf Protect Telemetry 应用中,前往相关的操作配置。
- 如需添加新的数据端点,请点击创建操作。
- 选择 HTTP 作为协议。
- 在网址字段中,输入 Google Security Operations API 端点的 HTTPS 网址。(这是您从网络钩子 Feed 设置中复制的端点信息字段。它已经采用所需格式。)
通过在自定义标头中指定 API 密钥和密钥来启用身份验证,格式如下:
X-goog-api-key = API_KEY X-Webhook-Access-Key = SECRET建议:将 API 密钥指定为标头,而不是在网址中指定。如果您的 Webhook 客户端不支持自定义标头,您可以使用以下格式的查询参数指定 API 密钥和密钥:
ENDPOINT_URL?key=API_KEY&secret=SECRET替换以下内容:
ENDPOINT_URL:Feed 端点网址。API_KEY:用于向 Google Security Operations 进行身份验证的 API 密钥。SECRET:您生成的用于对 Feed 进行身份验证的密钥。
在收集日志部分,选择遥测。
点击提交。
如需详细了解 Google Security Operations Feed,请参阅 Google Security Operations Feed 文档。如需了解每种 Feed 类型的要求,请参阅按类型划分的 Feed 配置。
如果您在创建 Feed 时遇到问题,请与 Google Security Operations 支持团队联系。
支持的 Jamf Protect 遥测日志类型
Jamf Protect 遥测解析器支持以下日志类型:
Event Type
- AUE_add_to_group
- AUE_AUDITCTL
- AUE_AUDITON_SPOLICY
- AUE_AUTH_USER
- AUE_BIND
- AUE_BIOS_FIRMWARE_VERSIONS
- AUE_CHDIR
- AUE_CHROOT
- AUE_CONNECT
- AUE_create_group
- AUE_delete_group
- AUE_create_user
- AUE_delete_user
- AUE_EXECVE
- AUE_EXIT
- AUE_FORK
- AUE_GETAUID
- AUE_KILL
- AUE_LISTEN
- AUE_LOGOUT
- AUE_LW_LOGIN
- AUE_MAC_SET_PROC
- AUE_modify_group
- AUE_modify_password
- AUE_modify_user
- AUE_MOUNT
- AUE_openssh
- AUE_PIDFORTASK
- AUE_POSIX_SPAWN
- AUE_REMOVE_FROM_GROUP
- AUE_SESSION_CLOSE
- AUE_SESSION_END
- AUE_SESSION_START
- AUE_SESSION_UPDATE
- AUE_SETPRIORITY
- AUE_SETSOCKOPT
- AUE_SETTIMEOFDAY
- AUE_SHUTDOWN
- AUE_SOCKETPAIR
- AUE_SSAUTHINT
- AUE_SSAUTHMECH
- AUE_SSAUTHORIZE
- AUE_TASKFORPID
- AUE_TASKNAMEFORPID
- AUE_UNMOUNT
- AUE_WAIT4
- PLAINTEXT_LOG_COLLECTION_EVENT
- SYSTEM_PERFORMANCE_METRICS
支持的 Jamf Protect 遥测日志格式
Jamf Protect 遥测解析器支持 JSON 格式的日志。
支持的 Jamf Protect 遥测样本日志
JSON
{ "exec_chain": { "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E" }, "exec_chain_child": { "parent_path": "/sbin/launchd", "parent_pid": 1, "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02" }, "header": { "time_seconds_epoch": 1657906179, "time_milliseconds_offset": 848, "version": 11, "event_modifier": 0, "event_id": 45018, "event_name": "AUE_add_to_group" }, "host_info": { "serial_number": "C03WG0H4HDTS", "host_name": "Test_MacBook_Pro", "osversion": "Version 12.4 (Build 21F79)", "host_uuid": "8891C1E2-0AC0-4E4A-844B-EA491B14D115" }, "identity": { "signer_id": "dummy.domain.opendirectoryd", "team_id_truncated": false, "signer_id_truncated": false, "cd_hash": "68d22bdec020f20010bfa9d27cd5f69d78427636", "team_id": "", "signer_type": 1 }, "key": "21E48D3B-4965-4072-81BF-83BE04A329C2", "return": { "error": 0, "description": "success", "return_value": 0 }, "subject": { "session_id": 100003, "group_id": 20, "process_name": "/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice", "parent_pid": 1, "effective_user_name": "jamf", "user_id": 501, "group_name": "staff", "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02", "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E", "effective_group_id": 20, "process_hash": "507494616e05a5eb909794354fe69f29e432f2a7", "audit_id": 501, "responsible_process_id": 1391, "parent_path": "/sbin/launchd", "process_id": 1701, "effective_group_name": "staff", "audit_user_name": "jamf", "effective_user_id": 501, "terminal_id": { "type": 4, "ip_address": "198.51.100.0", "port": 4278 }, "responsible_process_name": "/System/Applications/System Preferences.app/Contents/MacOS/System Preferences", "user_name": "jamf" }, "texts": [ "Added Groups membership username to '_lpadmin' node '/Local/Default', value = 'baddie'" ] }
字段映射参考
本部分介绍 Google Security Operations 解析器如何将 Jamf Protect 遥测字段映射到 Google Security Operations Unified Data Model (UDM) 字段。
字段映射参考信息:事件标识符到事件类型
下表列出了JAMF_TELEMETRY 日志类型及其对应的 UDM 事件类型。
| Event Identifier | Event Type |
|---|---|
AUE_add_to_group |
GROUP_MODIFICATION |
AUE_AUDITCTL |
RESOURCE_READ |
AUE_AUDITON_SPOLICY |
RESOURCE_READ |
AUE_AUTH_USER |
USER_LOGIN |
AUE_BIND |
NETWORK_CONNECTION |
AUE_BIOS_FIRMWARE_VERSIONS |
USER_RESOURCE_ACCESS |
AUE_CHDIR |
USER_RESOURCE_ACCESS |
AUE_CHROOT |
USER_RESOURCE_ACCESS |
AUE_CONNECT |
NETWORK_CONNECTION |
AUE_create_group |
GROUP_CREATION |
AUE_delete_group |
GROUP_DELETION |
AUE_create_user |
USER_CREATION |
AUE_delete_user |
USER_DELETION |
AUE_EXECVE |
PROCESS_LAUNCH |
AUE_EXIT |
PROCESS_TERMINATION |
AUE_FORK |
PROCESS_LAUNCH |
AUE_GETAUID |
SCHEDULED_TASK_CREATION |
AUE_KILL |
PROCESS_TERMINATION |
AUE_LISTEN |
NETWORK_CONNECTION |
AUE_LOGOUT |
USER_LOGOUT |
AUE_LW_LOGIN |
USER_LOGIN |
AUE_MAC_SET_PROC |
PROCESS_UNCATEGORIZED |
AUE_modify_group |
GROUP_MODIFICATION |
AUE_modify_password |
USER_CHANGE_PASSWORD |
AUE_modify_user |
USER_UNCATEGORIZED |
AUE_MOUNT |
RESOURCE_READ |
AUE_openssh |
USER_LOGIN |
AUE_PIDFORTASK |
PROCESS_LAUNCH |
AUE_POSIX_SPAWN |
PROCESS_LAUNCH |
AUE_REMOVE_FROM_GROUP |
GROUP_MODIFICATION |
AUE_SESSION_CLOSE |
USER_LOGOUT |
AUE_SESSION_END |
USER_LOGOUT |
AUE_SESSION_START |
USER_LOGIN |
AUE_SESSION_UPDATE |
USER_UNCATEGORIZED |
AUE_SETPRIORITY |
SETTING_MODIFICATION |
AUE_SETSOCKOPT |
NETWORK_CONNECTION |
AUE_SETTIMEOFDAY |
SETTING_MODIFICATION |
AUE_SHUTDOWN |
STATUS_SHUTDOWN |
AUE_SOCKETPAIR |
NETWORK_CONNECTION |
AUE_SSAUTHINT |
USER_LOGIN |
AUE_SSAUTHMECH |
USER_LOGIN |
AUE_SSAUTHORIZE |
USER_LOGIN |
AUE_TASKFORPID |
PROCESS_INJECTION |
AUE_TASKNAMEFORPID |
PROCESS_INJECTION |
AUE_UNMOUNT |
RESOURCE_READ |
AUE_WAIT4 |
PROCESS_UNCATEGORIZED |
PLAINTEXT_LOG_COLLECTION_EVENT |
GENERIC_EVENT |
SYSTEM_PERFORMANCE_METRICS |
GENERIC_EVENT |
字段映射参考信息:JAMF_TELEMETRY
下表列出了JAMF_TELEMETRY 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to JAMF_TELEMETRY. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to JAMF. |
header.time_seconds_epoch |
metadata.event_timestamp |
|
header.time_milliseconds_offset |
about.labels[time_milliseconds_offset] (deprecated) |
|
header.time_milliseconds_offset |
additional.fields[time_milliseconds_offset] |
|
header.version |
about.labels[header_version] (deprecated) |
|
header.version |
additional.fields[header_version] |
|
header.event_modifier |
about.labels[event_modifier] (deprecated) |
|
header.event_modifier |
additional.fields[event_modifier] |
|
header.event_uuid |
metadata.product_log_id |
|
header.event_name,header.event_id |
metadata.product_event_type |
If the header.event_name and header.event_id log field values are not empty, then the header.event_name-header.event_id log fields are mapped to the metadata.product_event_type UDM field.Else, if the header.event_name log field value is not empty, then the header.event_name log field is mapped to the metadata.product_event_type UDM field. Else, if the header.event_id log field value is not empty, then the header.event_id log field is mapped to the metadata.product_event_type UDM field. |
exec_chain.thread_uuid |
principal.labels[exec_chain_thread_uuid] (deprecated) |
|
exec_chain.thread_uuid |
additional.fields[exec_chain_thread_uuid] |
|
exec_chain.uuid |
principal.labels[exec_chain_uuid] (deprecated) |
|
exec_chain.uuid |
additional.fields[exec_chain_uuid] |
|
exec_chain_child.parent_path |
principal.process.parent_process.file.full_path |
|
exec_chain_child.parent_pid |
principal.process.parent_process.pid |
|
exec_chain_child.parent_uuidsubject.parent (deprecated) |
principal.labels[exec_chain_child_parent_uuid] |
|
exec_chain_child.parent_uuid |
additional.fields[exec_chain_child_parent_uuid] |
|
host_info.serial_number |
principal.asset.hardware.serial_number |
|
host_info.host_name |
principal.hostname |
|
host_info.osversion |
principal.asset.software.version |
|
host_info.host_uuid |
principal.asset.product_object_id |
|
host_info.primary_mac_address |
principal.asset.mac |
|
identity.signer_id |
principal.labels[identity_signer_id] (deprecated) |
|
identity.signer_id |
additional.fields[identity_signer_id] |
|
identity.team_id_truncated |
principal.labels[identity_team_id_truncated] (deprecated) |
|
identity.team_id_truncated |
additional.fields[identity_team_id_truncated] |
|
identity.signer_id_truncated |
principal.labels[identity_signer_id_truncated] (deprecated) |
|
identity.signer_id_truncated |
additional.fields[identity_signer_id_truncated] |
|
identity.cd_hash |
principal.labels[identity_cd_hash] (deprecated) |
|
identity.cd_hash |
additional.fields[identity_cd_hash] |
|
identity.team_id |
principal.labels[team_id] (deprecated) |
|
identity.team_id |
additional.fields[team_id] |
|
identity.signer_type |
principal.labels[signer_type] (deprecated) |
|
identity.signer_type |
additional.fields[signer_type] |
|
key |
about.labels[key] (deprecated) |
|
key |
additional.fields[key] |
|
return.error,return.description |
security_result.description |
If the return.error and return.description log field values are not empty, then the return.error-return.description log fields are mapped to the security_result.description UDM field.Else, if the return.error log field value is not empty, then the return.error log field is mapped to the security_result.description UDM field. Else, if the return.description log field value is not empty, then the return.description log field is mapped to the security_result.description UDM field. |
return.return_value |
security_result.detection_fields |
|
subject.session_id |
network.session_id |
|
subject.group_id |
principal.user.group_identifiers |
If the header.event_name log field value contains one of the following values, then the subject.group_id log field is mapped to the target.user.group_identifiers UDM field:
Else, the subject.group_id log field is mapped to the principal.user.group_identifiers UDM field.
|
subject.effective_group_id |
target.user.group_identifiers |
If the header.event_name log field value does not contain one of the following values, then the subject.effective_group_id log field is mapped to the target.user.group_identifiers UDM field:
|
subject.group_name |
principal.group.group_display_name |
If the header.event_name log field value contains one of the following values, then the subject.group_name log field is mapped to the target.group.group_display_name UDM field:
Else, the subject.group_name log field is mapped to the principal.group.group_display_name UDM field.
|
subject.effective_group_name |
target.group.group_display_name |
If the header.event_name log field value does not contain one of the following values, then the subject.effective_group_name log field is mapped to the target.group.group_display_name UDM field:
|
subject.user_name |
principal.user.user_display_name |
If the header.event_name log field value contains one of the following values, then the subject.user_name log field is mapped to the target.user.user_display_name UDM field:
Else, the subject.user_name log field is mapped to the principal.user.user_display_name UDM field.
|
subject.effective_user_name |
target.user.user_display_name |
If the header.event_name log field value does not contain one of the following values, then the subject.effective_user_name log field is mapped to the target.user.user_display_name UDM field:
|
subject.user_id |
principal.user.userid |
If the header.event_name log field value contains one of the following values, then the subject.user_id log field is mapped to the target.user.userid UDM field:
Else, the subject.user_id log field is mapped to the principal.user.userid UDM field.
|
subject.effective_user_id |
target.user.userid |
If the header.event_name log field value does not contain one of the following values, then the subject.effective_user_id log field is mapped to the target.user.userid UDM field:
|
subject.audit_id |
principal.labels[audit_id] (deprecated) |
|
subject.audit_id |
additional.fields[audit_id] |
|
subject.responsible_process_id,metrics.tasks.pid |
principal.process.pid |
If the header.event_name log field value is equal to SYSTEM_PERFORMANCE_METRICS, then the metrics.tasks.pid log field is mapped to the principal.process.pid UDM field. Else, the subject.responsible_process_id log field is mapped to the principal.process.pid UDM field. |
subject.process_id |
principal.process_ancestors.pid |
If the subject.responsible_process_id log field value is not empty, then the subject.process_id log field is mapped to the principal.process_ancestors.pid UDM field. Else, the subject.process_id log field is mapped to the principal.process.pid UDM field. |
subject.audit_user_name |
principal.labels[audit_user_name] (deprecated) |
|
subject.audit_user_name |
additional.fields[audit_user_name] |
|
subject.process_name |
principal.process_ancestors.file.full_path |
If the subject.responsible_process_name log field value is not empty, then the subject.process_name log field is mapped to the principal.process_ancestors.file.full_path UDM field. Else, the subject.process_name log field is mapped to the principal.process.file.full_path UDM field. |
subject.responsible_process_name |
principal.process.file.full_path |
|
subject.process_hash |
principal.process.file.sha1 |
|
subject.terminal_id.type |
principal.labels[type] (deprecated) |
If the subject.terminal_id.type log field value is equal to 4, then the principal.labels.key UDM field is set to subject_terminal_id_type and the principal.labels.value UDM field is set to 4-IPv4.Else, if the subject.terminal_id.type log field value is equal to 6, then the principal.labels.key UDM field is set to subject_terminal_id_type and the principal.labels.value UDM field is set to 6-IPv6. Else, the principal.labels.key UDM field is set to subject_terminal_id_type and the subject.terminal_id.type log field is mapped to the principal.labels.value UDM field. |
subject.terminal_id.type |
additional.fields[type] |
If the subject.terminal_id.type log field value is equal to 4, then the additional.fields.key UDM field is set to subject_terminal_id_type and the additional.fields.value.string_value UDM field is set to 4-IPv4.Else, if the subject.terminal_id.type log field value is equal to 6, then the additional.fields.key UDM field is set to subject_terminal_id_type and the additional.fields.value.string_value UDM field is set to 6-IPv6. Else, the additional.fields.key UDM field is set to subject_terminal_id_type and the subject.terminal_id.type log field is mapped to the additional.fields.value.string_value UDM field. |
subject.terminal_id.ip_address |
principal.ip |
|
subject.terminal_id.port |
principal.port |
|
texts |
metadata.description |
If the index value is equal to 0, then the texts log field is mapped to the metadata.description UDM field.Else, the texts log field is mapped to the about.labels.value UDM field. |
attributes.device |
principal.asset.attribute.labels[device] |
|
attributes.owner_group_name |
about.group.group_display_name |
|
attributes.owner_group_id |
about.user.group_identifiers |
|
attributes.owner_user_id |
about.user.userid |
|
attributes.owner_user_name |
about.user.user_display_name |
|
attributes.file_system_id |
principal.labels[attributes_file_system_id] (deprecated) |
|
attributes.file_system_id |
additional.fields[attributes_file_system_id] |
|
attributes.file_access_mode |
principal.labels[attributes_file_access_mode] (deprecated) |
|
attributes.file_access_mode |
additional.fields[attributes_file_access_mode] |
|
attributes.node_id |
principal.asset.asset_id |
|
path |
about.labels[path] |
|
arguments.cmd |
principal.labels[arguments_cmd] (deprecated) |
|
arguments.cmd |
additional.fields[arguments_cmd] |
|
arguments.policy |
principal.labels[arguments_policy] (deprecated) |
|
arguments.policy |
additional.fields[arguments_policy] |
|
arguments.length |
principal.labels[arguments_length] (deprecated) |
|
arguments.length |
additional.fields[arguments_length] |
|
_event_score |
security_result.severity_details |
|
architecture |
principal.asset.hardware.cpu_model |
|
arguments.addr |
principal.labels[arguments_addr] (deprecated) |
|
arguments.addr |
additional.fields[arguments_addr] |
|
arguments.am_failure |
principal.labels[arguments_am_failure] (deprecated) |
|
arguments.am_failure |
additional.fields[arguments_am_failure] |
|
arguments.am_success |
principal.labels[arguments_am_success] (deprecated) |
|
arguments.am_success |
additional.fields[arguments_am_success] |
|
arguments.authenticated_as_test |
principal.labels[arguments_authenticated_as_test] (deprecated) |
|
arguments.authenticated_as_test |
additional.fields[arguments_authenticated_as_test] |
|
arguments.child_PID |
principal.labels[arguments_child_PID] (deprecated) |
|
arguments.child_PID |
additional.fields[arguments_child_PID] |
|
arguments.data |
principal.labels[arguments_data] (deprecated) |
|
arguments.data |
additional.fields[arguments_data] |
|
arguments.domain |
principal.labels[arguments_domain] (deprecated) |
|
arguments.domain |
additional.fields[arguments_domain] |
|
arguments.fd |
principal.labels[arguments_fd] (deprecated) |
|
arguments.fd |
additional.fields[arguments_fd] |
|
arguments.flags |
principal.labels[arguments_flags] (deprecated) |
|
arguments.flags |
additional.fields[arguments_flags] |
|
arguments.authenticated_as_allen.golbig |
principal.labels[authenticated_as_allen_golbig] (deprecated) |
|
arguments.authenticated_as_allen.golbig |
additional.fields[authenticated_as_allen_golbig] |
|
arguments.known_UID_ |
principal.labels[argument_known_uid] (deprecated) |
|
arguments.known_UID_ |
additional.fields[argument_known_uid] |
|
arguments.pid |
principal.labels[arguments_pid] (deprecated) |
|
arguments.pid |
additional.fields[arguments_pid] |
|
arguments.port |
principal.labels[arguments_port] (deprecated) |
|
arguments.port |
additional.fields[arguments_port] |
|
arguments.priority |
security_result.priority_details |
|
arguments.process |
principal.labels[argument_process] (deprecated) |
|
arguments.process |
additional.fields[argument_process] |
|
arguments.protocol |
principal.labels[argument_protocol] (deprecated) |
|
arguments.protocol |
additional.fields[argument_protocol] |
|
arguments.request |
principal.labels[argument_request] (deprecated) |
|
arguments.request |
additional.fields[argument_request] |
|
arguments.sflags |
principal.labels[arguments_sflags] (deprecated) |
|
arguments.sflags |
additional.fields[arguments_sflags] |
|
arguments.signal |
principal.labels[argument_signal] (deprecated) |
|
arguments.signal |
additional.fields[argument_signal] |
|
arguments.target_port,process.terminal_id.port,socket_inet.port |
target.port |
If the header.event_name log field value is equal to AUE_KILL or AUE_TASKFORPID, then the process.port log field is mapped to the target.port UDM field.Else, if the header.event_name log field value is equal to AUE_BIND or AUE_CONNECT, then the socket_inet.port log field is mapped to the target.port UDM field. Else, the agument.target_port log field is mapped to the target.port UDM field. |
arguments.task_port |
principal.labels[task_port] (deprecated) |
|
arguments.task_port |
additional.fields[task_port] |
|
arguments.type |
principal.labels[argument_type] (deprecated) |
|
arguments.type |
additional.fields[argument_type] |
|
arguments.which |
principal.labels[which] (deprecated) |
|
arguments.which |
additional.fields[which] |
|
arguments.who |
principal.labels[who] (deprecated) |
|
arguments.who |
additional.fields[who] |
|
bios_firmware_versions.booter-version |
principal.asset.attribute.labels[booter_version] |
|
bios_firmware_versions.firmware-features |
principal.asset.attribute.labels[firmware_features] |
|
bios_firmware_versions.firmware-version |
principal.asset.attribute.labels[firmware_version] |
|
bios_firmware_versions.release-date |
principal.asset.attribute.labels[release_date] |
|
bios_firmware_versions.rom-size |
principal.asset.attribute.labels[rom_size] |
|
bios_firmware_versions.system-firmware-version |
principal.asset.attribute.labels[system_firmware_version] |
|
bios_firmware_versions.vendor |
principal.asset.attribute.labels[vendor] |
|
bios_firmware_versions.version |
principal.asset.attribute.labels[version] |
|
exec_args.args_compiled |
principal.process.command_line |
|
exec_chain_parent.uuid |
principal.labels[parent_uuid] (deprecated) |
|
exec_chain_parent.uuid |
additional.fields[parent_uuid] |
|
exec_env.env_compiled |
about.labels[env_compiled] (deprecated) |
|
exec_env.env_compiled |
additional.fields[env_compiled] |
|
exec_env.env.PATH |
about.labels[env_path] (deprecated) |
|
exec_env.env.PATH |
additional.fields[env_path] |
|
exit.return_value |
principal.labels[return_value] (deprecated) |
|
exit.return_value |
additional.fields[return_value] |
|
exit.status |
principal.labels[exit_status] (deprecated) |
|
exit.status |
additional.fields[exit_status] |
|
process.audit_id |
about.labels[process_audit_id] (deprecated) |
|
process.audit_id |
additional.fields[process_audit_id] |
|
process.audit_user_name |
about.labels[audit_user_name] (deprecated) |
|
process.audit_user_name |
additional.fields[audit_user_name] |
|
process.group_idprocess.effective_group_id |
about.user.group_identifiers |
|
process.group_name |
about.group.group_display_name |
|
process.process_hash |
target.process.file.sha1 |
|
process.process_id |
target.process.pid |
|
process.process_name |
target.process.file.full_path |
|
process.session_id |
target.labels[process_session_id] (deprecated) |
|
process.session_id |
additional.fields[process_session_id] |
|
process.terminal_id.addr |
target.labels[addr] |
|
process.terminal_id.ip_address |
target.ip |
|
process.terminal_id.type |
target.labels[process_terminal_id_type] (deprecated) |
If the process.terminal_id.type log field value is equal to 4, then the target.labels.key UDM field is set to process_terminal_id_type and the target.labels.value UDM field is set to 4-IPv4.Else, if the subject.terminal_id.type log field value is equal to 6, then the target.labels.key UDM field is set to process_terminal_id_type and the target.labels.value UDM field is set to 6-IPv6. Else, the target.labels.key UDM field is set to process_terminal_id_type and the process.terminal_id.type log field is mapped to the target.labels.value UDM field. |
process.terminal_id.type |
additional.fields[process_terminal_id_type] |
If the process.terminal_id.type log field value is equal to 4, then the additional.fields.key UDM field is set to process_terminal_id_type and the additional.fields.value.string_value UDM field is set to 4-IPv4.Else, if the subject.terminal_id.type log field value is equal to 6, then the additional.fields.key UDM field is set to process_terminal_id_type and the additional.fields.value.string_value UDM field is set to 6-IPv6. Else, the additional.fields.key UDM field is set to process_terminal_id_type and the process.terminal_id.type log field is mapped to the additional.fields.value.string_value UDM field. |
process.user_id |
about.user.userid |
|
process.user_name |
about.user.user_display_name |
|
rateLimitingSeconds |
about.labels[rate_limiting_seconds] (deprecated) |
|
rateLimitingSeconds |
additional.fields[rate_limiting_seconds] |
|
socket_inet.family |
target.labels[socket_inet_family] (deprecated) |
|
socket_inet.family |
additional.fields[socket_inet_family] |
|
socket_inet.id |
target.labels[socket_inet_id] (deprecated) |
If the socket_inet.id log field value is equal to 128, then the target.labels.key UDM field is set to socket_inet_id and the target.labels.value UDM field is set to 128-IPv4.Else, if the socket_inet.id log field value is equal to 129, then the target.labels.key UDM field is set to socket_inet_id and the target.labels.value UDM field is set to 129-IPv6. Else, the target.labels.key UDM field is set to socket_inet_id and the socket_inet.ip log field is mapped to the target.labels.value UDM field. |
socket_inet.id |
additional.fields[socket_inet_id] |
If the socket_inet.id log field value is equal to 128, then the additional.fields.key UDM field is set to socket_inet_id and the additional.fields.value.string_value UDM field is set to 128-IPv4.Else, if the socket_inet.id log field value is equal to 129, then the additional.fields.key UDM field is set to socket_inet_id and the additional.fields.value.string_value UDM field is set to 129-IPv6. Else, the additional.fields.key UDM field is set to socket_inet_id and the socket_inet.ip log field is mapped to the additional.fields.value.string_value UDM field. |
socket_inet.ip_address |
target.ip |
|
socket_unix.family |
target.labels[socket_unix_family] (deprecated) |
|
socket_unix.family |
additional.fields[socket_unix_family] |
|
socket_unix.path |
target.file.full_path |
|
subject.terminal_id.addr |
target.labels[addr] |
|
metrics.hw_model |
principal.asset.hardware.model |
|
metrics.tasks.bytes_received |
network.received_bytes |
If the index value is equal to 0, then the metrics.tasks.bytes_received log field is mapped to the network.received_bytes UDM field.Else, the metrics.tasks.bytes_received log field is mapped to the principal.asset.attribute.labels.value UDM field. |
metrics.tasks.bytes_received_per_s |
principal.asset.attribute.labels[bytes_received_per_s] |
|
metrics.tasks.bytes_sent |
network.sent_bytes |
If the index value is equal to 0, then the metrics.tasks.bytes_sent log field is mapped to the network.sent_bytes UDM field.Else, the metrics.tasks.bytes_sent log field is mapped to the principal.asset.attribute.labels.value UDM field. |
metrics.tasks.bytes_sent_per_s |
principal.asset.attribute.labels[bytes_sent_per_s] |
|
metrics.tasks.cputime_ms_per_s |
principal.asset.attribute.labels[cputime_ms_per_s] |
|
metrics.tasks.cputime_ns |
principal.asset.attribute.labels[cputime_ns] |
|
metrics.tasks.cputime_sample_ms_per_s |
principal.asset.attribute.labels[cputime_sample_ms_per_s] |
|
metrics.tasks.cputime_userland_ratio |
principal.asset.attribute.labels[cputime_userland_ratio] |
|
metrics.tasks.diskio_bytesread |
principal.asset.attribute.labels[diskio_bytesread] |
|
metrics.tasks.diskio_bytesread_per_s |
principal.asset.attribute.labels[diskio_bytesread_per_s] |
|
metrics.tasks.diskio_byteswritten |
principal.asset.attribute.labels[diskio_byteswritten] |
|
metrics.tasks.diskio_byteswritten_per_s |
principal.asset.attribute.labels[diskio_byteswritten_per_s] |
|
metrics.tasks.energy_impact |
principal.asset.attribute.labels[energy_impact] |
|
metrics.tasks.energy_impact_per_s |
principal.asset.attribute.labels[energy_impact_per_s] |
|
metrics.tasks.idle_wakeups |
principal.asset.attribute.labels[idle_wakeups] |
|
metrics.tasks.interval_ns |
principal.asset.attribute.labels[interval_ns] |
|
metrics.tasks.intr_wakeups_per_s |
principal.asset.attribute.labels[intr_wakeups_per_s] |
|
metrics.tasks.name |
principal.asset.attribute.labels[name] |
|
metrics.tasks.packets_received |
network.received_packets |
If the index value is equal to 0, then the metrics.tasks.packets_received log field is mapped to the network.received_packets UDM field.Else, the metrics.tasks.packets_received log field is mapped to the principal.asset.attribute.labels.value UDM field. |
metrics.tasks.packets_received_per_s |
principal.asset.attribute.labels[packets_received_per_s] |
|
metrics.tasks.packets_sent |
network.sent_packets |
If the index value is equal to 0, then the metrics.tasks.packets_sent log field is mapped to the network.sent_packets UDM field.Else, the metrics.tasks.packets_sent log field is mapped to the principal.asset.attribute.labels.value UDM field. |
metrics.tasks.packets_sent_per_s |
principal.asset.attribute.labels[packets_sent_per_s] |
|
metrics.tasks.pageins |
principal.asset.attribute.labels[pageins] |
|
metrics.tasks.pageins_per_s |
principal.asset.attribute.labels[pageins_per_s] |
|
metrics.tasks.qos_background_ms_per_s |
principal.asset.attribute.labels[qos_background_ms_per_s] |
|
metrics.tasks.qos_background_ns |
principal.asset.attribute.labels[qos_background_ns] |
|
metrics.tasks.qos_default_ms_per_s |
principal.asset.attribute.labels[qos_default_ms_per_s] |
|
metrics.tasks.qos_default_ns |
principal.asset.attribute.labels[qos_default_ns] |
|
metrics.tasks.qos_disabled_ms_per_s |
principal.asset.attribute.labels[qos_disabled_ms_per_s] |
|
metrics.tasks.qos_disabled_ns |
principal.asset.attribute.labels[qos_disabled_ns] |
|
metrics.tasks.qos_maintenance_ms_per_s |
principal.asset.attribute.labels[qos_maintenance_ms_per_s] |
|
metrics.tasks.qos_maintenance_ns |
principal.asset.attribute.labels[qos_maintenance_ns] |
|
metrics.tasks.qos_user_initiated_ms_per_s |
principal.asset.attribute.labels[qos_user_initiated_ms_per_s] |
|
metrics.tasks.qos_user_initiated_ns |
principal.asset.attribute.labels[qos_user_initiated_ns] |
|
metrics.tasks.qos_user_interactive_ms_per_s |
principal.asset.attribute.labels[qos_user_interactive_ms_per_s] |
|
metrics.tasks.qos_user_interactive_ns |
principal.asset.attribute.labels[qos_user_interactive_ns] |
|
metrics.tasks.qos_utility_ms_per_s |
principal.asset.attribute.labels[qos_utility_ms_per_s] |
|
metrics.tasks.qos_utility_ns |
principal.asset.attribute.labels[qos_utility_ns] |
|
metrics.tasks.started_abstime_ns |
principal.asset.attribute.labels[started_abstime_ns] |
|
metrics.tasks.timer_wakeups.wakeups |
principal.asset.attribute.labels[timer_wakeups] |
|
page_info.page |
about.labels[page_info_page] (deprecated) |
|
page_info.page |
additional.fields[page_info_page] |
|
page_info.total |
about.labels[page_info_total] (deprecated) |
|
page_info.total |
additional.fields[page_info_total] |
|
exec_env.env._ |
about.labels[env] (deprecated) |
|
exec_env.env._ |
additional.fields[env] |
|
exec_env.env.__CF_USER_TEXT_ENCODING |
about.labels[env__CF_USER_TEXT_ENCODING] (deprecated) |
|
exec_env.env.__CF_USER_TEXT_ENCODING |
additional.fields[env__CF_USER_TEXT_ENCODING] |
|
exec_env.env.__CFBundleIdentifier |
about.labels[env__CFBundleIdentifier] (deprecated) |
|
exec_env.env.__CFBundleIdentifier |
additional.fields[env__CFBundleIdentifier] |
|
exec_env.env.ASDF_DIR |
about.labels[env_ASDF_DIR] (deprecated) |
|
exec_env.env.ASDF_DIR |
additional.fields[env_ASDF_DIR] |
|
exec_env.env.HOME |
about.labels[env_HOME] (deprecated) |
|
exec_env.env.HOME |
additional.fields[env_HOME] |
|
exec_env.env.LANG |
about.labels[env_LANG] (deprecated) |
|
exec_env.env.LANG |
additional.fields[env_LANG] |
|
exec_env.env.LC_TERMINAL |
about.labels[env_LC_TERMINAL] (deprecated) |
|
exec_env.env.LC_TERMINAL |
additional.fields[env_LC_TERMINAL] |
|
exec_env.env.LC_TERMINAL_VERSION |
about.labels[env_LC_TERMINAL_VERSION] (deprecated) |
|
exec_env.env.LC_TERMINAL_VERSION |
additional.fields[env_LC_TERMINAL_VERSION] |
|
exec_env.env.MAIL |
about.labels[env_MAIL] (deprecated) |
|
exec_env.env.MAIL |
additional.fields[env_MAIL] |
|
exec_env.env.MallocSpaceEfficient |
about.labels[env_MallocSpaceEfficient] (deprecated) |
|
exec_env.env.MallocSpaceEfficient |
additional.fields[env_MallocSpaceEfficient] |
|
exec_env.env.OLDPWD |
about.labels[env_OLDPWD] (deprecated) |
|
exec_env.env.OLDPWD |
additional.fields[env_OLDPWD] |
|
exec_env.env.PWD |
about.file.full_path |
|
exec_env.env.SHELL |
about.labels[env_SHELL] (deprecated) |
|
exec_env.env.SHELL |
additional.fields[env_SHELL] |
|
exec_env.env.SHLVL |
about.labels[env_SHLVL] (deprecated) |
|
exec_env.env.SHLVL |
additional.fields[env_SHLVL] |
|
exec_env.env.SSH_AUTH_SOCK |
about.labels[env_SSH_AUTH_SOCK] (deprecated) |
|
exec_env.env.SSH_AUTH_SOCK |
additional.fields[env_SSH_AUTH_SOCK] |
|
exec_env.env.SSH_CLIENT |
about.labels[env_SSH_CLIENT] (deprecated) |
|
exec_env.env.SSH_CLIENT |
additional.fields[env_SSH_CLIENT] |
|
exec_env.env.SSH_CONNECTION |
about.labels[env_SSH_CONNECTION] (deprecated) |
|
exec_env.env.SSH_CONNECTION |
additional.fields[env_SSH_CONNECTION] |
|
exec_env.env.SSH_TTY |
about.labels[env_SSH_TTY] (deprecated) |
|
exec_env.env.SSH_TTY |
additional.fields[env_SSH_TTY] |
|
exec_env.env.SUDO_COMMAND |
about.labels[env_SUDO_COMMAND] (deprecated) |
|
exec_env.env.SUDO_COMMAND |
additional.fields[env_SUDO_COMMAND] |
|
exec_env.env.SUDO_GID |
about.user.group_identifiers |
|
exec_env.env.SUDO_UID |
about.user.userid |
|
exec_env.env.SUDO_USER |
about.user.user_display_name |
|
exec_env.env.TERM |
about.labels[env_TERM] (deprecated) |
|
exec_env.env.TERM |
additional.fields[env_TERM] |
|
exec_env.env.LOGNAME |
about.labels[env_LOGNAME] (deprecated) |
|
exec_env.env.LOGNAME |
additional.fields[env_LOGNAME] |
|
exec_env.env.USER |
about.labels[env_USER] (deprecated) |
|
exec_env.env.USER |
additional.fields[env_USER] |
|
exec_env.env.TERM_PROGRAM |
about.labels[env_TERM_PROGRAM] (deprecated) |
|
exec_env.env.TERM_PROGRAM |
additional.fields[env_TERM_PROGRAM] |
|
exec_env.env.TERM_PROGRAM_VERSION |
about.labels[env_TERM_PROGRAM_VERSION] (deprecated) |
|
exec_env.env.TERM_PROGRAM_VERSION |
additional.fields[env_TERM_PROGRAM_VERSION] |
|
exec_env.env.TERM_SESSION_ID |
about.labels[env_TERM_SESSION_ID] (deprecated) |
|
exec_env.env.TERM_SESSION_ID |
additional.fields[env_TERM_SESSION_ID] |
|
exec_env.env.TMPDIR |
about.labels[env_TMPDIR] (deprecated) |
|
exec_env.env.TMPDIR |
additional.fields[env_TMPDIR] |
|
exec_env.env.XPC_FLAGS |
about.labels[env_XPC_FLAGS] (deprecated) |
|
exec_env.env.XPC_FLAGS |
additional.fields[env_XPC_FLAGS] |
|
exec_env.env.XPC_SERVICE_NAME |
about.labels[env_XPC_SERVICE_NAME] (deprecated) |
|
exec_env.env.XPC_SERVICE_NAME |
additional.fields[env_XPC_SERVICE_NAME] |
|
|
target.resource.resource_type |
If the header.event_name log field value is equal to AUE_GETAUID, then the target.resource.resource_type UDM field is set to TASK.Else, if the header.event_name log field value is equal to AUE_SETPRIORITY or AUE_SETTIMEOFDAY, then the target.resource.resource_type UDM field is set to SETTING. |
|
extensions.auth.mechanism |
If the header.event_name log field value contains one of the following values, then the mechanism UDM field is set to USERNAME_PASSWORD:
|
后续步骤
需要更多帮助?从社区成员和 Google SecOps 专业人士那里获得解答。