收集 Jamf Protect 遙測記錄

支援的國家/地區:

本文說明如何設定 Google Security Operations 資訊提供,收集 Jamf Protect Telemetry 記錄,以及如何將記錄欄位對應至 Google Security Operations Unified Data Model (UDM) 欄位。本文也列出支援的 Jamf Protect Telemetry 版本。

詳情請參閱「將資料擷取至 Google Security Operations」。

一般部署作業包含 Jamf Protect 遙測和 Google Security Operations 資訊動態饋給,後者會設定為將記錄傳送至 Google Security Operations。每個客戶的部署作業可能有所不同,也可能更複雜。

部署作業包含下列元件:

  • Jamf Protect 遙測。您要從哪個 Jamf Protect Telemetry 平台收集記錄。

  • Google Security Operations 摘要。Google Security Operations 資訊提供,可從 Jamf Protect Telemetry 擷取記錄,並將記錄寫入 Google Security Operations。

  • Google Security Operations。Google Security Operations 會保留及分析 Jamf Protect Telemetry 的記錄。

擷取標籤會識別剖析器,該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於具有 JAMF_TELEMETRY 攝入標籤的剖析器。

事前準備

請確認您已完成下列事前準備事項:

  • 已設定 Jamf Protect 遙測資料
  • Jamf Protect 4.0.0 以上版本
  • 部署架構中的所有系統都已設定為世界標準時間時區。

設定動態饋給

在 Google SecOps 平台中,有兩種不同的進入點可設定動態饋給:

  • 「SIEM 設定」>「動態消息」
  • 內容中心 > 內容包

依序前往「SIEM 設定」>「動態消息」,設定動態消息

您可以使用 Amazon S3 或 Webhook,在 Google Security Operations 中設定擷取動態饋給,但我們建議使用 Amazon S3。

使用 Amazon S3 在 Google SecOps 中設定擷取動態饋給

如要為這個產品系列中的不同記錄類型設定多個動態饋給,請參閱「依產品設定動態饋給」。

如要設定單一動態饋給,請按照下列步驟操作:

  1. 依序前往「SIEM 設定」>「動態饋給」
  2. 按一下「新增動態消息」
  3. 在下一個頁面中,按一下「設定單一動態饋給」
  4. 在「動態饋給名稱」欄位中,輸入動態饋給的名稱,例如「Jamf Telemetry Logs」
  5. 選取「Amazon S3」做為「來源類型」
  6. 如要建立 Jamf Protect Telemetry 的資訊提供,請選取「Jamf Protect Telemetry」做為「記錄類型」
  7. 點選「下一步」
  8. 儲存動態饋給,然後提交
  9. 從動態饋給名稱複製動態饋給 ID,以便在 Jamf Protect Telemetry 中使用。

使用 Webhook 在 Google SecOps 中設定擷取動態饋給

僅適用於 Google Security Operations Unified 客戶:
如要為這個產品系列中的不同記錄類型設定多個動態饋給,請參閱「設定多個動態饋給」。

所有客戶:
如要設定單一動態饋給,請按照下列步驟操作:

  1. 依序前往「SIEM 設定」>「動態饋給」
  2. 按一下「新增動態消息」
  3. 在下一個頁面中,按一下「設定單一動態饋給」。如果您使用 Google SecOps SIEM 獨立平台,請略過這個步驟。
  4. 在「動態饋給名稱」欄位中,輸入動態饋給的名稱,例如「Jamf Telemetry Logs」
  5. 在「Source type」(來源類型) 清單中,選取「Webhook」(Webhook)
  6. 如要建立 Jamf Protect Telemetry 的資訊提供,請選取「Jamf Protect Telemetry」做為「記錄類型」
  7. 點選「下一步」
  8. 選用:指定下列輸入參數的值:
    • 分割分隔符號:用於分隔記錄行的分隔符號,例如 \n
    • 資產命名空間資產命名空間
    • 擷取標籤:要套用至這個動態饋給事件的標籤。
  9. 點選「下一步」
  10. 在「Finalize」畫面上檢查新的動態饋給設定,然後按一下「Submit」
  11. 按一下「產生密鑰」,產生驗證這個動態消息的密鑰。
  12. 複製並儲存「密鑰」。您無法再次查看這個密鑰。如有需要,您可以重新產生新的密鑰,但這項操作會使先前的密鑰失效。
  13. 在「詳細資料」分頁中,從「端點資訊」欄位複製動態消息端點網址。您需要使用這個 HTTPS 網址設定 Jamf Protect Telemetry 用戶端應用程式。
  14. 按一下 [完成]

從內容中心設定動態饋給

為下列欄位指定值:

  • 區域:Amazon S3 值區所在的區域。
  • S3 URI:bucket URI。
    • s3://your-log-bucket-name/
      • 請將 your-log-bucket-name 替換為 S3 值區的實際名稱。
  • URI 是:根據 bucket 結構,選取「Directory」(目錄) 或「Directory which includes subdirectories」(包含子目錄的目錄)
  • 來源刪除選項:根據擷取偏好設定選取刪除選項。
  • 存取金鑰 ID:具備 S3 值區讀取權限的使用者存取金鑰。

  • 存取密鑰:使用者的存取密鑰,具備從 S3 bucket 讀取的權限。

進階選項

  • 動態饋給名稱:系統預先填入的值,用於識別動態饋給。
  • 來源類型:將記錄收集到 Google SecOps 的方法。
  • 資產命名空間與動態饋給相關聯的命名空間
  • 擷取標籤:套用至這個動態饋給所有事件的標籤。

為 Webhook 動態饋給建立 API 金鑰

  1. 依序前往 Google Cloud 控制台 >「憑證」

    前往「憑證」

  2. 按一下 [Create credentials] (建立憑證),然後選取 [API key] (API 金鑰)

  3. 將 API 金鑰存取權限制在 Google Security Operations API

為 Webhook 饋給設定 Jamf Protect 遙測資料

  1. 在 Jamf Protect Telemetry 應用程式中,前往相關的「Action configuration」(動作設定)
  2. 如要新增資料端點,請按一下「建立動作」
  3. 選取「HTTP」做為通訊協定。
  4. 在「URL」欄位中,輸入 Google Security Operations API 端點的 HTTPS 網址。(這是您從 Webhook 摘要設定複製的「端點資訊」欄位。(已經是所需格式)。
  5. 指定 API 金鑰密鑰,以啟用驗證,格式如下:

    X-goog-api-key = API_KEY
    X-Webhook-Access-Key = SECRET
    

    建議:請將 API 金鑰指定為標頭,而非在網址中指定。如果 Webhook 用戶端不支援自訂標頭,您可以使用查詢參數指定 API 金鑰密鑰,格式如下:

    ENDPOINT_URL?key=API_KEY&secret=SECRET
    

    更改下列內容:

    • ENDPOINT_URL:動態消息端點網址。
    • API_KEY:用於向 Google Security Operations 進行驗證的 API 金鑰。
    • SECRET:您產生的密鑰,用於驗證動態饋給。
  6. 在「收集記錄」部分中,選取「遙測」

  7. 按一下「提交」

如要進一步瞭解 Google Security Operations 動態消息,請參閱 Google Security Operations 動態消息說明文件。如要瞭解各動態饋給類型的規定,請參閱「依類型設定動態饋給」。

如果在建立動態饋給時遇到問題,請與 Google Security Operations 支援團隊聯絡。

支援的 Jamf Protect 遙測記錄類型

Jamf Protect Telemetry 剖析器支援下列記錄類型:

Event Type

  • AUE_add_to_group
  • AUE_AUDITCTL
  • AUE_AUDITON_SPOLICY
  • AUE_AUTH_USER
  • AUE_BIND
  • AUE_BIOS_FIRMWARE_VERSIONS
  • AUE_CHDIR
  • AUE_CHROOT
  • AUE_CONNECT
  • AUE_create_group
  • AUE_delete_group
  • AUE_create_user
  • AUE_delete_user
  • AUE_EXECVE
  • AUE_EXIT
  • AUE_FORK
  • AUE_GETAUID
  • AUE_KILL
  • AUE_LISTEN
  • AUE_LOGOUT
  • AUE_LW_LOGIN
  • AUE_MAC_SET_PROC
  • AUE_modify_group
  • AUE_modify_password
  • AUE_modify_user
  • AUE_MOUNT
  • AUE_openssh
  • AUE_PIDFORTASK
  • AUE_POSIX_SPAWN
  • AUE_REMOVE_FROM_GROUP
  • AUE_SESSION_CLOSE
  • AUE_SESSION_END
  • AUE_SESSION_START
  • AUE_SESSION_UPDATE
  • AUE_SETPRIORITY
  • AUE_SETSOCKOPT
  • AUE_SETTIMEOFDAY
  • AUE_SHUTDOWN
  • AUE_SOCKETPAIR
  • AUE_SSAUTHINT
  • AUE_SSAUTHMECH
  • AUE_SSAUTHORIZE
  • AUE_TASKFORPID
  • AUE_TASKNAMEFORPID
  • AUE_UNMOUNT
  • AUE_WAIT4
  • PLAINTEXT_LOG_COLLECTION_EVENT
  • SYSTEM_PERFORMANCE_METRICS

支援的 Jamf Protect 遙測記錄格式

Jamf Protect Telemetry 剖析器支援 JSON 格式的記錄。

支援的 Jamf Protect 遙測資料記錄範例

  • JSON

    {
      "exec_chain": {
        "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E"
      },
      "exec_chain_child": {
        "parent_path": "/sbin/launchd",
        "parent_pid": 1,
        "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02"
      },
      "header": {
        "time_seconds_epoch": 1657906179,
        "time_milliseconds_offset": 848,
        "version": 11,
        "event_modifier": 0,
        "event_id": 45018,
        "event_name": "AUE_add_to_group"
      },
      "host_info": {
        "serial_number": "C03WG0H4HDTS",
        "host_name": "Test_MacBook_Pro",
        "osversion": "Version 12.4 (Build 21F79)",
        "host_uuid": "8891C1E2-0AC0-4E4A-844B-EA491B14D115"
      },
      "identity": {
        "signer_id": "dummy.domain.opendirectoryd",
        "team_id_truncated": false,
        "signer_id_truncated": false,
        "cd_hash": "68d22bdec020f20010bfa9d27cd5f69d78427636",
        "team_id": "",
        "signer_type": 1
      },
      "key": "21E48D3B-4965-4072-81BF-83BE04A329C2",
      "return": {
        "error": 0,
        "description": "success",
        "return_value": 0
      },
      "subject": {
        "session_id": 100003,
        "group_id": 20,
        "process_name": "/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice",
        "parent_pid": 1,
        "effective_user_name": "jamf",
        "user_id": 501,
        "group_name": "staff",
        "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02",
        "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E",
        "effective_group_id": 20,
        "process_hash": "507494616e05a5eb909794354fe69f29e432f2a7",
        "audit_id": 501,
        "responsible_process_id": 1391,
        "parent_path": "/sbin/launchd",
        "process_id": 1701,
        "effective_group_name": "staff",
        "audit_user_name": "jamf",
        "effective_user_id": 501,
        "terminal_id": {
          "type": 4,
          "ip_address": "198.51.100.0",
          "port": 4278
        },
        "responsible_process_name": "/System/Applications/System Preferences.app/Contents/MacOS/System Preferences",
        "user_name": "jamf"
      },
      "texts": [
        "Added Groups membership username to '_lpadmin' node '/Local/Default', value = 'baddie'"
      ]
    }
    

欄位對應參考資料

本節說明 Google Security Operations 剖析器如何將 Jamf Protect 遙測欄位對應至 Google Security Operations Unified Data Model (UDM) 欄位。

欄位對應參照:事件 ID 對應至事件類型

下表列出 JAMF_TELEMETRY 記錄類型及其對應的 UDM 事件類型。

Event Identifier Event Type
AUE_add_to_group GROUP_MODIFICATION
AUE_AUDITCTL RESOURCE_READ
AUE_AUDITON_SPOLICY RESOURCE_READ
AUE_AUTH_USER USER_LOGIN
AUE_BIND NETWORK_CONNECTION
AUE_BIOS_FIRMWARE_VERSIONS USER_RESOURCE_ACCESS
AUE_CHDIR USER_RESOURCE_ACCESS
AUE_CHROOT USER_RESOURCE_ACCESS
AUE_CONNECT NETWORK_CONNECTION
AUE_create_group GROUP_CREATION
AUE_delete_group GROUP_DELETION
AUE_create_user USER_CREATION
AUE_delete_user USER_DELETION
AUE_EXECVE PROCESS_LAUNCH
AUE_EXIT PROCESS_TERMINATION
AUE_FORK PROCESS_LAUNCH
AUE_GETAUID SCHEDULED_TASK_CREATION
AUE_KILL PROCESS_TERMINATION
AUE_LISTEN NETWORK_CONNECTION
AUE_LOGOUT USER_LOGOUT
AUE_LW_LOGIN USER_LOGIN
AUE_MAC_SET_PROC PROCESS_UNCATEGORIZED
AUE_modify_group GROUP_MODIFICATION
AUE_modify_password USER_CHANGE_PASSWORD
AUE_modify_user USER_UNCATEGORIZED
AUE_MOUNT RESOURCE_READ
AUE_openssh USER_LOGIN
AUE_PIDFORTASK PROCESS_LAUNCH
AUE_POSIX_SPAWN PROCESS_LAUNCH
AUE_REMOVE_FROM_GROUP GROUP_MODIFICATION
AUE_SESSION_CLOSE USER_LOGOUT
AUE_SESSION_END USER_LOGOUT
AUE_SESSION_START USER_LOGIN
AUE_SESSION_UPDATE USER_UNCATEGORIZED
AUE_SETPRIORITY SETTING_MODIFICATION
AUE_SETSOCKOPT NETWORK_CONNECTION
AUE_SETTIMEOFDAY SETTING_MODIFICATION
AUE_SHUTDOWN STATUS_SHUTDOWN
AUE_SOCKETPAIR NETWORK_CONNECTION
AUE_SSAUTHINT USER_LOGIN
AUE_SSAUTHMECH USER_LOGIN
AUE_SSAUTHORIZE USER_LOGIN
AUE_TASKFORPID PROCESS_INJECTION
AUE_TASKNAMEFORPID PROCESS_INJECTION
AUE_UNMOUNT RESOURCE_READ
AUE_WAIT4 PROCESS_UNCATEGORIZED
PLAINTEXT_LOG_COLLECTION_EVENT GENERIC_EVENT
SYSTEM_PERFORMANCE_METRICS GENERIC_EVENT

欄位對應參考資料:JAMF_TELEMETRY

下表列出 JAMF_TELEMETRY 記錄類型的記錄欄位,以及對應的 UDM 欄位。
Log field UDM mapping Logic
metadata.event_type
metadata.product_name The metadata.product_name UDM field is set to JAMF_TELEMETRY.
metadata.vendor_name The metadata.vendor_name UDM field is set to JAMF.
header.time_seconds_epoch metadata.event_timestamp
header.time_milliseconds_offset about.labels[time_milliseconds_offset] (deprecated)
header.time_milliseconds_offset additional.fields[time_milliseconds_offset]
header.version about.labels[header_version] (deprecated)
header.version additional.fields[header_version]
header.event_modifier about.labels[event_modifier] (deprecated)
header.event_modifier additional.fields[event_modifier]
header.event_uuid metadata.product_log_id
header.event_name,header.event_id metadata.product_event_type If the header.event_name and header.event_id log field values are not empty, then the header.event_name-header.event_id log fields are mapped to the metadata.product_event_type UDM field.

Else, if the header.event_name log field value is not empty, then the header.event_name log field is mapped to the metadata.product_event_type UDM field.

Else, if the header.event_id log field value is not empty, then the header.event_id log field is mapped to the metadata.product_event_type UDM field.
exec_chain.thread_uuid principal.labels[exec_chain_thread_uuid] (deprecated)
exec_chain.thread_uuid additional.fields[exec_chain_thread_uuid]
exec_chain.uuid principal.labels[exec_chain_uuid] (deprecated)
exec_chain.uuid additional.fields[exec_chain_uuid]
exec_chain_child.parent_path principal.process.parent_process.file.full_path
exec_chain_child.parent_pid principal.process.parent_process.pid
exec_chain_child.parent_uuidsubject.parent (deprecated) principal.labels[exec_chain_child_parent_uuid]
exec_chain_child.parent_uuid additional.fields[exec_chain_child_parent_uuid]
host_info.serial_number principal.asset.hardware.serial_number
host_info.host_name principal.hostname
host_info.osversion principal.asset.software.version
host_info.host_uuid principal.asset.product_object_id
host_info.primary_mac_address principal.asset.mac
identity.signer_id principal.labels[identity_signer_id] (deprecated)
identity.signer_id additional.fields[identity_signer_id]
identity.team_id_truncated principal.labels[identity_team_id_truncated] (deprecated)
identity.team_id_truncated additional.fields[identity_team_id_truncated]
identity.signer_id_truncated principal.labels[identity_signer_id_truncated] (deprecated)
identity.signer_id_truncated additional.fields[identity_signer_id_truncated]
identity.cd_hash principal.labels[identity_cd_hash] (deprecated)
identity.cd_hash additional.fields[identity_cd_hash]
identity.team_id principal.labels[team_id] (deprecated)
identity.team_id additional.fields[team_id]
identity.signer_type principal.labels[signer_type] (deprecated)
identity.signer_type additional.fields[signer_type]
key about.labels[key] (deprecated)
key additional.fields[key]
return.error,return.description security_result.description If the return.error and return.description log field values are not empty, then the return.error-return.description log fields are mapped to the security_result.description UDM field.

Else, if the return.error log field value is not empty, then the return.error log field is mapped to the security_result.description UDM field.

Else, if the return.description log field value is not empty, then the return.description log field is mapped to the security_result.description UDM field.
return.return_value security_result.detection_fields
subject.session_id network.session_id
subject.group_id principal.user.group_identifiers If the header.event_name log field value contains one of the following values, then the subject.group_id log field is mapped to the target.user.group_identifiers UDM field:
  • AUE_auth_user
  • AUE_logout
  • AUE_lw_login
  • AUE_openssh
  • AUE_SESSION_CLOSE
  • AUE_SESSION_END
  • AUE_SESSION_START
  • AUE_ssauthint
  • AUE_ssauthmech
  • AUE_ssauthorize

Else, the subject.group_id log field is mapped to the principal.user.group_identifiers UDM field.
subject.effective_group_id target.user.group_identifiers If the header.event_name log field value does not contain one of the following values, then the subject.effective_group_id log field is mapped to the target.user.group_identifiers UDM field:
  • AUE_auth_user
  • AUE_logout
  • AUE_lw_login
  • AUE_openssh
  • AUE_SESSION_CLOSE
  • AUE_SESSION_END
  • AUE_SESSION_START
  • AUE_ssauthint
  • AUE_ssauthmech
  • AUE_ssauthorize
subject.group_name principal.group.group_display_name If the header.event_name log field value contains one of the following values, then the subject.group_name log field is mapped to the target.group.group_display_name UDM field:
  • AUE_auth_user
  • AUE_logout
  • AUE_lw_login
  • AUE_openssh
  • AUE_SESSION_CLOSE
  • AUE_SESSION_END
  • AUE_SESSION_START
  • AUE_ssauthint
  • AUE_ssauthmech
  • AUE_ssauthorize

Else, the subject.group_name log field is mapped to the principal.group.group_display_name UDM field.
subject.effective_group_name target.group.group_display_name If the header.event_name log field value does not contain one of the following values, then the subject.effective_group_name log field is mapped to the target.group.group_display_name UDM field:
  • AUE_auth_user
  • AUE_logout
  • AUE_lw_login
  • AUE_openssh
  • AUE_SESSION_CLOSE
  • AUE_SESSION_END
  • AUE_SESSION_START
  • AUE_ssauthint
  • AUE_ssauthmech
  • AUE_ssauthorize
subject.user_name principal.user.user_display_name If the header.event_name log field value contains one of the following values, then the subject.user_name log field is mapped to the target.user.user_display_name UDM field:
  • AUE_auth_user
  • AUE_logout
  • AUE_lw_login
  • AUE_openssh
  • AUE_SESSION_CLOSE
  • AUE_SESSION_END
  • AUE_SESSION_START
  • AUE_ssauthint
  • AUE_ssauthmech
  • AUE_ssauthorize

Else, the subject.user_name log field is mapped to the principal.user.user_display_name UDM field.
subject.effective_user_name target.user.user_display_name If the header.event_name log field value does not contain one of the following values, then the subject.effective_user_name log field is mapped to the target.user.user_display_name UDM field:
  • AUE_auth_user
  • AUE_logout
  • AUE_lw_login
  • AUE_openssh
  • AUE_SESSION_CLOSE
  • AUE_SESSION_END
  • AUE_SESSION_START
  • AUE_ssauthint
  • AUE_ssauthmech
  • AUE_ssauthorize
subject.user_id principal.user.userid If the header.event_name log field value contains one of the following values, then the subject.user_id log field is mapped to the target.user.userid UDM field:
  • AUE_auth_user
  • AUE_logout
  • AUE_lw_login
  • AUE_openssh
  • AUE_SESSION_CLOSE
  • AUE_SESSION_END
  • AUE_SESSION_START
  • AUE_ssauthint
  • AUE_ssauthmech
  • AUE_ssauthorize

Else, the subject.user_id log field is mapped to the principal.user.userid UDM field.
subject.effective_user_id target.user.userid If the header.event_name log field value does not contain one of the following values, then the subject.effective_user_id log field is mapped to the target.user.userid UDM field:
  • AUE_auth_user
  • AUE_logout
  • AUE_lw_login
  • AUE_openssh
  • AUE_SESSION_CLOSE
  • AUE_SESSION_END
  • AUE_SESSION_START
  • AUE_ssauthint
  • AUE_ssauthmech
  • AUE_ssauthorize
subject.audit_id principal.labels[audit_id] (deprecated)
subject.audit_id additional.fields[audit_id]
subject.responsible_process_id,metrics.tasks.pid principal.process.pid If the header.event_name log field value is equal to SYSTEM_PERFORMANCE_METRICS, then the metrics.tasks.pid log field is mapped to the principal.process.pid UDM field.

Else, the subject.responsible_process_id log field is mapped to the principal.process.pid UDM field.
subject.process_id principal.process_ancestors.pid If the subject.responsible_process_id log field value is not empty, then the subject.process_id log field is mapped to the principal.process_ancestors.pid UDM field.

Else, the subject.process_id log field is mapped to the principal.process.pid UDM field.
subject.audit_user_name principal.labels[audit_user_name] (deprecated)
subject.audit_user_name additional.fields[audit_user_name]
subject.process_name principal.process_ancestors.file.full_path If the subject.responsible_process_name log field value is not empty, then the subject.process_name log field is mapped to the principal.process_ancestors.file.full_path UDM field.

Else, the subject.process_name log field is mapped to the principal.process.file.full_path UDM field.
subject.responsible_process_name principal.process.file.full_path
subject.process_hash principal.process.file.sha1
subject.terminal_id.type principal.labels[type] (deprecated) If the subject.terminal_id.type log field value is equal to 4, then the principal.labels.key UDM field is set to subject_terminal_id_type and the principal.labels.value UDM field is set to 4-IPv4.

Else, if the subject.terminal_id.type log field value is equal to 6, then the principal.labels.key UDM field is set to subject_terminal_id_type and the principal.labels.value UDM field is set to 6-IPv6.

Else, the principal.labels.key UDM field is set to subject_terminal_id_type and the subject.terminal_id.type log field is mapped to the principal.labels.value UDM field.
subject.terminal_id.type additional.fields[type] If the subject.terminal_id.type log field value is equal to 4, then the additional.fields.key UDM field is set to subject_terminal_id_type and the additional.fields.value.string_value UDM field is set to 4-IPv4.

Else, if the subject.terminal_id.type log field value is equal to 6, then the additional.fields.key UDM field is set to subject_terminal_id_type and the additional.fields.value.string_value UDM field is set to 6-IPv6.

Else, the additional.fields.key UDM field is set to subject_terminal_id_type and the subject.terminal_id.type log field is mapped to the additional.fields.value.string_value UDM field.
subject.terminal_id.ip_address principal.ip
subject.terminal_id.port principal.port
texts metadata.description If the index value is equal to 0, then the texts log field is mapped to the metadata.description UDM field.

Else, the texts log field is mapped to the about.labels.value UDM field.
attributes.device principal.asset.attribute.labels[device]
attributes.owner_group_name about.group.group_display_name
attributes.owner_group_id about.user.group_identifiers
attributes.owner_user_id about.user.userid
attributes.owner_user_name about.user.user_display_name
attributes.file_system_id principal.labels[attributes_file_system_id] (deprecated)
attributes.file_system_id additional.fields[attributes_file_system_id]
attributes.file_access_mode principal.labels[attributes_file_access_mode] (deprecated)
attributes.file_access_mode additional.fields[attributes_file_access_mode]
attributes.node_id principal.asset.asset_id
path about.labels[path]
arguments.cmd principal.labels[arguments_cmd] (deprecated)
arguments.cmd additional.fields[arguments_cmd]
arguments.policy principal.labels[arguments_policy] (deprecated)
arguments.policy additional.fields[arguments_policy]
arguments.length principal.labels[arguments_length] (deprecated)
arguments.length additional.fields[arguments_length]
_event_score security_result.severity_details
architecture principal.asset.hardware.cpu_model
arguments.addr principal.labels[arguments_addr] (deprecated)
arguments.addr additional.fields[arguments_addr]
arguments.am_failure principal.labels[arguments_am_failure] (deprecated)
arguments.am_failure additional.fields[arguments_am_failure]
arguments.am_success principal.labels[arguments_am_success] (deprecated)
arguments.am_success additional.fields[arguments_am_success]
arguments.authenticated_as_test principal.labels[arguments_authenticated_as_test] (deprecated)
arguments.authenticated_as_test additional.fields[arguments_authenticated_as_test]
arguments.child_PID principal.labels[arguments_child_PID] (deprecated)
arguments.child_PID additional.fields[arguments_child_PID]
arguments.data principal.labels[arguments_data] (deprecated)
arguments.data additional.fields[arguments_data]
arguments.domain principal.labels[arguments_domain] (deprecated)
arguments.domain additional.fields[arguments_domain]
arguments.fd principal.labels[arguments_fd] (deprecated)
arguments.fd additional.fields[arguments_fd]
arguments.flags principal.labels[arguments_flags] (deprecated)
arguments.flags additional.fields[arguments_flags]
arguments.authenticated_as_allen.golbig principal.labels[authenticated_as_allen_golbig] (deprecated)
arguments.authenticated_as_allen.golbig additional.fields[authenticated_as_allen_golbig]
arguments.known_UID_ principal.labels[argument_known_uid] (deprecated)
arguments.known_UID_ additional.fields[argument_known_uid]
arguments.pid principal.labels[arguments_pid] (deprecated)
arguments.pid additional.fields[arguments_pid]
arguments.port principal.labels[arguments_port] (deprecated)
arguments.port additional.fields[arguments_port]
arguments.priority security_result.priority_details
arguments.process principal.labels[argument_process] (deprecated)
arguments.process additional.fields[argument_process]
arguments.protocol principal.labels[argument_protocol] (deprecated)
arguments.protocol additional.fields[argument_protocol]
arguments.request principal.labels[argument_request] (deprecated)
arguments.request additional.fields[argument_request]
arguments.sflags principal.labels[arguments_sflags] (deprecated)
arguments.sflags additional.fields[arguments_sflags]
arguments.signal principal.labels[argument_signal] (deprecated)
arguments.signal additional.fields[argument_signal]
arguments.target_port,process.terminal_id.port,socket_inet.port target.port If the header.event_name log field value is equal to AUE_KILL or AUE_TASKFORPID, then the process.port log field is mapped to the target.port UDM field.

Else, if the header.event_name log field value is equal to AUE_BIND or AUE_CONNECT, then the socket_inet.port log field is mapped to the target.port UDM field.

Else, the agument.target_port log field is mapped to the target.port UDM field.
arguments.task_port principal.labels[task_port] (deprecated)
arguments.task_port additional.fields[task_port]
arguments.type principal.labels[argument_type] (deprecated)
arguments.type additional.fields[argument_type]
arguments.which principal.labels[which] (deprecated)
arguments.which additional.fields[which]
arguments.who principal.labels[who] (deprecated)
arguments.who additional.fields[who]
bios_firmware_versions.booter-version principal.asset.attribute.labels[booter_version]
bios_firmware_versions.firmware-features principal.asset.attribute.labels[firmware_features]
bios_firmware_versions.firmware-version principal.asset.attribute.labels[firmware_version]
bios_firmware_versions.release-date principal.asset.attribute.labels[release_date]
bios_firmware_versions.rom-size principal.asset.attribute.labels[rom_size]
bios_firmware_versions.system-firmware-version principal.asset.attribute.labels[system_firmware_version]
bios_firmware_versions.vendor principal.asset.attribute.labels[vendor]
bios_firmware_versions.version principal.asset.attribute.labels[version]
exec_args.args_compiled principal.process.command_line
exec_chain_parent.uuid principal.labels[parent_uuid] (deprecated)
exec_chain_parent.uuid additional.fields[parent_uuid]
exec_env.env_compiled about.labels[env_compiled] (deprecated)
exec_env.env_compiled additional.fields[env_compiled]
exec_env.env.PATH about.labels[env_path] (deprecated)
exec_env.env.PATH additional.fields[env_path]
exit.return_value principal.labels[return_value] (deprecated)
exit.return_value additional.fields[return_value]
exit.status principal.labels[exit_status] (deprecated)
exit.status additional.fields[exit_status]
process.audit_id about.labels[process_audit_id] (deprecated)
process.audit_id additional.fields[process_audit_id]
process.audit_user_name about.labels[audit_user_name] (deprecated)
process.audit_user_name additional.fields[audit_user_name]
process.group_idprocess.effective_group_id about.user.group_identifiers
process.group_name about.group.group_display_name
process.process_hash target.process.file.sha1
process.process_id target.process.pid
process.process_name target.process.file.full_path
process.session_id target.labels[process_session_id] (deprecated)
process.session_id additional.fields[process_session_id]
process.terminal_id.addr target.labels[addr]
process.terminal_id.ip_address target.ip
process.terminal_id.type target.labels[process_terminal_id_type] (deprecated) If the process.terminal_id.type log field value is equal to 4, then the target.labels.key UDM field is set to process_terminal_id_type and the target.labels.value UDM field is set to 4-IPv4.

Else, if the subject.terminal_id.type log field value is equal to 6, then the target.labels.key UDM field is set to process_terminal_id_type and the target.labels.value UDM field is set to 6-IPv6.

Else, the target.labels.key UDM field is set to process_terminal_id_type and the process.terminal_id.type log field is mapped to the target.labels.value UDM field.
process.terminal_id.type additional.fields[process_terminal_id_type] If the process.terminal_id.type log field value is equal to 4, then the additional.fields.key UDM field is set to process_terminal_id_type and the additional.fields.value.string_value UDM field is set to 4-IPv4.

Else, if the subject.terminal_id.type log field value is equal to 6, then the additional.fields.key UDM field is set to process_terminal_id_type and the additional.fields.value.string_value UDM field is set to 6-IPv6.

Else, the additional.fields.key UDM field is set to process_terminal_id_type and the process.terminal_id.type log field is mapped to the additional.fields.value.string_value UDM field.
process.user_id about.user.userid
process.user_name about.user.user_display_name
rateLimitingSeconds about.labels[rate_limiting_seconds] (deprecated)
rateLimitingSeconds additional.fields[rate_limiting_seconds]
socket_inet.family target.labels[socket_inet_family] (deprecated)
socket_inet.family additional.fields[socket_inet_family]
socket_inet.id target.labels[socket_inet_id] (deprecated) If the socket_inet.id log field value is equal to 128, then the target.labels.key UDM field is set to socket_inet_id and the target.labels.value UDM field is set to 128-IPv4.

Else, if the socket_inet.id log field value is equal to 129, then the target.labels.key UDM field is set to socket_inet_id and the target.labels.value UDM field is set to 129-IPv6.

Else, the target.labels.key UDM field is set to socket_inet_id and the socket_inet.ip log field is mapped to the target.labels.value UDM field.
socket_inet.id additional.fields[socket_inet_id] If the socket_inet.id log field value is equal to 128, then the additional.fields.key UDM field is set to socket_inet_id and the additional.fields.value.string_value UDM field is set to 128-IPv4.

Else, if the socket_inet.id log field value is equal to 129, then the additional.fields.key UDM field is set to socket_inet_id and the additional.fields.value.string_value UDM field is set to 129-IPv6.

Else, the additional.fields.key UDM field is set to socket_inet_id and the socket_inet.ip log field is mapped to the additional.fields.value.string_value UDM field.
socket_inet.ip_address target.ip
socket_unix.family target.labels[socket_unix_family] (deprecated)
socket_unix.family additional.fields[socket_unix_family]
socket_unix.path target.file.full_path
subject.terminal_id.addr target.labels[addr]
metrics.hw_model principal.asset.hardware.model
metrics.tasks.bytes_received network.received_bytes If the index value is equal to 0, then the metrics.tasks.bytes_received log field is mapped to the network.received_bytes UDM field.

Else, the metrics.tasks.bytes_received log field is mapped to the principal.asset.attribute.labels.value UDM field.
metrics.tasks.bytes_received_per_s principal.asset.attribute.labels[bytes_received_per_s]
metrics.tasks.bytes_sent network.sent_bytes If the index value is equal to 0, then the metrics.tasks.bytes_sent log field is mapped to the network.sent_bytes UDM field.

Else, the metrics.tasks.bytes_sent log field is mapped to the principal.asset.attribute.labels.value UDM field.
metrics.tasks.bytes_sent_per_s principal.asset.attribute.labels[bytes_sent_per_s]
metrics.tasks.cputime_ms_per_s principal.asset.attribute.labels[cputime_ms_per_s]
metrics.tasks.cputime_ns principal.asset.attribute.labels[cputime_ns]
metrics.tasks.cputime_sample_ms_per_s principal.asset.attribute.labels[cputime_sample_ms_per_s]
metrics.tasks.cputime_userland_ratio principal.asset.attribute.labels[cputime_userland_ratio]
metrics.tasks.diskio_bytesread principal.asset.attribute.labels[diskio_bytesread]
metrics.tasks.diskio_bytesread_per_s principal.asset.attribute.labels[diskio_bytesread_per_s]
metrics.tasks.diskio_byteswritten principal.asset.attribute.labels[diskio_byteswritten]
metrics.tasks.diskio_byteswritten_per_s principal.asset.attribute.labels[diskio_byteswritten_per_s]
metrics.tasks.energy_impact principal.asset.attribute.labels[energy_impact]
metrics.tasks.energy_impact_per_s principal.asset.attribute.labels[energy_impact_per_s]
metrics.tasks.idle_wakeups principal.asset.attribute.labels[idle_wakeups]
metrics.tasks.interval_ns principal.asset.attribute.labels[interval_ns]
metrics.tasks.intr_wakeups_per_s principal.asset.attribute.labels[intr_wakeups_per_s]
metrics.tasks.name principal.asset.attribute.labels[name]
metrics.tasks.packets_received network.received_packets If the index value is equal to 0, then the metrics.tasks.packets_received log field is mapped to the network.received_packets UDM field.

Else, the metrics.tasks.packets_received log field is mapped to the principal.asset.attribute.labels.value UDM field.
metrics.tasks.packets_received_per_s principal.asset.attribute.labels[packets_received_per_s]
metrics.tasks.packets_sent network.sent_packets If the index value is equal to 0, then the metrics.tasks.packets_sent log field is mapped to the network.sent_packets UDM field.

Else, the metrics.tasks.packets_sent log field is mapped to the principal.asset.attribute.labels.value UDM field.
metrics.tasks.packets_sent_per_s principal.asset.attribute.labels[packets_sent_per_s]
metrics.tasks.pageins principal.asset.attribute.labels[pageins]
metrics.tasks.pageins_per_s principal.asset.attribute.labels[pageins_per_s]
metrics.tasks.qos_background_ms_per_s principal.asset.attribute.labels[qos_background_ms_per_s]
metrics.tasks.qos_background_ns principal.asset.attribute.labels[qos_background_ns]
metrics.tasks.qos_default_ms_per_s principal.asset.attribute.labels[qos_default_ms_per_s]
metrics.tasks.qos_default_ns principal.asset.attribute.labels[qos_default_ns]
metrics.tasks.qos_disabled_ms_per_s principal.asset.attribute.labels[qos_disabled_ms_per_s]
metrics.tasks.qos_disabled_ns principal.asset.attribute.labels[qos_disabled_ns]
metrics.tasks.qos_maintenance_ms_per_s principal.asset.attribute.labels[qos_maintenance_ms_per_s]
metrics.tasks.qos_maintenance_ns principal.asset.attribute.labels[qos_maintenance_ns]
metrics.tasks.qos_user_initiated_ms_per_s principal.asset.attribute.labels[qos_user_initiated_ms_per_s]
metrics.tasks.qos_user_initiated_ns principal.asset.attribute.labels[qos_user_initiated_ns]
metrics.tasks.qos_user_interactive_ms_per_s principal.asset.attribute.labels[qos_user_interactive_ms_per_s]
metrics.tasks.qos_user_interactive_ns principal.asset.attribute.labels[qos_user_interactive_ns]
metrics.tasks.qos_utility_ms_per_s principal.asset.attribute.labels[qos_utility_ms_per_s]
metrics.tasks.qos_utility_ns principal.asset.attribute.labels[qos_utility_ns]
metrics.tasks.started_abstime_ns principal.asset.attribute.labels[started_abstime_ns]
metrics.tasks.timer_wakeups.wakeups principal.asset.attribute.labels[timer_wakeups]
page_info.page about.labels[page_info_page] (deprecated)
page_info.page additional.fields[page_info_page]
page_info.total about.labels[page_info_total] (deprecated)
page_info.total additional.fields[page_info_total]
exec_env.env._ about.labels[env] (deprecated)
exec_env.env._ additional.fields[env]
exec_env.env.__CF_USER_TEXT_ENCODING about.labels[env__CF_USER_TEXT_ENCODING] (deprecated)
exec_env.env.__CF_USER_TEXT_ENCODING additional.fields[env__CF_USER_TEXT_ENCODING]
exec_env.env.__CFBundleIdentifier about.labels[env__CFBundleIdentifier] (deprecated)
exec_env.env.__CFBundleIdentifier additional.fields[env__CFBundleIdentifier]
exec_env.env.ASDF_DIR about.labels[env_ASDF_DIR] (deprecated)
exec_env.env.ASDF_DIR additional.fields[env_ASDF_DIR]
exec_env.env.HOME about.labels[env_HOME] (deprecated)
exec_env.env.HOME additional.fields[env_HOME]
exec_env.env.LANG about.labels[env_LANG] (deprecated)
exec_env.env.LANG additional.fields[env_LANG]
exec_env.env.LC_TERMINAL about.labels[env_LC_TERMINAL] (deprecated)
exec_env.env.LC_TERMINAL additional.fields[env_LC_TERMINAL]
exec_env.env.LC_TERMINAL_VERSION about.labels[env_LC_TERMINAL_VERSION] (deprecated)
exec_env.env.LC_TERMINAL_VERSION additional.fields[env_LC_TERMINAL_VERSION]
exec_env.env.MAIL about.labels[env_MAIL] (deprecated)
exec_env.env.MAIL additional.fields[env_MAIL]
exec_env.env.MallocSpaceEfficient about.labels[env_MallocSpaceEfficient] (deprecated)
exec_env.env.MallocSpaceEfficient additional.fields[env_MallocSpaceEfficient]
exec_env.env.OLDPWD about.labels[env_OLDPWD] (deprecated)
exec_env.env.OLDPWD additional.fields[env_OLDPWD]
exec_env.env.PWD about.file.full_path
exec_env.env.SHELL about.labels[env_SHELL] (deprecated)
exec_env.env.SHELL additional.fields[env_SHELL]
exec_env.env.SHLVL about.labels[env_SHLVL] (deprecated)
exec_env.env.SHLVL additional.fields[env_SHLVL]
exec_env.env.SSH_AUTH_SOCK about.labels[env_SSH_AUTH_SOCK] (deprecated)
exec_env.env.SSH_AUTH_SOCK additional.fields[env_SSH_AUTH_SOCK]
exec_env.env.SSH_CLIENT about.labels[env_SSH_CLIENT] (deprecated)
exec_env.env.SSH_CLIENT additional.fields[env_SSH_CLIENT]
exec_env.env.SSH_CONNECTION about.labels[env_SSH_CONNECTION] (deprecated)
exec_env.env.SSH_CONNECTION additional.fields[env_SSH_CONNECTION]
exec_env.env.SSH_TTY about.labels[env_SSH_TTY] (deprecated)
exec_env.env.SSH_TTY additional.fields[env_SSH_TTY]
exec_env.env.SUDO_COMMAND about.labels[env_SUDO_COMMAND] (deprecated)
exec_env.env.SUDO_COMMAND additional.fields[env_SUDO_COMMAND]
exec_env.env.SUDO_GID about.user.group_identifiers
exec_env.env.SUDO_UID about.user.userid
exec_env.env.SUDO_USER about.user.user_display_name
exec_env.env.TERM about.labels[env_TERM] (deprecated)
exec_env.env.TERM additional.fields[env_TERM]
exec_env.env.LOGNAME about.labels[env_LOGNAME] (deprecated)
exec_env.env.LOGNAME additional.fields[env_LOGNAME]
exec_env.env.USER about.labels[env_USER] (deprecated)
exec_env.env.USER additional.fields[env_USER]
exec_env.env.TERM_PROGRAM about.labels[env_TERM_PROGRAM] (deprecated)
exec_env.env.TERM_PROGRAM additional.fields[env_TERM_PROGRAM]
exec_env.env.TERM_PROGRAM_VERSION about.labels[env_TERM_PROGRAM_VERSION] (deprecated)
exec_env.env.TERM_PROGRAM_VERSION additional.fields[env_TERM_PROGRAM_VERSION]
exec_env.env.TERM_SESSION_ID about.labels[env_TERM_SESSION_ID] (deprecated)
exec_env.env.TERM_SESSION_ID additional.fields[env_TERM_SESSION_ID]
exec_env.env.TMPDIR about.labels[env_TMPDIR] (deprecated)
exec_env.env.TMPDIR additional.fields[env_TMPDIR]
exec_env.env.XPC_FLAGS about.labels[env_XPC_FLAGS] (deprecated)
exec_env.env.XPC_FLAGS additional.fields[env_XPC_FLAGS]
exec_env.env.XPC_SERVICE_NAME about.labels[env_XPC_SERVICE_NAME] (deprecated)
exec_env.env.XPC_SERVICE_NAME additional.fields[env_XPC_SERVICE_NAME]
target.resource.resource_type If the header.event_name log field value is equal to AUE_GETAUID, then the target.resource.resource_type UDM field is set to TASK.

Else, if the header.event_name log field value is equal to AUE_SETPRIORITY or AUE_SETTIMEOFDAY, then the target.resource.resource_type UDM field is set to SETTING.
extensions.auth.mechanism If the header.event_name log field value contains one of the following values, then the mechanism UDM field is set to USERNAME_PASSWORD:
  • AUE_auth_user
  • AUE_logout
  • AUE_lw_login
  • AUE_openssh
  • AUE_SESSION_CLOSE
  • AUE_SESSION_END
  • AUE_SESSION_START
  • AUE_ssauthint
  • AUE_ssauthmech
  • AUE_ssauthorize

後續步驟

還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。