收集 Jamf Protect 遙測記錄
本文說明如何設定 Google Security Operations 資訊提供,收集 Jamf Protect Telemetry 記錄,以及如何將記錄欄位對應至 Google Security Operations Unified Data Model (UDM) 欄位。本文也列出支援的 Jamf Protect Telemetry 版本。
詳情請參閱「將資料擷取至 Google Security Operations」。
一般部署作業包含 Jamf Protect 遙測和 Google Security Operations 資訊動態饋給,後者會設定為將記錄傳送至 Google Security Operations。每個客戶的部署作業可能有所不同,也可能更複雜。
部署作業包含下列元件:
Jamf Protect 遙測。您要從哪個 Jamf Protect Telemetry 平台收集記錄。
Google Security Operations 摘要。Google Security Operations 資訊提供,可從 Jamf Protect Telemetry 擷取記錄,並將記錄寫入 Google Security Operations。
Google Security Operations。Google Security Operations 會保留及分析 Jamf Protect Telemetry 的記錄。
擷取標籤會識別剖析器,該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於具有 JAMF_TELEMETRY
攝入標籤的剖析器。
事前準備
請確認您已完成下列事前準備事項:
- 已設定 Jamf Protect 遙測資料
- Jamf Protect 4.0.0 以上版本
- 部署架構中的所有系統都已設定為世界標準時間時區。
設定動態饋給
在 Google SecOps 平台中,有兩種不同的進入點可設定動態饋給:
- 「SIEM 設定」>「動態消息」
- 內容中心 > 內容包
依序前往「SIEM 設定」>「動態消息」,設定動態消息
您可以使用 Amazon S3 或 Webhook,在 Google Security Operations 中設定擷取動態饋給,但我們建議使用 Amazon S3。
使用 Amazon S3 在 Google SecOps 中設定擷取動態饋給
如要為這個產品系列中的不同記錄類型設定多個動態饋給,請參閱「依產品設定動態饋給」。
如要設定單一動態饋給,請按照下列步驟操作:
- 依序前往「SIEM 設定」>「動態饋給」。
- 按一下「新增動態消息」。
- 在下一個頁面中,按一下「設定單一動態饋給」。
- 在「動態饋給名稱」欄位中,輸入動態饋給的名稱,例如「Jamf Telemetry Logs」。
- 選取「Amazon S3」做為「來源類型」。
- 如要建立 Jamf Protect Telemetry 的資訊提供,請選取「Jamf Protect Telemetry」做為「記錄類型」。
- 點選「下一步」。
- 儲存動態饋給,然後提交。
- 從動態饋給名稱複製動態饋給 ID,以便在 Jamf Protect Telemetry 中使用。
使用 Webhook 在 Google SecOps 中設定擷取動態饋給
僅適用於 Google Security Operations Unified 客戶:
如要為這個產品系列中的不同記錄類型設定多個動態饋給,請參閱「設定多個動態饋給」。
所有客戶:
如要設定單一動態饋給,請按照下列步驟操作:
- 依序前往「SIEM 設定」>「動態饋給」。
- 按一下「新增動態消息」。
- 在下一個頁面中,按一下「設定單一動態饋給」。如果您使用 Google SecOps SIEM 獨立平台,請略過這個步驟。
- 在「動態饋給名稱」欄位中,輸入動態饋給的名稱,例如「Jamf Telemetry Logs」。
- 在「Source type」(來源類型) 清單中,選取「Webhook」(Webhook)。
- 如要建立 Jamf Protect Telemetry 的資訊提供,請選取「Jamf Protect Telemetry」做為「記錄類型」。
- 點選「下一步」。
- 選用:指定下列輸入參數的值:
- 分割分隔符號:用於分隔記錄行的分隔符號,例如
\n
。 - 資產命名空間:資產命名空間。
- 擷取標籤:要套用至這個動態饋給事件的標籤。
- 分割分隔符號:用於分隔記錄行的分隔符號,例如
- 點選「下一步」。
- 在「Finalize」畫面上檢查新的動態饋給設定,然後按一下「Submit」。
- 按一下「產生密鑰」,產生驗證這個動態消息的密鑰。
- 複製並儲存「密鑰」。您無法再次查看這個密鑰。如有需要,您可以重新產生新的密鑰,但這項操作會使先前的密鑰失效。
- 在「詳細資料」分頁中,從「端點資訊」欄位複製動態消息端點網址。您需要使用這個 HTTPS 網址設定 Jamf Protect Telemetry 用戶端應用程式。
- 按一下 [完成]。
從內容中心設定動態饋給
為下列欄位指定值:
- 區域:Amazon S3 值區所在的區域。
- S3 URI:bucket URI。
s3://your-log-bucket-name/
- 請將
your-log-bucket-name
替換為 S3 值區的實際名稱。
- 請將
- URI 是:根據 bucket 結構,選取「Directory」(目錄) 或「Directory which includes subdirectories」(包含子目錄的目錄)。
- 來源刪除選項:根據擷取偏好設定選取刪除選項。
存取金鑰 ID:具備 S3 值區讀取權限的使用者存取金鑰。
存取密鑰:使用者的存取密鑰,具備從 S3 bucket 讀取的權限。
進階選項
- 動態饋給名稱:系統預先填入的值,用於識別動態饋給。
- 來源類型:將記錄收集到 Google SecOps 的方法。
- 資產命名空間:與動態饋給相關聯的命名空間。
- 擷取標籤:套用至這個動態饋給所有事件的標籤。
為 Webhook 動態饋給建立 API 金鑰
依序前往 Google Cloud 控制台 >「憑證」。
按一下 [Create credentials] (建立憑證),然後選取 [API key] (API 金鑰)。
將 API 金鑰存取權限制在 Google Security Operations API。
為 Webhook 饋給設定 Jamf Protect 遙測資料
- 在 Jamf Protect Telemetry 應用程式中,前往相關的「Action configuration」(動作設定)。
- 如要新增資料端點,請按一下「建立動作」。
- 選取「HTTP」做為通訊協定。
- 在「URL」欄位中,輸入 Google Security Operations API 端點的 HTTPS 網址。(這是您從 Webhook 摘要設定複製的「端點資訊」欄位。(已經是所需格式)。
指定 API 金鑰和密鑰,以啟用驗證,格式如下:
X-goog-api-key = API_KEY X-Webhook-Access-Key = SECRET
建議:請將 API 金鑰指定為標頭,而非在網址中指定。如果 Webhook 用戶端不支援自訂標頭,您可以使用查詢參數指定 API 金鑰和密鑰,格式如下:
ENDPOINT_URL?key=API_KEY&secret=SECRET
更改下列內容:
ENDPOINT_URL
:動態消息端點網址。API_KEY
:用於向 Google Security Operations 進行驗證的 API 金鑰。SECRET
:您產生的密鑰,用於驗證動態饋給。
在「收集記錄」部分中,選取「遙測」。
按一下「提交」。
如要進一步瞭解 Google Security Operations 動態消息,請參閱 Google Security Operations 動態消息說明文件。如要瞭解各動態饋給類型的規定,請參閱「依類型設定動態饋給」。
如果在建立動態饋給時遇到問題,請與 Google Security Operations 支援團隊聯絡。
支援的 Jamf Protect 遙測記錄類型
Jamf Protect Telemetry 剖析器支援下列記錄類型:
Event Type
- AUE_add_to_group
- AUE_AUDITCTL
- AUE_AUDITON_SPOLICY
- AUE_AUTH_USER
- AUE_BIND
- AUE_BIOS_FIRMWARE_VERSIONS
- AUE_CHDIR
- AUE_CHROOT
- AUE_CONNECT
- AUE_create_group
- AUE_delete_group
- AUE_create_user
- AUE_delete_user
- AUE_EXECVE
- AUE_EXIT
- AUE_FORK
- AUE_GETAUID
- AUE_KILL
- AUE_LISTEN
- AUE_LOGOUT
- AUE_LW_LOGIN
- AUE_MAC_SET_PROC
- AUE_modify_group
- AUE_modify_password
- AUE_modify_user
- AUE_MOUNT
- AUE_openssh
- AUE_PIDFORTASK
- AUE_POSIX_SPAWN
- AUE_REMOVE_FROM_GROUP
- AUE_SESSION_CLOSE
- AUE_SESSION_END
- AUE_SESSION_START
- AUE_SESSION_UPDATE
- AUE_SETPRIORITY
- AUE_SETSOCKOPT
- AUE_SETTIMEOFDAY
- AUE_SHUTDOWN
- AUE_SOCKETPAIR
- AUE_SSAUTHINT
- AUE_SSAUTHMECH
- AUE_SSAUTHORIZE
- AUE_TASKFORPID
- AUE_TASKNAMEFORPID
- AUE_UNMOUNT
- AUE_WAIT4
- PLAINTEXT_LOG_COLLECTION_EVENT
- SYSTEM_PERFORMANCE_METRICS
支援的 Jamf Protect 遙測記錄格式
Jamf Protect Telemetry 剖析器支援 JSON 格式的記錄。
支援的 Jamf Protect 遙測資料記錄範例
JSON
{ "exec_chain": { "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E" }, "exec_chain_child": { "parent_path": "/sbin/launchd", "parent_pid": 1, "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02" }, "header": { "time_seconds_epoch": 1657906179, "time_milliseconds_offset": 848, "version": 11, "event_modifier": 0, "event_id": 45018, "event_name": "AUE_add_to_group" }, "host_info": { "serial_number": "C03WG0H4HDTS", "host_name": "Test_MacBook_Pro", "osversion": "Version 12.4 (Build 21F79)", "host_uuid": "8891C1E2-0AC0-4E4A-844B-EA491B14D115" }, "identity": { "signer_id": "dummy.domain.opendirectoryd", "team_id_truncated": false, "signer_id_truncated": false, "cd_hash": "68d22bdec020f20010bfa9d27cd5f69d78427636", "team_id": "", "signer_type": 1 }, "key": "21E48D3B-4965-4072-81BF-83BE04A329C2", "return": { "error": 0, "description": "success", "return_value": 0 }, "subject": { "session_id": 100003, "group_id": 20, "process_name": "/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice", "parent_pid": 1, "effective_user_name": "jamf", "user_id": 501, "group_name": "staff", "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02", "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E", "effective_group_id": 20, "process_hash": "507494616e05a5eb909794354fe69f29e432f2a7", "audit_id": 501, "responsible_process_id": 1391, "parent_path": "/sbin/launchd", "process_id": 1701, "effective_group_name": "staff", "audit_user_name": "jamf", "effective_user_id": 501, "terminal_id": { "type": 4, "ip_address": "198.51.100.0", "port": 4278 }, "responsible_process_name": "/System/Applications/System Preferences.app/Contents/MacOS/System Preferences", "user_name": "jamf" }, "texts": [ "Added Groups membership username to '_lpadmin' node '/Local/Default', value = 'baddie'" ] }
欄位對應參考資料
本節說明 Google Security Operations 剖析器如何將 Jamf Protect 遙測欄位對應至 Google Security Operations Unified Data Model (UDM) 欄位。
欄位對應參照:事件 ID 對應至事件類型
下表列出JAMF_TELEMETRY
記錄類型及其對應的 UDM 事件類型。
Event Identifier | Event Type |
---|---|
AUE_add_to_group |
GROUP_MODIFICATION |
AUE_AUDITCTL |
RESOURCE_READ |
AUE_AUDITON_SPOLICY |
RESOURCE_READ |
AUE_AUTH_USER |
USER_LOGIN |
AUE_BIND |
NETWORK_CONNECTION |
AUE_BIOS_FIRMWARE_VERSIONS |
USER_RESOURCE_ACCESS |
AUE_CHDIR |
USER_RESOURCE_ACCESS |
AUE_CHROOT |
USER_RESOURCE_ACCESS |
AUE_CONNECT |
NETWORK_CONNECTION |
AUE_create_group |
GROUP_CREATION |
AUE_delete_group |
GROUP_DELETION |
AUE_create_user |
USER_CREATION |
AUE_delete_user |
USER_DELETION |
AUE_EXECVE |
PROCESS_LAUNCH |
AUE_EXIT |
PROCESS_TERMINATION |
AUE_FORK |
PROCESS_LAUNCH |
AUE_GETAUID |
SCHEDULED_TASK_CREATION |
AUE_KILL |
PROCESS_TERMINATION |
AUE_LISTEN |
NETWORK_CONNECTION |
AUE_LOGOUT |
USER_LOGOUT |
AUE_LW_LOGIN |
USER_LOGIN |
AUE_MAC_SET_PROC |
PROCESS_UNCATEGORIZED |
AUE_modify_group |
GROUP_MODIFICATION |
AUE_modify_password |
USER_CHANGE_PASSWORD |
AUE_modify_user |
USER_UNCATEGORIZED |
AUE_MOUNT |
RESOURCE_READ |
AUE_openssh |
USER_LOGIN |
AUE_PIDFORTASK |
PROCESS_LAUNCH |
AUE_POSIX_SPAWN |
PROCESS_LAUNCH |
AUE_REMOVE_FROM_GROUP |
GROUP_MODIFICATION |
AUE_SESSION_CLOSE |
USER_LOGOUT |
AUE_SESSION_END |
USER_LOGOUT |
AUE_SESSION_START |
USER_LOGIN |
AUE_SESSION_UPDATE |
USER_UNCATEGORIZED |
AUE_SETPRIORITY |
SETTING_MODIFICATION |
AUE_SETSOCKOPT |
NETWORK_CONNECTION |
AUE_SETTIMEOFDAY |
SETTING_MODIFICATION |
AUE_SHUTDOWN |
STATUS_SHUTDOWN |
AUE_SOCKETPAIR |
NETWORK_CONNECTION |
AUE_SSAUTHINT |
USER_LOGIN |
AUE_SSAUTHMECH |
USER_LOGIN |
AUE_SSAUTHORIZE |
USER_LOGIN |
AUE_TASKFORPID |
PROCESS_INJECTION |
AUE_TASKNAMEFORPID |
PROCESS_INJECTION |
AUE_UNMOUNT |
RESOURCE_READ |
AUE_WAIT4 |
PROCESS_UNCATEGORIZED |
PLAINTEXT_LOG_COLLECTION_EVENT |
GENERIC_EVENT |
SYSTEM_PERFORMANCE_METRICS |
GENERIC_EVENT |
欄位對應參考資料:JAMF_TELEMETRY
下表列出JAMF_TELEMETRY
記錄類型的記錄欄位,以及對應的 UDM 欄位。
Log field | UDM mapping | Logic |
---|---|---|
|
metadata.event_type |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to JAMF_TELEMETRY . |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to JAMF . |
header.time_seconds_epoch |
metadata.event_timestamp |
|
header.time_milliseconds_offset |
about.labels[time_milliseconds_offset] (deprecated) |
|
header.time_milliseconds_offset |
additional.fields[time_milliseconds_offset] |
|
header.version |
about.labels[header_version] (deprecated) |
|
header.version |
additional.fields[header_version] |
|
header.event_modifier |
about.labels[event_modifier] (deprecated) |
|
header.event_modifier |
additional.fields[event_modifier] |
|
header.event_uuid |
metadata.product_log_id |
|
header.event_name,header.event_id |
metadata.product_event_type |
If the header.event_name and header.event_id log field values are not empty, then the header.event_name-header.event_id log fields are mapped to the metadata.product_event_type UDM field.Else, if the header.event_name log field value is not empty, then the header.event_name log field is mapped to the metadata.product_event_type UDM field. Else, if the header.event_id log field value is not empty, then the header.event_id log field is mapped to the metadata.product_event_type UDM field. |
exec_chain.thread_uuid |
principal.labels[exec_chain_thread_uuid] (deprecated) |
|
exec_chain.thread_uuid |
additional.fields[exec_chain_thread_uuid] |
|
exec_chain.uuid |
principal.labels[exec_chain_uuid] (deprecated) |
|
exec_chain.uuid |
additional.fields[exec_chain_uuid] |
|
exec_chain_child.parent_path |
principal.process.parent_process.file.full_path |
|
exec_chain_child.parent_pid |
principal.process.parent_process.pid |
|
exec_chain_child.parent_uuidsubject.parent (deprecated) |
principal.labels[exec_chain_child_parent_uuid] |
|
exec_chain_child.parent_uuid |
additional.fields[exec_chain_child_parent_uuid] |
|
host_info.serial_number |
principal.asset.hardware.serial_number |
|
host_info.host_name |
principal.hostname |
|
host_info.osversion |
principal.asset.software.version |
|
host_info.host_uuid |
principal.asset.product_object_id |
|
host_info.primary_mac_address |
principal.asset.mac |
|
identity.signer_id |
principal.labels[identity_signer_id] (deprecated) |
|
identity.signer_id |
additional.fields[identity_signer_id] |
|
identity.team_id_truncated |
principal.labels[identity_team_id_truncated] (deprecated) |
|
identity.team_id_truncated |
additional.fields[identity_team_id_truncated] |
|
identity.signer_id_truncated |
principal.labels[identity_signer_id_truncated] (deprecated) |
|
identity.signer_id_truncated |
additional.fields[identity_signer_id_truncated] |
|
identity.cd_hash |
principal.labels[identity_cd_hash] (deprecated) |
|
identity.cd_hash |
additional.fields[identity_cd_hash] |
|
identity.team_id |
principal.labels[team_id] (deprecated) |
|
identity.team_id |
additional.fields[team_id] |
|
identity.signer_type |
principal.labels[signer_type] (deprecated) |
|
identity.signer_type |
additional.fields[signer_type] |
|
key |
about.labels[key] (deprecated) |
|
key |
additional.fields[key] |
|
return.error,return.description |
security_result.description |
If the return.error and return.description log field values are not empty, then the return.error-return.description log fields are mapped to the security_result.description UDM field.Else, if the return.error log field value is not empty, then the return.error log field is mapped to the security_result.description UDM field. Else, if the return.description log field value is not empty, then the return.description log field is mapped to the security_result.description UDM field. |
return.return_value |
security_result.detection_fields |
|
subject.session_id |
network.session_id |
|
subject.group_id |
principal.user.group_identifiers |
If the header.event_name log field value contains one of the following values, then the subject.group_id log field is mapped to the target.user.group_identifiers UDM field:
Else, the subject.group_id log field is mapped to the principal.user.group_identifiers UDM field.
|
subject.effective_group_id |
target.user.group_identifiers |
If the header.event_name log field value does not contain one of the following values, then the subject.effective_group_id log field is mapped to the target.user.group_identifiers UDM field:
|
subject.group_name |
principal.group.group_display_name |
If the header.event_name log field value contains one of the following values, then the subject.group_name log field is mapped to the target.group.group_display_name UDM field:
Else, the subject.group_name log field is mapped to the principal.group.group_display_name UDM field.
|
subject.effective_group_name |
target.group.group_display_name |
If the header.event_name log field value does not contain one of the following values, then the subject.effective_group_name log field is mapped to the target.group.group_display_name UDM field:
|
subject.user_name |
principal.user.user_display_name |
If the header.event_name log field value contains one of the following values, then the subject.user_name log field is mapped to the target.user.user_display_name UDM field:
Else, the subject.user_name log field is mapped to the principal.user.user_display_name UDM field.
|
subject.effective_user_name |
target.user.user_display_name |
If the header.event_name log field value does not contain one of the following values, then the subject.effective_user_name log field is mapped to the target.user.user_display_name UDM field:
|
subject.user_id |
principal.user.userid |
If the header.event_name log field value contains one of the following values, then the subject.user_id log field is mapped to the target.user.userid UDM field:
Else, the subject.user_id log field is mapped to the principal.user.userid UDM field.
|
subject.effective_user_id |
target.user.userid |
If the header.event_name log field value does not contain one of the following values, then the subject.effective_user_id log field is mapped to the target.user.userid UDM field:
|
subject.audit_id |
principal.labels[audit_id] (deprecated) |
|
subject.audit_id |
additional.fields[audit_id] |
|
subject.responsible_process_id,metrics.tasks.pid |
principal.process.pid |
If the header.event_name log field value is equal to SYSTEM_PERFORMANCE_METRICS , then the metrics.tasks.pid log field is mapped to the principal.process.pid UDM field. Else, the subject.responsible_process_id log field is mapped to the principal.process.pid UDM field. |
subject.process_id |
principal.process_ancestors.pid |
If the subject.responsible_process_id log field value is not empty, then the subject.process_id log field is mapped to the principal.process_ancestors.pid UDM field. Else, the subject.process_id log field is mapped to the principal.process.pid UDM field. |
subject.audit_user_name |
principal.labels[audit_user_name] (deprecated) |
|
subject.audit_user_name |
additional.fields[audit_user_name] |
|
subject.process_name |
principal.process_ancestors.file.full_path |
If the subject.responsible_process_name log field value is not empty, then the subject.process_name log field is mapped to the principal.process_ancestors.file.full_path UDM field. Else, the subject.process_name log field is mapped to the principal.process.file.full_path UDM field. |
subject.responsible_process_name |
principal.process.file.full_path |
|
subject.process_hash |
principal.process.file.sha1 |
|
subject.terminal_id.type |
principal.labels[type] (deprecated) |
If the subject.terminal_id.type log field value is equal to 4 , then the principal.labels.key UDM field is set to subject_terminal_id_type and the principal.labels.value UDM field is set to 4-IPv4 .Else, if the subject.terminal_id.type log field value is equal to 6 , then the principal.labels.key UDM field is set to subject_terminal_id_type and the principal.labels.value UDM field is set to 6-IPv6 . Else, the principal.labels.key UDM field is set to subject_terminal_id_type and the subject.terminal_id.type log field is mapped to the principal.labels.value UDM field. |
subject.terminal_id.type |
additional.fields[type] |
If the subject.terminal_id.type log field value is equal to 4 , then the additional.fields.key UDM field is set to subject_terminal_id_type and the additional.fields.value.string_value UDM field is set to 4-IPv4 .Else, if the subject.terminal_id.type log field value is equal to 6 , then the additional.fields.key UDM field is set to subject_terminal_id_type and the additional.fields.value.string_value UDM field is set to 6-IPv6 . Else, the additional.fields.key UDM field is set to subject_terminal_id_type and the subject.terminal_id.type log field is mapped to the additional.fields.value.string_value UDM field. |
subject.terminal_id.ip_address |
principal.ip |
|
subject.terminal_id.port |
principal.port |
|
texts |
metadata.description |
If the index value is equal to 0 , then the texts log field is mapped to the metadata.description UDM field.Else, the texts log field is mapped to the about.labels.value UDM field. |
attributes.device |
principal.asset.attribute.labels[device] |
|
attributes.owner_group_name |
about.group.group_display_name |
|
attributes.owner_group_id |
about.user.group_identifiers |
|
attributes.owner_user_id |
about.user.userid |
|
attributes.owner_user_name |
about.user.user_display_name |
|
attributes.file_system_id |
principal.labels[attributes_file_system_id] (deprecated) |
|
attributes.file_system_id |
additional.fields[attributes_file_system_id] |
|
attributes.file_access_mode |
principal.labels[attributes_file_access_mode] (deprecated) |
|
attributes.file_access_mode |
additional.fields[attributes_file_access_mode] |
|
attributes.node_id |
principal.asset.asset_id |
|
path |
about.labels[path] |
|
arguments.cmd |
principal.labels[arguments_cmd] (deprecated) |
|
arguments.cmd |
additional.fields[arguments_cmd] |
|
arguments.policy |
principal.labels[arguments_policy] (deprecated) |
|
arguments.policy |
additional.fields[arguments_policy] |
|
arguments.length |
principal.labels[arguments_length] (deprecated) |
|
arguments.length |
additional.fields[arguments_length] |
|
_event_score |
security_result.severity_details |
|
architecture |
principal.asset.hardware.cpu_model |
|
arguments.addr |
principal.labels[arguments_addr] (deprecated) |
|
arguments.addr |
additional.fields[arguments_addr] |
|
arguments.am_failure |
principal.labels[arguments_am_failure] (deprecated) |
|
arguments.am_failure |
additional.fields[arguments_am_failure] |
|
arguments.am_success |
principal.labels[arguments_am_success] (deprecated) |
|
arguments.am_success |
additional.fields[arguments_am_success] |
|
arguments.authenticated_as_test |
principal.labels[arguments_authenticated_as_test] (deprecated) |
|
arguments.authenticated_as_test |
additional.fields[arguments_authenticated_as_test] |
|
arguments.child_PID |
principal.labels[arguments_child_PID] (deprecated) |
|
arguments.child_PID |
additional.fields[arguments_child_PID] |
|
arguments.data |
principal.labels[arguments_data] (deprecated) |
|
arguments.data |
additional.fields[arguments_data] |
|
arguments.domain |
principal.labels[arguments_domain] (deprecated) |
|
arguments.domain |
additional.fields[arguments_domain] |
|
arguments.fd |
principal.labels[arguments_fd] (deprecated) |
|
arguments.fd |
additional.fields[arguments_fd] |
|
arguments.flags |
principal.labels[arguments_flags] (deprecated) |
|
arguments.flags |
additional.fields[arguments_flags] |
|
arguments.authenticated_as_allen.golbig |
principal.labels[authenticated_as_allen_golbig] (deprecated) |
|
arguments.authenticated_as_allen.golbig |
additional.fields[authenticated_as_allen_golbig] |
|
arguments.known_UID_ |
principal.labels[argument_known_uid] (deprecated) |
|
arguments.known_UID_ |
additional.fields[argument_known_uid] |
|
arguments.pid |
principal.labels[arguments_pid] (deprecated) |
|
arguments.pid |
additional.fields[arguments_pid] |
|
arguments.port |
principal.labels[arguments_port] (deprecated) |
|
arguments.port |
additional.fields[arguments_port] |
|
arguments.priority |
security_result.priority_details |
|
arguments.process |
principal.labels[argument_process] (deprecated) |
|
arguments.process |
additional.fields[argument_process] |
|
arguments.protocol |
principal.labels[argument_protocol] (deprecated) |
|
arguments.protocol |
additional.fields[argument_protocol] |
|
arguments.request |
principal.labels[argument_request] (deprecated) |
|
arguments.request |
additional.fields[argument_request] |
|
arguments.sflags |
principal.labels[arguments_sflags] (deprecated) |
|
arguments.sflags |
additional.fields[arguments_sflags] |
|
arguments.signal |
principal.labels[argument_signal] (deprecated) |
|
arguments.signal |
additional.fields[argument_signal] |
|
arguments.target_port,process.terminal_id.port,socket_inet.port |
target.port |
If the header.event_name log field value is equal to AUE_KILL or AUE_TASKFORPID , then the process.port log field is mapped to the target.port UDM field.Else, if the header.event_name log field value is equal to AUE_BIND or AUE_CONNECT , then the socket_inet.port log field is mapped to the target.port UDM field. Else, the agument.target_port log field is mapped to the target.port UDM field. |
arguments.task_port |
principal.labels[task_port] (deprecated) |
|
arguments.task_port |
additional.fields[task_port] |
|
arguments.type |
principal.labels[argument_type] (deprecated) |
|
arguments.type |
additional.fields[argument_type] |
|
arguments.which |
principal.labels[which] (deprecated) |
|
arguments.which |
additional.fields[which] |
|
arguments.who |
principal.labels[who] (deprecated) |
|
arguments.who |
additional.fields[who] |
|
bios_firmware_versions.booter-version |
principal.asset.attribute.labels[booter_version] |
|
bios_firmware_versions.firmware-features |
principal.asset.attribute.labels[firmware_features] |
|
bios_firmware_versions.firmware-version |
principal.asset.attribute.labels[firmware_version] |
|
bios_firmware_versions.release-date |
principal.asset.attribute.labels[release_date] |
|
bios_firmware_versions.rom-size |
principal.asset.attribute.labels[rom_size] |
|
bios_firmware_versions.system-firmware-version |
principal.asset.attribute.labels[system_firmware_version] |
|
bios_firmware_versions.vendor |
principal.asset.attribute.labels[vendor] |
|
bios_firmware_versions.version |
principal.asset.attribute.labels[version] |
|
exec_args.args_compiled |
principal.process.command_line |
|
exec_chain_parent.uuid |
principal.labels[parent_uuid] (deprecated) |
|
exec_chain_parent.uuid |
additional.fields[parent_uuid] |
|
exec_env.env_compiled |
about.labels[env_compiled] (deprecated) |
|
exec_env.env_compiled |
additional.fields[env_compiled] |
|
exec_env.env.PATH |
about.labels[env_path] (deprecated) |
|
exec_env.env.PATH |
additional.fields[env_path] |
|
exit.return_value |
principal.labels[return_value] (deprecated) |
|
exit.return_value |
additional.fields[return_value] |
|
exit.status |
principal.labels[exit_status] (deprecated) |
|
exit.status |
additional.fields[exit_status] |
|
process.audit_id |
about.labels[process_audit_id] (deprecated) |
|
process.audit_id |
additional.fields[process_audit_id] |
|
process.audit_user_name |
about.labels[audit_user_name] (deprecated) |
|
process.audit_user_name |
additional.fields[audit_user_name] |
|
process.group_idprocess.effective_group_id |
about.user.group_identifiers |
|
process.group_name |
about.group.group_display_name |
|
process.process_hash |
target.process.file.sha1 |
|
process.process_id |
target.process.pid |
|
process.process_name |
target.process.file.full_path |
|
process.session_id |
target.labels[process_session_id] (deprecated) |
|
process.session_id |
additional.fields[process_session_id] |
|
process.terminal_id.addr |
target.labels[addr] |
|
process.terminal_id.ip_address |
target.ip |
|
process.terminal_id.type |
target.labels[process_terminal_id_type] (deprecated) |
If the process.terminal_id.type log field value is equal to 4 , then the target.labels.key UDM field is set to process_terminal_id_type and the target.labels.value UDM field is set to 4-IPv4 .Else, if the subject.terminal_id.type log field value is equal to 6 , then the target.labels.key UDM field is set to process_terminal_id_type and the target.labels.value UDM field is set to 6-IPv6 . Else, the target.labels.key UDM field is set to process_terminal_id_type and the process.terminal_id.type log field is mapped to the target.labels.value UDM field. |
process.terminal_id.type |
additional.fields[process_terminal_id_type] |
If the process.terminal_id.type log field value is equal to 4 , then the additional.fields.key UDM field is set to process_terminal_id_type and the additional.fields.value.string_value UDM field is set to 4-IPv4 .Else, if the subject.terminal_id.type log field value is equal to 6 , then the additional.fields.key UDM field is set to process_terminal_id_type and the additional.fields.value.string_value UDM field is set to 6-IPv6 . Else, the additional.fields.key UDM field is set to process_terminal_id_type and the process.terminal_id.type log field is mapped to the additional.fields.value.string_value UDM field. |
process.user_id |
about.user.userid |
|
process.user_name |
about.user.user_display_name |
|
rateLimitingSeconds |
about.labels[rate_limiting_seconds] (deprecated) |
|
rateLimitingSeconds |
additional.fields[rate_limiting_seconds] |
|
socket_inet.family |
target.labels[socket_inet_family] (deprecated) |
|
socket_inet.family |
additional.fields[socket_inet_family] |
|
socket_inet.id |
target.labels[socket_inet_id] (deprecated) |
If the socket_inet.id log field value is equal to 128 , then the target.labels.key UDM field is set to socket_inet_id and the target.labels.value UDM field is set to 128-IPv4 .Else, if the socket_inet.id log field value is equal to 129 , then the target.labels.key UDM field is set to socket_inet_id and the target.labels.value UDM field is set to 129-IPv6 . Else, the target.labels.key UDM field is set to socket_inet_id and the socket_inet.ip log field is mapped to the target.labels.value UDM field. |
socket_inet.id |
additional.fields[socket_inet_id] |
If the socket_inet.id log field value is equal to 128 , then the additional.fields.key UDM field is set to socket_inet_id and the additional.fields.value.string_value UDM field is set to 128-IPv4 .Else, if the socket_inet.id log field value is equal to 129 , then the additional.fields.key UDM field is set to socket_inet_id and the additional.fields.value.string_value UDM field is set to 129-IPv6 . Else, the additional.fields.key UDM field is set to socket_inet_id and the socket_inet.ip log field is mapped to the additional.fields.value.string_value UDM field. |
socket_inet.ip_address |
target.ip |
|
socket_unix.family |
target.labels[socket_unix_family] (deprecated) |
|
socket_unix.family |
additional.fields[socket_unix_family] |
|
socket_unix.path |
target.file.full_path |
|
subject.terminal_id.addr |
target.labels[addr] |
|
metrics.hw_model |
principal.asset.hardware.model |
|
metrics.tasks.bytes_received |
network.received_bytes |
If the index value is equal to 0 , then the metrics.tasks.bytes_received log field is mapped to the network.received_bytes UDM field.Else, the metrics.tasks.bytes_received log field is mapped to the principal.asset.attribute.labels.value UDM field. |
metrics.tasks.bytes_received_per_s |
principal.asset.attribute.labels[bytes_received_per_s] |
|
metrics.tasks.bytes_sent |
network.sent_bytes |
If the index value is equal to 0 , then the metrics.tasks.bytes_sent log field is mapped to the network.sent_bytes UDM field.Else, the metrics.tasks.bytes_sent log field is mapped to the principal.asset.attribute.labels.value UDM field. |
metrics.tasks.bytes_sent_per_s |
principal.asset.attribute.labels[bytes_sent_per_s] |
|
metrics.tasks.cputime_ms_per_s |
principal.asset.attribute.labels[cputime_ms_per_s] |
|
metrics.tasks.cputime_ns |
principal.asset.attribute.labels[cputime_ns] |
|
metrics.tasks.cputime_sample_ms_per_s |
principal.asset.attribute.labels[cputime_sample_ms_per_s] |
|
metrics.tasks.cputime_userland_ratio |
principal.asset.attribute.labels[cputime_userland_ratio] |
|
metrics.tasks.diskio_bytesread |
principal.asset.attribute.labels[diskio_bytesread] |
|
metrics.tasks.diskio_bytesread_per_s |
principal.asset.attribute.labels[diskio_bytesread_per_s] |
|
metrics.tasks.diskio_byteswritten |
principal.asset.attribute.labels[diskio_byteswritten] |
|
metrics.tasks.diskio_byteswritten_per_s |
principal.asset.attribute.labels[diskio_byteswritten_per_s] |
|
metrics.tasks.energy_impact |
principal.asset.attribute.labels[energy_impact] |
|
metrics.tasks.energy_impact_per_s |
principal.asset.attribute.labels[energy_impact_per_s] |
|
metrics.tasks.idle_wakeups |
principal.asset.attribute.labels[idle_wakeups] |
|
metrics.tasks.interval_ns |
principal.asset.attribute.labels[interval_ns] |
|
metrics.tasks.intr_wakeups_per_s |
principal.asset.attribute.labels[intr_wakeups_per_s] |
|
metrics.tasks.name |
principal.asset.attribute.labels[name] |
|
metrics.tasks.packets_received |
network.received_packets |
If the index value is equal to 0 , then the metrics.tasks.packets_received log field is mapped to the network.received_packets UDM field.Else, the metrics.tasks.packets_received log field is mapped to the principal.asset.attribute.labels.value UDM field. |
metrics.tasks.packets_received_per_s |
principal.asset.attribute.labels[packets_received_per_s] |
|
metrics.tasks.packets_sent |
network.sent_packets |
If the index value is equal to 0 , then the metrics.tasks.packets_sent log field is mapped to the network.sent_packets UDM field.Else, the metrics.tasks.packets_sent log field is mapped to the principal.asset.attribute.labels.value UDM field. |
metrics.tasks.packets_sent_per_s |
principal.asset.attribute.labels[packets_sent_per_s] |
|
metrics.tasks.pageins |
principal.asset.attribute.labels[pageins] |
|
metrics.tasks.pageins_per_s |
principal.asset.attribute.labels[pageins_per_s] |
|
metrics.tasks.qos_background_ms_per_s |
principal.asset.attribute.labels[qos_background_ms_per_s] |
|
metrics.tasks.qos_background_ns |
principal.asset.attribute.labels[qos_background_ns] |
|
metrics.tasks.qos_default_ms_per_s |
principal.asset.attribute.labels[qos_default_ms_per_s] |
|
metrics.tasks.qos_default_ns |
principal.asset.attribute.labels[qos_default_ns] |
|
metrics.tasks.qos_disabled_ms_per_s |
principal.asset.attribute.labels[qos_disabled_ms_per_s] |
|
metrics.tasks.qos_disabled_ns |
principal.asset.attribute.labels[qos_disabled_ns] |
|
metrics.tasks.qos_maintenance_ms_per_s |
principal.asset.attribute.labels[qos_maintenance_ms_per_s] |
|
metrics.tasks.qos_maintenance_ns |
principal.asset.attribute.labels[qos_maintenance_ns] |
|
metrics.tasks.qos_user_initiated_ms_per_s |
principal.asset.attribute.labels[qos_user_initiated_ms_per_s] |
|
metrics.tasks.qos_user_initiated_ns |
principal.asset.attribute.labels[qos_user_initiated_ns] |
|
metrics.tasks.qos_user_interactive_ms_per_s |
principal.asset.attribute.labels[qos_user_interactive_ms_per_s] |
|
metrics.tasks.qos_user_interactive_ns |
principal.asset.attribute.labels[qos_user_interactive_ns] |
|
metrics.tasks.qos_utility_ms_per_s |
principal.asset.attribute.labels[qos_utility_ms_per_s] |
|
metrics.tasks.qos_utility_ns |
principal.asset.attribute.labels[qos_utility_ns] |
|
metrics.tasks.started_abstime_ns |
principal.asset.attribute.labels[started_abstime_ns] |
|
metrics.tasks.timer_wakeups.wakeups |
principal.asset.attribute.labels[timer_wakeups] |
|
page_info.page |
about.labels[page_info_page] (deprecated) |
|
page_info.page |
additional.fields[page_info_page] |
|
page_info.total |
about.labels[page_info_total] (deprecated) |
|
page_info.total |
additional.fields[page_info_total] |
|
exec_env.env._ |
about.labels[env] (deprecated) |
|
exec_env.env._ |
additional.fields[env] |
|
exec_env.env.__CF_USER_TEXT_ENCODING |
about.labels[env__CF_USER_TEXT_ENCODING] (deprecated) |
|
exec_env.env.__CF_USER_TEXT_ENCODING |
additional.fields[env__CF_USER_TEXT_ENCODING] |
|
exec_env.env.__CFBundleIdentifier |
about.labels[env__CFBundleIdentifier] (deprecated) |
|
exec_env.env.__CFBundleIdentifier |
additional.fields[env__CFBundleIdentifier] |
|
exec_env.env.ASDF_DIR |
about.labels[env_ASDF_DIR] (deprecated) |
|
exec_env.env.ASDF_DIR |
additional.fields[env_ASDF_DIR] |
|
exec_env.env.HOME |
about.labels[env_HOME] (deprecated) |
|
exec_env.env.HOME |
additional.fields[env_HOME] |
|
exec_env.env.LANG |
about.labels[env_LANG] (deprecated) |
|
exec_env.env.LANG |
additional.fields[env_LANG] |
|
exec_env.env.LC_TERMINAL |
about.labels[env_LC_TERMINAL] (deprecated) |
|
exec_env.env.LC_TERMINAL |
additional.fields[env_LC_TERMINAL] |
|
exec_env.env.LC_TERMINAL_VERSION |
about.labels[env_LC_TERMINAL_VERSION] (deprecated) |
|
exec_env.env.LC_TERMINAL_VERSION |
additional.fields[env_LC_TERMINAL_VERSION] |
|
exec_env.env.MAIL |
about.labels[env_MAIL] (deprecated) |
|
exec_env.env.MAIL |
additional.fields[env_MAIL] |
|
exec_env.env.MallocSpaceEfficient |
about.labels[env_MallocSpaceEfficient] (deprecated) |
|
exec_env.env.MallocSpaceEfficient |
additional.fields[env_MallocSpaceEfficient] |
|
exec_env.env.OLDPWD |
about.labels[env_OLDPWD] (deprecated) |
|
exec_env.env.OLDPWD |
additional.fields[env_OLDPWD] |
|
exec_env.env.PWD |
about.file.full_path |
|
exec_env.env.SHELL |
about.labels[env_SHELL] (deprecated) |
|
exec_env.env.SHELL |
additional.fields[env_SHELL] |
|
exec_env.env.SHLVL |
about.labels[env_SHLVL] (deprecated) |
|
exec_env.env.SHLVL |
additional.fields[env_SHLVL] |
|
exec_env.env.SSH_AUTH_SOCK |
about.labels[env_SSH_AUTH_SOCK] (deprecated) |
|
exec_env.env.SSH_AUTH_SOCK |
additional.fields[env_SSH_AUTH_SOCK] |
|
exec_env.env.SSH_CLIENT |
about.labels[env_SSH_CLIENT] (deprecated) |
|
exec_env.env.SSH_CLIENT |
additional.fields[env_SSH_CLIENT] |
|
exec_env.env.SSH_CONNECTION |
about.labels[env_SSH_CONNECTION] (deprecated) |
|
exec_env.env.SSH_CONNECTION |
additional.fields[env_SSH_CONNECTION] |
|
exec_env.env.SSH_TTY |
about.labels[env_SSH_TTY] (deprecated) |
|
exec_env.env.SSH_TTY |
additional.fields[env_SSH_TTY] |
|
exec_env.env.SUDO_COMMAND |
about.labels[env_SUDO_COMMAND] (deprecated) |
|
exec_env.env.SUDO_COMMAND |
additional.fields[env_SUDO_COMMAND] |
|
exec_env.env.SUDO_GID |
about.user.group_identifiers |
|
exec_env.env.SUDO_UID |
about.user.userid |
|
exec_env.env.SUDO_USER |
about.user.user_display_name |
|
exec_env.env.TERM |
about.labels[env_TERM] (deprecated) |
|
exec_env.env.TERM |
additional.fields[env_TERM] |
|
exec_env.env.LOGNAME |
about.labels[env_LOGNAME] (deprecated) |
|
exec_env.env.LOGNAME |
additional.fields[env_LOGNAME] |
|
exec_env.env.USER |
about.labels[env_USER] (deprecated) |
|
exec_env.env.USER |
additional.fields[env_USER] |
|
exec_env.env.TERM_PROGRAM |
about.labels[env_TERM_PROGRAM] (deprecated) |
|
exec_env.env.TERM_PROGRAM |
additional.fields[env_TERM_PROGRAM] |
|
exec_env.env.TERM_PROGRAM_VERSION |
about.labels[env_TERM_PROGRAM_VERSION] (deprecated) |
|
exec_env.env.TERM_PROGRAM_VERSION |
additional.fields[env_TERM_PROGRAM_VERSION] |
|
exec_env.env.TERM_SESSION_ID |
about.labels[env_TERM_SESSION_ID] (deprecated) |
|
exec_env.env.TERM_SESSION_ID |
additional.fields[env_TERM_SESSION_ID] |
|
exec_env.env.TMPDIR |
about.labels[env_TMPDIR] (deprecated) |
|
exec_env.env.TMPDIR |
additional.fields[env_TMPDIR] |
|
exec_env.env.XPC_FLAGS |
about.labels[env_XPC_FLAGS] (deprecated) |
|
exec_env.env.XPC_FLAGS |
additional.fields[env_XPC_FLAGS] |
|
exec_env.env.XPC_SERVICE_NAME |
about.labels[env_XPC_SERVICE_NAME] (deprecated) |
|
exec_env.env.XPC_SERVICE_NAME |
additional.fields[env_XPC_SERVICE_NAME] |
|
|
target.resource.resource_type |
If the header.event_name log field value is equal to AUE_GETAUID , then the target.resource.resource_type UDM field is set to TASK .Else, if the header.event_name log field value is equal to AUE_SETPRIORITY or AUE_SETTIMEOFDAY , then the target.resource.resource_type UDM field is set to SETTING . |
|
extensions.auth.mechanism |
If the header.event_name log field value contains one of the following values, then the mechanism UDM field is set to USERNAME_PASSWORD :
|
後續步驟
還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。