Collect OCSF logs
This document describes the supported event types for OCSF logs and how log fields map to Google SecOps Unified Data Model (UDM) fields.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the OCSF ingestion label.
Supported OCSF log formats
The OCSF parser supports logs in JSON format.
Supported OCSF Sample Logs
JSON:
{ "activity_id": 1, "activity_name": "Logon", "certificate": { "created_time": 1602175307000, "expiration_time": 1602175307000, "issuer": "dummy", "serial_number": "1234567", "subject": "user", "version": "1" }, "auth_protocol": "NTLM", "auth_protocol_id": 1, "category_name": "Audit Activity", "category_uid": 3, "class_name": "Authentication", "class_uid": 3002, "device": { "hostname": "dummy_hostname", "hw_info": { "bios_manufacturer": "bios_manufacturer", "cpu_cores": 42, "cpu_speed": 4200, "cpu_type": "x86 Family 6 Model 37 Stepping 5", "ram_size": 2048, "serial_number": "serial123" }, "location": { "coordinates": [ -73.983, 40.719 ], "city": "city", "country": "country", "region": "region" }, "os": { "name": "Windows", "type": "Windows", "type_id": 100 }, "type": "Unknown", "type_id": 2 }, "dst_endpoint": { "hostname": "dummy_hostname", "domain": "dummy@domain.com", "uid": "123456789", "ip": "198.51.100.4", "intermediate_ips": [ "198.51.100.5", "198.51.100.6" ], "mac": "47-1E-10-E7-2B-D0", "port": 420, "location": { "coordinates": [ -73.983, 40.719 ], "city": "city", "country": "country", "region": "region" } }, "actor": { "process": { "created_time": 1538087851000, "parent_process": { "cmd_line": "actor_parent_process_cmd_line" }, "file": { "name": "-", "path": "-", "type": "Regular File", "type_id": 1, "accessed_time": 1538087851000, "created_time": 1538087851000, "modified_time": 1538087851000, "mime_type": "actor_file_type", "size": 45 }, "pid": 0, "cmd_line": "actor_process_cmd_line", "uid": "456" }, "session": { "uid": "0x0" }, "user": { "account_type": "Windows Account", "account_type_id": 2, "domain": "-", "name": "-", "uid": "NULL SID" } }, "logon_type": "Network", "logon_type_id": 3, "message": "An account failed to log on.", "metadata": { "original_time": "10/08/2020 12:41:47 PM", "product": { "feature": { "name": "Security" }, "name": "Microsoft Windows", "vendor_name": "Microsoft" }, "profiles": [ "host" ], "uid": "a738d6e6-4ebd-49bb-805e-45d0604a1bef", "version": "1.0.0-rc.2" }, "severity": "Informational", "severity_id": 1, "src_endpoint": { "hostname": "dummy_hostname", "domain": "dummy@domain.com", "ip": "198.51.100.4", "intermediate_ips": [ "198.51.100.5", "198.51.100.6" ], "mac": "00:1b:63:84:45:e6", "port": 420, "location": { "coordinates": [ -73.983, 40.719 ], "city": "city", "country": "country", "region": "region" } }, "status": "0xC000006D", "status_detail": "Unknown user name or bad password.", "status_id": 2, "time": 1602175307000, "type_name": "Authentication: Logon", "type_uid": 300201, "unmapped": { "Detailed Authentication Information": { "Key Length": "0", "Package Name (NTLM only)": "-", "Transited Services": "-" }, "EventCode": "4625", "EventType": "0", "Failure Information": { "Sub Status": "0xC000006A" }, "OpCode": "Info", "RecordNumber": "223742", "SourceName": "Microsoft Windows security auditing.", "TaskCategory": "Logon" }, "user": { "account_type": "Windows Account", "account_type_id": 2, "domain": "dummy.domain.com", "name": "Administrator", "uid": "NULL SID" } }
Field mapping reference
Field mapping reference: Event Identifier to Event Type
The following table lists the OCSF Supported Events log types and their corresponding UDM event types.
Event Identifier |
---|
Authentication |
Authorize Session |
Security Finding |
FTP Activity |
Compliance Finding |
Detection Finding |
Incident Finding |
Vulnerability Finding |
Process Activity |
Http Activity |
Network Activity |
Network File Activity |
File Hosting Activity |
API Activity |
DNS Activity |
Field mapping reference: OCSF Authentication
The following table lists the log fields for the Authentication log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
activity_id |
metadata.event_type |
If the activity_id log field value is equal to 1 then, the metadata.event_type UDM field is set to USER_LOGIN . Else, if activity_id log field value is equal to 2 then, the metadata.event_type UDM field is set to USER_LOGOUT . Else, the metadata.event_type UDM field is set to USER_UNCATEGORIZED . |
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
api.response.code |
network.http.response_code |
|
api.service.name |
target.application |
If the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if service.name log field value is not empty then, %{service.name} log field is mapped to the target.application UDM field. Else, if pi.s service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. |
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
certificate.created_time |
network.tls.client.certificate.not_before |
|
certificate.expiration_time |
network.tls.client.certificate.not_after |
|
certificate.issuer |
network.tls.client.certificate.issuer |
|
certificate.serial_number |
network.tls.client.certificate.serial |
|
certificate.subject |
network.tls.client.certificate.subject |
|
certificate.version |
network.tls.client.certificate.version |
|
class_name |
metadata.log_type |
|
cloud.org.name |
about.resource.name |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES . Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE . Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
device.created_time |
principal.asset.attribute.creation_time |
|
device.domain |
principal.asset.network_domain |
|
device.first_seen_time |
principal.asset.first_seen_time |
|
device.hostname |
principal.asset.hostname |
|
device.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
device.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
device.hw_info.cpu_speed |
principal.asset.hardware.cpu_clock_speed |
|
device.hw_info.cpu_type |
principal.asset.hardware.cpu_model |
|
device.hw_info.ram_size |
principal.asset.hardware.ram |
|
device.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
device.ip |
principal.asset.ip |
|
device.location.city |
principal.asset.location.city |
|
device.location.coordinates.0 |
principal.asset.location.region_coordinates.longitude |
|
device.location.coordinates.1 |
principal.asset.location.region_coordinates.latitude |
|
device.location.country |
principal.asset.location.country_or_region |
|
device.location.region |
principal.asset.loction.name |
If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
device.mac |
principal.asset.mac |
|
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.os.type_id |
principal.asset.platform_software.platform |
If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS . Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX . Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID . Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC . Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS . Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM . |
device.os.version |
principal.asset.platform_software.platform_version |
|
device.region |
principal.asset.location.name |
|
device.type_id |
principal.asset.type |
If the device.type_id log field value is equal to 1 then, the principal.asset.type UDM field is set to SERVER . Else, if device.type_id log field value is equal to 2 then, the principal.asset.type UDM field is set to WORKSTATION . Else, if device.type_id log field value is equal to 3 then, the principal.asset.type UDM field is set to LAPTOP . Else, if device.type_id log field value is equal to 4 or the device.type_id log field value is equal to 5 then, the principal.asset.type UDM field is set to MOBILE . Else, if device.type_id log field value is equal to 7 then, the principal.asset.type UDM field is set to IOT . Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED . |
device.uid |
principal.asset.product_object_id |
|
dst_endpoint.domain |
target.domain.name |
|
dst_endpoint.hostname |
target.hostname |
|
dst_endpoint.intermediate_ips |
intermediary.ip |
|
dst_endpoint.ip |
target.ip |
|
dst_endpoint.location.city |
target.location.city |
|
dst_endpoint.location.coordinates.0 |
target.location.region_coordinates.longitude |
|
dst_endpoint.location.coordinates.1 |
target.location.region_coordinates.latitude |
|
dst_endpoint.location.country |
target.location.country_or_region |
|
dst_endpoint.location.region |
target.location.name |
|
dst_endpoint.mac |
target.mac |
|
dst_endpoint.port |
target.port |
|
dst_endpoint.svc_name |
target.application |
If the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if service.name log field value is not empty then, %{service.name} log field is mapped to the target.application UDM field. Else, if pi.s service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. |
dst_endpoint.uid |
target.asset_id |
|
http_request.http_method |
network.http.method |
|
http_request.referrer |
network.http.referral_url |
|
http_request.user_agent |
network.http.user_agent |
|
logon_process.cmd_line |
principal.process.command_line |
If the logon_process.cmd_line log field value is empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
actor.process.cmd_line |
principal.process.command_line |
If the logon_process.cmd_line log field value is empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
logon_process.file.accessed_time |
principal.process.file.last_seen_time |
If the logon_process.file.accessed_time log field value is empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
actor.process.file.accessed_time |
principal.process.file.last_seen_time |
If the logon_process.file.accessed_time log field value is empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
logon_process.file.created_time |
principal.process.file.first_seen_time |
If the logon_process.file.created_time log field value is empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
actor.process.file.created_time |
principal.process.file.first_seen_time |
If the logon_process.file.created_time log field value is empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
logon_process.file.mime_type |
principal.process.file.mime_type |
If the logon_process.file.mime_type log field value is empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
actor.process.file.mime_type |
principal.process.file.mime_type |
If the logon_process.file.mime_type log field value is empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
logon_process.file.modified_time |
principal.process.file.last_modification_time |
If the logon_process.file.modified_time log field value is empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
actor.process.file.modified_time |
principal.process.file.last_modification_time |
If the logon_process.file.modified_time log field value is empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
logon_process.file.name |
principal.process.file.names |
If the logon_process.file.name log field value is empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. |
actor.process.file.name |
principal.process.file.names |
If the logon_process.file.name log field value is empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. |
logon_process.file.path |
principal.process.file.full_path |
If the logon_process.file.path log field value is empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
actor.process.file.path |
principal.process.file.full_path |
If the logon_process.file.path log field value is empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
logon_process.file.size |
principal.process.file.size |
If the logon_process.file.size log field value is empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. |
actor.process.file.size |
principal.process.file.size |
If the logon_process.file.size log field value is empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. |
logon_process.parent_process.cmd_line |
principal.process.parent_process.command_line |
If the logon_process.parent_process.cmd_line log field value is empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
If the logon_process.parent_process.cmd_line log field value is empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
logon_process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
If the logon_process.parent_process.file.accessed_time log field value is empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
actor.process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
If the logon_process.parent_process.file.accessed_time log field value is empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
logon_process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
If the logon_process.parent_process.file.created_time log field value is empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
actor.process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
If the logon_process.parent_process.file.created_time log field value is empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
logon_process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
If the logon_process.parent_process.file.mime_type log field value is empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
If the logon_process.parent_process.file.mime_type log field value is empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
logon_process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
If the logon_process.parent_process.file.modified_time log field value is empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
If the logon_process.parent_process.file.modified_time log field value is empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
logon_process.parent_process.file.name |
principal.process.parent_process.file.names |
If the logon_process.parent_process.file.name log field value is empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
If the logon_process.parent_process.file.name log field value is empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
logon_process.parent_process.file.path |
principal.process.parent_process.file.full_path |
If the logon_process.parent_process.file.path log field value is empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
If the logon_process.parent_process.file.path log field value is empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
logon_process.parent_process.file.size |
principal.process.parent_process.file.size |
If the logon_process.parent_process.file.size log field value is empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
If the logon_process.parent_process.file.size log field value is empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
logon_process.parent_process.pid |
principal.process.parent_process.pid |
If the logon_process.parent_process.pid log field value is empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
actor.process.parent_process.pid |
principal.process.parent_process.pid |
If the logon_process.parent_process.pid log field value is empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
logon_process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the logon_process.parent_process.uid log field value is empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the logon_process.parent_process.uid log field value is empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
logon_process.pid |
principal.process.pid |
If the logon_process.pid log field value is empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. |
actor.process.pid |
principal.process.pid |
If the logon_process.pid log field value is empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. |
logon_process.uid |
principal.process.product_specific_process_id |
If the logon_process.uid log field value is empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
actor.process.uid |
principal.process.product_specific_process_id |
If the logon_process.uid log field value is empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
logon_type_id |
extensions.auth.mechanism |
If the logon_type log field value is equal to 0 then, the extensions.auth.mechanism UDM field is set to LOCAL . Else, if logon_type log field value is equal to 2 then, the extensions.auth.mechanism UDM field is set to INTERACTIVE . Else, if logon_type log field value is equal to 3 then, the extensions.auth.mechanism UDM field is set to NETWORK . Else, if logon_type log field value is equal to 4 then, the extensions.auth.mechanism UDM field is set to BATCH . Else, if logon_type log field value is equal to 5 then, the extensions.auth.mechanism UDM field is set to SERVICE . Else, if logon_type log field value is equal to 7 then, the extensions.auth.mechanism UDM field is set to UNLOCK . Else, if logon_type log field value is equal to 8 then, the extensions.auth.mechanism UDM field is set to NETWORK_CLEAR_TEXT . Else, if logon_type log field value is equal to 9 then, the extensions.auth.mechanism UDM field is set to NEW_CREDENTIALS . Else, if logon_type log field value is equal to 10 then, the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE . Else, if logon_type log field value is equal to 11 then, the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE . Else, if logon_type log field value is equal to 12 then, the extensions.auth.mechanism UDM field is set to CACHED_REMOTE_INTERACTIVE . Else, if logon_type log field value is equal to 13 then, the extensions.auth.mechanism UDM field is set to CACHED_UNLOCK . Else, the extensions.auth.mechanism UDM field is set to MECHANISM_UNSPECIFIED . |
message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.response.message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.product.name |
metadata.product_name |
|
metadata.uid |
metadata.product_log_id |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
observables.value |
observer.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
service.name |
target.application |
If the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if the service.name log field value is not empty then, service.name log field is mapped to the target.application UDM field. Else, if the api.service.name log field value is not empty then, api.service.name log field is mapped to the target.application UDM field. |
session.uid |
network.session_id |
If the session.uid log field value is empty then, actor.session.uid log field is mapped to the network.session_id UDM field. |
actor.session.uid |
network.session_id |
If the session.uid log field value is empty then, actor.session.uid log field is mapped to the network.session_id UDM field. |
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
src_endpoint.domain |
principal.domain.name |
|
src_endpoint.hostname |
principal.hostname |
|
src_endpoint.intermediate_ips |
intermediary.ip |
|
src_endpoint.ip |
principal.ip |
|
src_endpoint.location.city |
principal.location.city |
|
src_endpoint.location.coordinates.0 |
principal.location.region_coordinates.longitude |
|
src_endpoint.location.coordinates.1 |
principal.location.region_coordinates.latitude |
|
src_endpoint.location.country |
principal.location.country_or_region |
|
src_endpoint.location.region |
principal.location.name |
|
src_endpoint.mac |
principal.mac |
|
src_endpoint.port |
principal.port |
|
src_endpoint.svc_name |
principal.application |
|
src_endpoint.uid |
principal.asset_id |
|
time |
metadata.event_timestamp |
|
user.domain |
target.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.domain log field is mapped to the target.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.domain log field is mapped to the target.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.domain log field is mapped to the target.administrative_domain UDM field. |
actor.user.domain |
target.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.domain log field is mapped to the target.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.domain log field is mapped to the target.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.domain log field is mapped to the target.administrative_domain UDM field. |
logon_process.user.domain |
target.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.domain log field is mapped to the target.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.domain log field is mapped to the target.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.domain log field is mapped to the target.administrative_domain UDM field. |
user.domain |
principal.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.domain |
principal.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
logon_process.user.domain |
principal.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
user.email_addr |
target.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.email_addr log field is mapped to the target.user.email_addresses UDM field. |
actor.user.email_addr |
target.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.email_addr log field is mapped to the target.user.email_addresses UDM field. |
logon_process.user.email_addr |
target.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.email_addr log field is mapped to the target.user.email_addresses UDM field. |
user.email_addr |
principal.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
logon_process.user.email_addr |
principal.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
user.full_name |
target.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.full_name log field is mapped to the target.user.user_display_name UDM field. |
actor.user.full_name |
target.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.full_name log field is mapped to the target.user.user_display_name UDM field. |
logon_process.user.full_name |
target.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.full_name log field is mapped to the target.user.user_display_name UDM field. |
user.full_name |
principal.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.full_name |
principal.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
logon_process.user.full_name |
principal.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
user.groups.name |
principal.group.group_display_name |
|
actor.user.groups.name |
principal.group.group_display_name |
|
logon_process.user.groups.name |
principal.group.group_display_name |
|
user.groups.privileges |
principal.group.attribute.permissions.name |
|
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
|
logon_process.user.groups.privileges |
principal.group.attribute.permissions.name |
|
user.groups.uid |
principal.user.group_identifiers |
|
actor.user.groups.uid |
principal.user.group_identifiers |
|
logon_process.user.groups.uid |
principal.user.group_identifiers |
|
user.name |
target.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.name log field is mapped to the target.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.name log field is mapped to the target.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.name log field is mapped to the target.user.userid UDM field. |
actor.user.name |
target.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.name log field is mapped to the target.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.name log field is mapped to the target.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.name log field is mapped to the target.user.userid UDM field. |
logon_process.user.name |
target.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.name log field is mapped to the target.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.name log field is mapped to the target.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.name log field is mapped to the target.user.userid UDM field. |
user.name |
principal.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.name |
principal.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.name log field is mapped to the principal.user.userid UDM field. |
logon_process.user.name |
principal.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.name log field is mapped to the principal.user.userid UDM field. |
user.org.name |
target.user.company_name |
If the user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.org.name log field is mapped to the target.user.company_name UDM field. Else, if actor.user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.org.name log field is mapped to the target.user.company_name UDM field. Else, if logon_process.user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.org.name log field is mapped to the target.user.company_name UDM field. |
actor.user.org.name |
target.user.company_name |
If the user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.org.name log field is mapped to the target.user.company_name UDM field. Else, if actor.user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.org.name log field is mapped to the target.user.company_name UDM field. Else, if logon_process.user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.org.name log field is mapped to the target.user.company_name UDM field. |
logon_process.user.org.name | target.user.company_name | If activity_id is 1 or 2, the first non-empty value among user.org.name, actor.user.org.name and logon_process.user.org.name (checked in that order) is mapped to the target.user.company_name UDM field. |
user.org.name | principal.user.company_name | If activity_id is neither 1 nor 2, the first non-empty value among user.org.name, actor.user.org.name and logon_process.user.org.name (checked in that order) is mapped to the principal.user.company_name UDM field. |
actor.user.org.name | principal.user.company_name | If activity_id is neither 1 nor 2, the first non-empty value among user.org.name, actor.user.org.name and logon_process.user.org.name (checked in that order) is mapped to the principal.user.company_name UDM field. |
logon_process.user.org.name | principal.user.company_name | If activity_id is neither 1 nor 2, the first non-empty value among user.org.name, actor.user.org.name and logon_process.user.org.name (checked in that order) is mapped to the principal.user.company_name UDM field. |
user.org.ou_name | target.user.department | If activity_id is 1 or 2, the first non-empty value among user.org.ou_name, actor.user.org.ou_name and logon_process.user.org.ou_name (checked in that order) is mapped to the target.user.department UDM field. |
actor.user.org.ou_name | target.user.department | If activity_id is 1 or 2, the first non-empty value among user.org.ou_name, actor.user.org.ou_name and logon_process.user.org.ou_name (checked in that order) is mapped to the target.user.department UDM field. |
logon_process.user.org.ou_name | target.user.department | If activity_id is 1 or 2, the first non-empty value among user.org.ou_name, actor.user.org.ou_name and logon_process.user.org.ou_name (checked in that order) is mapped to the target.user.department UDM field. |
user.org.ou_name | principal.user.department | If activity_id is neither 1 nor 2, the first non-empty value among user.org.ou_name, actor.user.org.ou_name and logon_process.user.org.ou_name (checked in that order) is mapped to the principal.user.department UDM field. |
actor.user.org.ou_name | principal.user.department | If activity_id is neither 1 nor 2, the first non-empty value among user.org.ou_name, actor.user.org.ou_name and logon_process.user.org.ou_name (checked in that order) is mapped to the principal.user.department UDM field. |
logon_process.user.org.ou_name | principal.user.department | If activity_id is neither 1 nor 2, the first non-empty value among user.org.ou_name, actor.user.org.ou_name and logon_process.user.org.ou_name (checked in that order) is mapped to the principal.user.department UDM field. |
user.type_id | target.user.attribute.roles.name | If activity_id is 1 or 2, the first non-empty value among user.type_id, actor.user.type_id and logon_process.user.type_id (checked in that order) sets the target.user.attribute.roles.name UDM field: 0 sets Unknown, 1 sets User, 2 sets Admin, 3 sets System, and any other value sets Other. |
actor.user.type_id | target.user.attribute.roles.name | If activity_id is 1 or 2, the first non-empty value among user.type_id, actor.user.type_id and logon_process.user.type_id (checked in that order) sets the target.user.attribute.roles.name UDM field: 0 sets Unknown, 1 sets User, 2 sets Admin, 3 sets System, and any other value sets Other. |
logon_process.user.type_id | target.user.attribute.roles.name | If activity_id is 1 or 2, the first non-empty value among user.type_id, actor.user.type_id and logon_process.user.type_id (checked in that order) sets the target.user.attribute.roles.name UDM field: 0 sets Unknown, 1 sets User, 2 sets Admin, 3 sets System, and any other value sets Other. |
user.type_id | principal.user.attribute.roles.name | If activity_id is neither 1 nor 2, the first non-empty value among user.type_id, actor.user.type_id and logon_process.user.type_id (checked in that order) sets the principal.user.attribute.roles.name UDM field: 0 sets Unknown, 1 sets User, 2 sets Admin, 3 sets System, and any other value sets Other. |
actor.user.type_id | principal.user.attribute.roles.name | If activity_id is neither 1 nor 2, the first non-empty value among user.type_id, actor.user.type_id and logon_process.user.type_id (checked in that order) sets the principal.user.attribute.roles.name UDM field: 0 sets Unknown, 1 sets User, 2 sets Admin, 3 sets System, and any other value sets Other. |
logon_process.user.type_id | principal.user.attribute.roles.name | If activity_id is neither 1 nor 2, the first non-empty value among user.type_id, actor.user.type_id and logon_process.user.type_id (checked in that order) sets the principal.user.attribute.roles.name UDM field: 0 sets Unknown, 1 sets User, 2 sets Admin, 3 sets System, and any other value sets Other. |
user.uid | target.user.product_object_id | If activity_id is 1 or 2, the first non-empty value among user.uid, actor.user.uid and logon_process.user.uid (checked in that order) is mapped to the target.user.windows_sid UDM field. |
actor.user.uid | target.user.product_object_id | If activity_id is 1 or 2, the first non-empty value among user.uid, actor.user.uid and logon_process.user.uid (checked in that order) is mapped to the target.user.windows_sid UDM field. |
logon_process.user.uid | target.user.product_object_id | If activity_id is 1 or 2, the first non-empty value among user.uid, actor.user.uid and logon_process.user.uid (checked in that order) is mapped to the target.user.windows_sid UDM field. |
user.uid | principal.user.product_object_id | If activity_id is neither 1 nor 2, the first non-empty value among user.uid, actor.user.uid and logon_process.user.uid (checked in that order) is mapped to the principal.user.windows_sid UDM field. |
actor.user.uid | principal.user.product_object_id | If activity_id is neither 1 nor 2, the first non-empty value among user.uid, actor.user.uid and logon_process.user.uid (checked in that order) is mapped to the principal.user.windows_sid UDM field. |
logon_process.user.uid | principal.user.product_object_id | If activity_id is neither 1 nor 2, the first non-empty value among user.uid, actor.user.uid and logon_process.user.uid (checked in that order) is mapped to the principal.user.windows_sid UDM field. |
actor.user.account_uid | target.user.attribute.labels[actor_user_account_id] | If activity_id is 1 or 2, actor.user.account_uid is mapped to the target.user.attribute.labels UDM field under the key actor_user_account_id; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.user.account_uid | principal.user.attribute.labels[actor_user_account_id] | If activity_id is 1 or 2, actor.user.account_uid is mapped to the target.user.attribute.labels UDM field under the key actor_user_account_id; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.user.type | target.user.attribute.labels[actor_user_type] | If activity_id is 1 or 2, actor.user.type is mapped to the target.user.attribute.labels UDM field under the key actor_user_type; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.user.type | principal.user.attribute.labels[actor_user_type] | If activity_id is 1 or 2, actor.user.type is mapped to the target.user.attribute.labels UDM field under the key actor_user_type; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.user.uuid | target.user.attribute.labels[actor_user_uuid] | If activity_id is 1 or 2, actor.user.uuid is mapped to the target.user.attribute.labels UDM field under the key actor_user_uuid; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.user.uuid | principal.user.attribute.labels[actor_user_uuid] | If activity_id is 1 or 2, actor.user.uuid is mapped to the target.user.attribute.labels UDM field under the key actor_user_uuid; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.user.account_type | target.user.attribute.labels[actor_user_account_type] | If activity_id is 1 or 2, actor.user.account_type is mapped to the target.user.attribute.labels UDM field under the key actor_user_account_type; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.user.account_type | principal.user.attribute.labels[actor_user_account_type] | If activity_id is 1 or 2, actor.user.account_type is mapped to the target.user.attribute.labels UDM field under the key actor_user_account_type; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.user.account_type_id | target.user.attribute.labels[actor_user_account_type_id] | If activity_id is 1 or 2, actor.user.account_type_id is mapped to the target.user.attribute.labels UDM field under the key actor_user_account_type_id; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.user.account_type_id | principal.user.attribute.labels[actor_user_account_type_id] | If activity_id is 1 or 2, actor.user.account_type_id is mapped to the target.user.attribute.labels UDM field under the key actor_user_account_type_id; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.process.file.parent_folder | principal.labels[actor_process_file_parent_folder] |
actor.process.file.type | principal.labels[actor_process_file_type] |
actor.process.file.type_id | principal.labels[actor_process_file_type_id] |
api.operation | about.labels[api_operation] |
metadata.product.feature.name | about.labels[metadata_product_feature_name] |
metadata.profiles | about.labels[metadata_profiles] |
metadata.version | about.labels[metadata_version] |
mfa | about.labels[mfa] |
status | security_result.detection_fields[status] |
status_id | security_result.detection_fields[status_id] |
type_name | about.labels[type_name] |
type_uid | about.labels[type_uid] |
actor.process.file.parent_folder | additional.fields[actor_process_file_parent_folder] |
actor.process.file.type | additional.fields[actor_process_file_type] |
actor.process.file.type_id | additional.fields[actor_process_file_type_id] |
api.operation | additional.fields[api_operation] |
metadata.product.feature.name | additional.fields[metadata_product_feature_name] |
metadata.profiles | additional.fields[metadata_profiles] |
metadata.version | additional.fields[metadata_version] |
mfa | additional.fields[mfa] |
type_name | additional.fields[type_name] |
type_uid | additional.fields[type_uid] |
auth_protocol | additional.fields[auth_protocol] |
auth_protocol_id | additional.fields[auth_protocol_id] |
logon_process.name | additional.fields[logon_process_name] |
logon_type | additional.fields[logon_type] |
session.uuid | additional.fields[session_uuid] |
status_detail | additional.fields[status_detail] |
metadata.original_time | additional.fields[metadata_original_time] |
auth_protocol | about.labels[auth_protocol] |
auth_protocol_id | about.labels[auth_protocol_id] |
logon_process.name | principal.labels[logon_process_name] |
logon_type | principal.labels[logon_type] |
session.uuid | about.labels[session_uuid] |
status_detail | about.labels[status_detail] |
metadata.original_time | about.labels[metadata_original_time] |
user.uuid | target.user.attribute.labels[actor_user_uuid] |
user.uuid | principal.user.attribute.labels[actor_user_uuid] |
device.os.name | principal.asset.attribute.labels[device_os_name] |
device.os.type | principal.asset.attribute.labels[device_os_type] |
device.type | principal.asset.attribute.labels[device_type] |
user.account_type | target.user.attribute.labels[user_account_type] | If activity_id is 1 or 2, user.account_type is mapped to the target.user.attribute.labels UDM field under the key user_account_type; otherwise it is mapped to principal.user.attribute.labels under the same key. |
user.account_type | principal.user.attribute.labels[user_account_type] | If activity_id is 1 or 2, user.account_type is mapped to the target.user.attribute.labels UDM field under the key user_account_type; otherwise it is mapped to principal.user.attribute.labels under the same key. |
user.account_type_id | target.user.attribute.labels[user_account_type_id] | If activity_id is 1 or 2, user.account_type_id is mapped to the target.user.attribute.labels UDM field under the key user_account_type_id; otherwise it is mapped to principal.user.attribute.labels under the same key. |
user.account_type_id | principal.user.attribute.labels[user_account_type_id] | If activity_id is 1 or 2, user.account_type_id is mapped to the target.user.attribute.labels UDM field under the key user_account_type_id; otherwise it is mapped to principal.user.attribute.labels under the same key. |
actor.session.uid_alt |
additional.fields[actor_session_uid_alt] |
|
actor.session.count |
additional.fields[actor_session_count] |
|
actor.session.expiration_reason |
additional.fields[actor_session_expiration_reason] |
|
actor.session.is_mfa |
additional.fields[actor_session_is_mfa] |
|
actor.session.terminal |
additional.fields[actor_session_terminal] |
|
actor.session.is_vpn |
additional.fields[actor_session_is_vpn] |
|
certificate.uid |
additional.fields[certificate_uid] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
http_request.length |
additional.fields[http_request_length] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_loggers_device_instance_uid] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_loggers_device_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_loggers_device_interface_uid] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_loggers_device_interface_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_loggers_device_region] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_loggers_device_type_id] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_loggers_product_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.product.name log field is mapped to the additional.fields[metadata_loggers_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_loggers_product_vendor_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_loggers_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_loggers_product_version] |
Iterate through the metadata.loggers log field, then the metadata.loggers.product.version log field is mapped to the additional.fields[metadata_loggers_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_loggers_product_uid] |
Iterate through the metadata.loggers log field, then the metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_loggers_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through the metadata.loggers log field, then the metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through the metadata.loggers log field, then the metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
session.uid_alt |
additional.fields[session_uid_alt] |
|
session.count |
additional.fields[session_count] |
|
session.expiration_reason |
additional.fields[session_expiration_reason] |
|
session.is_mfa |
additional.fields[session_is_mfa] |
|
session.terminal |
additional.fields[session_terminal] |
|
session.is_vpn |
additional.fields[session_is_vpn] |
|
src_endpoint.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
src_endpoint.hw_info.bios_ver |
principal.asset.hardware.model |
|
src_endpoint.hw_info.cpu_speed |
principal.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
src_endpoint.hw_info.cpu_type |
principal.asset.hardware.cpu_platform |
|
src_endpoint.hw_info.ram_size |
principal.asset.hardware.ram |
|
src_endpoint.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
src_endpoint.hw_info.cpu_bits |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] |
|
src_endpoint.hw_info.bios_date |
principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] |
|
src_endpoint.hw_info.cpu_count |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] |
|
src_endpoint.hw_info.chassis |
principal.asset.attribute.labels[src_endpoint_hw_info_chassis] |
|
src_endpoint.hw_info.desktop_display.color_depth |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.hw_info.desktop_display.physical_height |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.hw_info.desktop_display.physical_orientation |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.hw_info.desktop_display.physical_width |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.hw_info.desktop_display.scale_factor |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.hw_info.keyboard_info.function_keys |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.hw_info.keyboard_info.ime |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.hw_info.keyboard_info.keyboard_layout |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.hw_info.keyboard_info.keyboard_subtype |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.hw_info.keyboard_info.keyboard_type |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.zone |
principal.asset.attribute.labels[src_endpoint_zone] |
|
src_endpoint.type |
additional.fields[src_endpoint_type] |
|
src_endpoint.type_id |
additional.fields[src_endpoint_type_id] |
|
src_endpoint.os.cpe_name |
principal.asset.attribute.labels[src_endpoint_os_cpe_name] |
|
src_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
src_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
src_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
src_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
src_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
src_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
src_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
src_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
src_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
src_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
src_endpoint.proxy_endpoint.port |
intermediary.port |
|
src_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
src_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] |
|
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
src_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
src_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
src_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
src_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
src_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
src_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
src_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] |
|
src_endpoint.proxy_endpoint.type |
additional.fields[src_endpoint_proxy_endpoint_type] |
|
src_endpoint.proxy_endpoint.type_id |
additional.fields[src_endpoint_proxy_endpoint_type_id] |
|
src_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] |
|
user.ldap_person.email_addrs |
principal.user.email_addresses |
If the user.ldap_person.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field; otherwise, the user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.user.ldap_person.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field; otherwise, the actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the logon_process.user.ldap_person.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field; otherwise, the logon_process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the user.ldap_person.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field; otherwise, the user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.user.ldap_person.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field; otherwise, the actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the logon_process.user.ldap_person.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field; otherwise, the logon_process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
logon_process.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the user.ldap_person.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field; otherwise, the user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.user.ldap_person.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field; otherwise, the actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the logon_process.user.ldap_person.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field; otherwise, the logon_process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
user.ldap_person.employee_uid |
principal.user.employee_id |
If the user.ldap_person.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if the actor.user.ldap_person.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if the logon_process.user.ldap_person.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else,. |
actor.user.ldap_person.employee_uid |
principal.user.employee_id |
If the user.ldap_person.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if the actor.user.ldap_person.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if the logon_process.user.ldap_person.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else,. |
logon_process.user.ldap_person.employee_uid |
principal.user.employee_id |
If the user.ldap_person.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if the actor.user.ldap_person.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if the logon_process.user.ldap_person.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else,. |
user.ldap_person.given_name |
principal.user.first_name |
If the user.ldap_person.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field; otherwise, the user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the actor.user.ldap_person.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field; otherwise, the actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the logon_process.user.ldap_person.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field; otherwise, the logon_process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.user.ldap_person.given_name |
principal.user.first_name |
If the user.ldap_person.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field; otherwise, the user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the actor.user.ldap_person.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field; otherwise, the actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the logon_process.user.ldap_person.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field; otherwise, the logon_process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
logon_process.user.ldap_person.given_name |
principal.user.first_name |
If the user.ldap_person.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field; otherwise, the user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the actor.user.ldap_person.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field; otherwise, the actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the logon_process.user.ldap_person.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field; otherwise, the logon_process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
user.ldap_person.hire_time |
principal.user.hire_date |
If the user.ldap_person.hire_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field; otherwise, the user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the actor.user.ldap_person.hire_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field; otherwise, the actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the logon_process.user.ldap_person.hire_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field; otherwise, the logon_process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.user.ldap_person.hire_time |
principal.user.hire_date |
If the user.ldap_person.hire_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field; otherwise, the user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the actor.user.ldap_person.hire_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field; otherwise, the actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the logon_process.user.ldap_person.hire_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field; otherwise, the logon_process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
logon_process.user.ldap_person.hire_time |
principal.user.hire_date |
If the user.ldap_person.hire_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field; otherwise, the user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the actor.user.ldap_person.hire_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field; otherwise, the actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the logon_process.user.ldap_person.hire_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field; otherwise, the logon_process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
user.ldap_person.job_title |
principal.user.title |
If the user.ldap_person.job_title log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.job_title log field is mapped to the target.user.title UDM field; otherwise, the user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if the actor.user.ldap_person.job_title log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.job_title log field is mapped to the target.user.title UDM field; otherwise, the actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if the logon_process.user.ldap_person.job_title log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.job_title log field is mapped to the target.user.title UDM field; otherwise, the logon_process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.user.ldap_person.job_title |
principal.user.title |
If the user.ldap_person.job_title log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.job_title log field is mapped to the target.user.title UDM field; otherwise, the user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if the actor.user.ldap_person.job_title log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.job_title log field is mapped to the target.user.title UDM field; otherwise, the actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if the logon_process.user.ldap_person.job_title log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.job_title log field is mapped to the target.user.title UDM field; otherwise, the logon_process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
logon_process.user.ldap_person.job_title |
principal.user.title |
If the user.ldap_person.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.job_title log field is mapped to the target.user.title UDM field. Else, user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if actor.user.ldap_person.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.job_title log field is mapped to the target.user.title UDM field. Else, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if logon_process.user.ldap_person.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.job_title log field is mapped to the target.user.title UDM field. Else, logon_process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
user.ldap_person.last_login_time |
principal.user.last_login_time |
If the user.ldap_person.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. Else, user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if actor.user.ldap_person.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. Else, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if logon_process.user.ldap_person.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. Else, logon_process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the user.ldap_person.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. Else, user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if actor.user.ldap_person.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. Else, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if logon_process.user.ldap_person.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. Else, logon_process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
logon_process.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the user.ldap_person.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. Else, user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if actor.user.ldap_person.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. Else, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if logon_process.user.ldap_person.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. Else, logon_process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
user.ldap_person.office_location |
principal.user.office_address.name |
If the user.ldap_person.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. Else, user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if actor.user.ldap_person.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. Else, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if logon_process.user.ldap_person.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. Else, logon_process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.user.ldap_person.office_location |
principal.user.office_address.name |
If the user.ldap_person.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. Else, user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if actor.user.ldap_person.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. Else, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if logon_process.user.ldap_person.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. Else, logon_process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
logon_process.user.ldap_person.office_location |
principal.user.office_address.name |
If the user.ldap_person.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. Else, user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if actor.user.ldap_person.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. Else, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if logon_process.user.ldap_person.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. Else, logon_process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
user.ldap_person.surname |
principal.user.last_name |
If the user.ldap_person.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. Else, user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if actor.user.ldap_person.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. Else, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if logon_process.user.ldap_person.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. Else, logon_process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
actor.user.ldap_person.surname |
principal.user.last_name |
If the user.ldap_person.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. Else, user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if actor.user.ldap_person.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. Else, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if logon_process.user.ldap_person.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. Else, logon_process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
logon_process.user.ldap_person.surname |
principal.user.last_name |
If the user.ldap_person.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. Else, user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if actor.user.ldap_person.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. Else, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if logon_process.user.ldap_person.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. Else, logon_process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the user.ldap_person.cost_center log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if actor.user.ldap_person.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if logon_process.user.ldap_person.cost_center log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, logon_process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the user.ldap_person.cost_center log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if actor.user.ldap_person.cost_center log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if logon_process.user.ldap_person.cost_center log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, logon_process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
logon_process.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the user.ldap_person.cost_center log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if actor.user.ldap_person.cost_center log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if logon_process.user.ldap_person.cost_center log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, logon_process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the user.ldap_person.created_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if actor.user.ldap_person.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if logon_process.user.ldap_person.created_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, logon_process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the user.ldap_person.created_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if actor.user.ldap_person.created_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if logon_process.user.ldap_person.created_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, logon_process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
logon_process.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the user.ldap_person.created_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if actor.user.ldap_person.created_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if logon_process.user.ldap_person.created_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, logon_process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the user.ldap_person.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if actor.user.ldap_person.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if logon_process.user.ldap_person.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, logon_process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the user.ldap_person.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if actor.user.ldap_person.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if logon_process.user.ldap_person.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, logon_process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
logon_process.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the user.ldap_person.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if actor.user.ldap_person.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if logon_process.user.ldap_person.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, logon_process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
actor.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
logon_process.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the user.ldap_person.ldap_cn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, the user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.ldap_cn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, the actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the logon_process.user.ldap_person.ldap_cn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, the logon_process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the user.ldap_person.ldap_cn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, the user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.ldap_cn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, the actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the logon_process.user.ldap_person.ldap_cn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, the logon_process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
logon_process.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the user.ldap_person.ldap_cn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, the user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.ldap_cn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, the actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the logon_process.user.ldap_person.ldap_cn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, the logon_process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the user.ldap_person.ldap_dn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, the user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.ldap_dn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, the actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the logon_process.user.ldap_person.ldap_dn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, the logon_process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the user.ldap_person.ldap_dn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, the user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.ldap_dn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, the actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the logon_process.user.ldap_person.ldap_dn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, the logon_process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
logon_process.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the user.ldap_person.ldap_dn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, the user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.ldap_dn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, the actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the logon_process.user.ldap_person.ldap_dn log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, the logon_process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the user.ldap_person.labels log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, the user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.labels log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, the actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the logon_process.user.ldap_person.labels log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, the logon_process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
actor.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the user.ldap_person.labels log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, the user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.labels log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, the actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the logon_process.user.ldap_person.labels log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, the logon_process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
logon_process.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the user.ldap_person.labels log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, the user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.labels log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, the actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the logon_process.user.ldap_person.labels log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, the logon_process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the user.ldap_person.leave_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, the user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the actor.user.ldap_person.leave_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, the actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the logon_process.user.ldap_person.leave_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, the logon_process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the user.ldap_person.leave_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, the user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the actor.user.ldap_person.leave_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, the actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the logon_process.user.ldap_person.leave_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, the logon_process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
logon_process.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the user.ldap_person.leave_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, the user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the actor.user.ldap_person.leave_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, the actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the logon_process.user.ldap_person.leave_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, the logon_process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the user.ldap_person.modified_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, the user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the actor.user.ldap_person.modified_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, the actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the logon_process.user.ldap_person.modified_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, the logon_process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the user.ldap_person.modified_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, the user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the actor.user.ldap_person.modified_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, the actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the logon_process.user.ldap_person.modified_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, the logon_process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
logon_process.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the user.ldap_person.modified_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, the user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the actor.user.ldap_person.modified_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, the actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the logon_process.user.ldap_person.modified_time log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, the logon_process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the user.ldap_person.manager.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. Else, the user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.user.ldap_person.manager.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. Else, the actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. Else, if the logon_process.user.ldap_person.manager.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. Else, the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. |
actor.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the user.ldap_person.manager.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. Else, the user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.user.ldap_person.manager.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. Else, the actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. Else, if the logon_process.user.ldap_person.manager.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. Else, the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. |
logon_process.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the user.ldap_person.manager.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. Else, the user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.user.ldap_person.manager.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. Else, the actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. Else, if the logon_process.user.ldap_person.manager.email_addrs log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. Else, the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. |
user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the user.ldap_person.manager.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then, Else, Else, if the actor.user.ldap_person.manager.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then, Else, Else, if the logon_process.user.ldap_person.manager.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then, Else,. |
actor.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the user.ldap_person.manager.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then, Else, Else, if the actor.user.ldap_person.manager.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then, Else, Else, if the logon_process.user.ldap_person.manager.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then, Else,. |
logon_process.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the user.ldap_person.manager.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then, Else, Else, if the actor.user.ldap_person.manager.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then, Else, Else, if the logon_process.user.ldap_person.manager.employee_uid log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then, Else,. |
user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the user.ldap_person.manager.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. Else, the user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.user.ldap_person.manager.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. Else, the actor.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. Else, if the logon_process.user.ldap_person.manager.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. Else, the logon_process.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. |
actor.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the user.ldap_person.manager.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. Else, the user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.user.ldap_person.manager.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. Else, the actor.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. Else, if the logon_process.user.ldap_person.manager.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. Else, the logon_process.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. |
logon_process.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the user.ldap_person.manager.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. Else, the user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.user.ldap_person.manager.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the actor.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. Else, the actor.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. Else, if the logon_process.user.ldap_person.manager.given_name log field value is not empty and the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, then the logon_process.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. Else, the logon_process.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. |
user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the user.ldap_person.manager.hire_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. Else, user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. Else, if actor.user.ldap_person.manager.hire_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. Else, actor.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. Else, if logon_process.user.ldap_person.manager.hire_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. Else, logon_process.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. |
actor.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the user.ldap_person.manager.hire_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. Else, user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. Else, if actor.user.ldap_person.manager.hire_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. Else, actor.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. Else, if logon_process.user.ldap_person.manager.hire_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. Else, logon_process.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. |
logon_process.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the user.ldap_person.manager.hire_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. Else, user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. Else, if actor.user.ldap_person.manager.hire_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. Else, actor.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. Else, if logon_process.user.ldap_person.manager.hire_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. Else, logon_process.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. |
user.ldap_person.manager.job_title |
principal.user.managers.title |
If the user.ldap_person.manager.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. Else, user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. Else, if actor.user.ldap_person.manager.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. Else, actor.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. Else, if logon_process.user.ldap_person.manager.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. Else, logon_process.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. |
actor.user.ldap_person.manager.job_title |
principal.user.managers.title |
If the user.ldap_person.manager.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. Else, user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. Else, if actor.user.ldap_person.manager.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. Else, actor.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. Else, if logon_process.user.ldap_person.manager.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. Else, logon_process.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. |
logon_process.user.ldap_person.manager.job_title |
principal.user.managers.title |
If the user.ldap_person.manager.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. Else, user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. Else, if actor.user.ldap_person.manager.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. Else, actor.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. Else, if logon_process.user.ldap_person.manager.job_title log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. Else, logon_process.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. |
user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the user.ldap_person.manager.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. Else, user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. Else, if actor.user.ldap_person.manager.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. Else, actor.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. Else, if logon_process.user.ldap_person.manager.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. Else, logon_process.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. |
actor.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the user.ldap_person.manager.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. Else, user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. Else, if actor.user.ldap_person.manager.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. Else, actor.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. Else, if logon_process.user.ldap_person.manager.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. Else, logon_process.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. |
logon_process.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the user.ldap_person.manager.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. Else, user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. Else, if actor.user.ldap_person.manager.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. Else, actor.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. Else, if logon_process.user.ldap_person.manager.last_login_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. Else, logon_process.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. |
user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the user.ldap_person.manager.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. Else, user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. Else, if actor.user.ldap_person.manager.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. Else, actor.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. Else, if logon_process.user.ldap_person.manager.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. Else, logon_process.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. |
actor.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the user.ldap_person.manager.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. Else, user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. Else, if actor.user.ldap_person.manager.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. Else, actor.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. Else, if logon_process.user.ldap_person.manager.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. Else, logon_process.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. |
logon_process.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the user.ldap_person.manager.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. Else, user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. Else, if actor.user.ldap_person.manager.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. Else, actor.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. Else, if logon_process.user.ldap_person.manager.office_location log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. Else, logon_process.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. |
user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the user.ldap_person.manager.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. Else, user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. Else, if actor.user.ldap_person.manager.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. Else, actor.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. Else, if logon_process.user.ldap_person.manager.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. Else, logon_process.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. |
actor.user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the user.ldap_person.manager.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. Else, user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. Else, if actor.user.ldap_person.manager.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. Else, actor.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. Else, if logon_process.user.ldap_person.manager.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. Else, logon_process.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. |
logon_process.user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the user.ldap_person.manager.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. Else, user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. Else, if actor.user.ldap_person.manager.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. Else, actor.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. Else, if logon_process.user.ldap_person.manager.surname log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. Else, logon_process.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. |
user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] |
If the user.ldap_person.manager.leave_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if actor.user.ldap_person.manager.leave_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, actor.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if logon_process.user.ldap_person.manager.leave_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, logon_process.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] |
If the user.ldap_person.manager.leave_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if actor.user.ldap_person.manager.leave_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, actor.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if logon_process.user.ldap_person.manager.leave_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, logon_process.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
logon_process.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] |
If the user.ldap_person.manager.leave_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if actor.user.ldap_person.manager.leave_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, actor.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if logon_process.user.ldap_person.manager.leave_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, logon_process.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] |
If the user.ldap_person.manager.modified_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if actor.user.ldap_person.manager.modified_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, actor.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if logon_process.user.ldap_person.manager.modified_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, logon_process.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] |
If the user.ldap_person.manager.modified_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if actor.user.ldap_person.manager.modified_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, actor.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if logon_process.user.ldap_person.manager.modified_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, logon_process.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
logon_process.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] |
If the user.ldap_person.manager.modified_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if actor.user.ldap_person.manager.modified_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, actor.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if logon_process.user.ldap_person.manager.modified_time log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, logon_process.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] |
If the user.ldap_person.manager.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.manager.ldap_cn log field value is not empty, the actor.user.ldap_person.manager.ldap_cn log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.ldap_cn log field value is not empty, the logon_process.user.ldap_person.manager.ldap_cn log field is mapped to the same target or principal UDM field by the same activity_id rule. |
actor.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] |
If the user.ldap_person.manager.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.manager.ldap_cn log field value is not empty, the actor.user.ldap_person.manager.ldap_cn log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.ldap_cn log field value is not empty, the logon_process.user.ldap_person.manager.ldap_cn log field is mapped to the same target or principal UDM field by the same activity_id rule. |
logon_process.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] |
If the user.ldap_person.manager.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.manager.ldap_cn log field value is not empty, the actor.user.ldap_person.manager.ldap_cn log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.ldap_cn log field value is not empty, the logon_process.user.ldap_person.manager.ldap_cn log field is mapped to the same target or principal UDM field by the same activity_id rule. |
user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] |
If the user.ldap_person.manager.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.manager.ldap_dn log field value is not empty, the actor.user.ldap_person.manager.ldap_dn log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.ldap_dn log field value is not empty, the logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the same target or principal UDM field by the same activity_id rule. |
actor.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] |
If the user.ldap_person.manager.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.manager.ldap_dn log field value is not empty, the actor.user.ldap_person.manager.ldap_dn log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.ldap_dn log field value is not empty, the logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the same target or principal UDM field by the same activity_id rule. |
logon_process.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] |
If the user.ldap_person.manager.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.manager.ldap_dn log field value is not empty, the actor.user.ldap_person.manager.ldap_dn log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.ldap_dn log field value is not empty, the logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the same target or principal UDM field by the same activity_id rule. |
user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_manager_ldap_person_labels] |
If the user.ldap_person.manager.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.manager.labels log field value is not empty, the actor.user.ldap_person.manager.labels log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.labels log field value is not empty, the logon_process.user.ldap_person.manager.labels log field is mapped to the same target or principal UDM field by the same activity_id rule. |
actor.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_manager_ldap_person_labels] |
If the user.ldap_person.manager.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.manager.labels log field value is not empty, the actor.user.ldap_person.manager.labels log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.labels log field value is not empty, the logon_process.user.ldap_person.manager.labels log field is mapped to the same target or principal UDM field by the same activity_id rule. |
logon_process.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_manager_ldap_person_labels] |
If the user.ldap_person.manager.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.manager.labels log field value is not empty, the actor.user.ldap_person.manager.labels log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.labels log field value is not empty, the logon_process.user.ldap_person.manager.labels log field is mapped to the same target or principal UDM field by the same activity_id rule. |
user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] |
If the user.ldap_person.manager.cost_center log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if the actor.user.ldap_person.manager.cost_center log field value is not empty, the actor.user.ldap_person.manager.cost_center log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.cost_center log field value is not empty, the logon_process.user.ldap_person.manager.cost_center log field is mapped to the same target or principal UDM field by the same activity_id rule. |
actor.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] |
If the user.ldap_person.manager.cost_center log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if the actor.user.ldap_person.manager.cost_center log field value is not empty, the actor.user.ldap_person.manager.cost_center log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.cost_center log field value is not empty, the logon_process.user.ldap_person.manager.cost_center log field is mapped to the same target or principal UDM field by the same activity_id rule. |
logon_process.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] |
If the user.ldap_person.manager.cost_center log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if the actor.user.ldap_person.manager.cost_center log field value is not empty, the actor.user.ldap_person.manager.cost_center log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.cost_center log field value is not empty, the logon_process.user.ldap_person.manager.cost_center log field is mapped to the same target or principal UDM field by the same activity_id rule. |
user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] |
If the user.ldap_person.manager.created_time log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if the actor.user.ldap_person.manager.created_time log field value is not empty, the actor.user.ldap_person.manager.created_time log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.created_time log field value is not empty, the logon_process.user.ldap_person.manager.created_time log field is mapped to the same target or principal UDM field by the same activity_id rule. |
actor.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] |
If the user.ldap_person.manager.created_time log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if the actor.user.ldap_person.manager.created_time log field value is not empty, the actor.user.ldap_person.manager.created_time log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.created_time log field value is not empty, the logon_process.user.ldap_person.manager.created_time log field is mapped to the same target or principal UDM field by the same activity_id rule. |
logon_process.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] |
If the user.ldap_person.manager.created_time log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if the actor.user.ldap_person.manager.created_time log field value is not empty, the actor.user.ldap_person.manager.created_time log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.created_time log field value is not empty, the logon_process.user.ldap_person.manager.created_time log field is mapped to the same target or principal UDM field by the same activity_id rule. |
user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] |
If the user.ldap_person.manager.deleted_time log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if the actor.user.ldap_person.manager.deleted_time log field value is not empty, the actor.user.ldap_person.manager.deleted_time log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.deleted_time log field value is not empty, the logon_process.user.ldap_person.manager.deleted_time log field is mapped to the same target or principal UDM field by the same activity_id rule. |
actor.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] |
If the user.ldap_person.manager.deleted_time log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if the actor.user.ldap_person.manager.deleted_time log field value is not empty, the actor.user.ldap_person.manager.deleted_time log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.deleted_time log field value is not empty, the logon_process.user.ldap_person.manager.deleted_time log field is mapped to the same target or principal UDM field by the same activity_id rule. |
logon_process.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] |
If the user.ldap_person.manager.deleted_time log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if the actor.user.ldap_person.manager.deleted_time log field value is not empty, the actor.user.ldap_person.manager.deleted_time log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.deleted_time log field value is not empty, the logon_process.user.ldap_person.manager.deleted_time log field is mapped to the same target or principal UDM field by the same activity_id rule. |
user.ldap_person.manager.location |
principal.user.managers.attribute.labels[user_manager_ldap_person_location] |
If the user.ldap_person.manager.location log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if the actor.user.ldap_person.manager.location log field value is not empty, the actor.user.ldap_person.manager.location log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.location log field value is not empty, the logon_process.user.ldap_person.manager.location log field is mapped to the same target or principal UDM field by the same activity_id rule. |
actor.user.ldap_person.manager.location |
principal.user.managers.attribute.labels[user_manager_ldap_person_location] |
If the user.ldap_person.manager.location log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if the actor.user.ldap_person.manager.location log field value is not empty, the actor.user.ldap_person.manager.location log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.location log field value is not empty, the logon_process.user.ldap_person.manager.location log field is mapped to the same target or principal UDM field by the same activity_id rule. |
logon_process.user.ldap_person.manager.location |
principal.user.managers.attribute.labels[user_manager_ldap_person_location] |
If the user.ldap_person.manager.location log field value is not empty, then: if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2, the user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field; otherwise it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if the actor.user.ldap_person.manager.location log field value is not empty, the actor.user.ldap_person.manager.location log field is mapped to the same target or principal UDM field by the same activity_id rule. Else, if the logon_process.user.ldap_person.manager.location log field value is not empty, the logon_process.user.ldap_person.manager.location log field is mapped to the same target or principal UDM field by the same activity_id rule. |
user.groups.domain |
principal.user.group_identifiers |
If the user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then,iterate through log field user.groups , then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else,iterate through log field user.groups , then user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field.Else, if actor.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then,iterate through log field user.groups , then actor.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else,iterate through log field user.groups , then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field.Else, if logon_process.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then,iterate through log field user.groups , then logon_process.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else,iterate through log field user.groups , then logon_process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.groups.domain |
principal.user.group_identifiers |
If the user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then,iterate through log field user.groups , then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else,iterate through log field user.groups , then user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field.Else, if actor.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then,iterate through log field user.groups , then actor.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else,iterate through log field user.groups , then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field.Else, if logon_process.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then,iterate through log field user.groups , then logon_process.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else,iterate through log field user.groups , then logon_process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
logon_process.user.groups.domain |
principal.user.group_identifiers |
If the user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then,iterate through log field user.groups , then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else,iterate through log field user.groups , then user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field.Else, if actor.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then,iterate through log field user.groups , then actor.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else,iterate through log field user.groups , then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field.Else, if logon_process.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 orthe activity_id log field value is equal to 2 then,iterate through log field user.groups , then logon_process.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else,iterate through log field user.groups , then logon_process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
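The following is an added example, not the OCSF parser's own code and not published by Google SecOps: a small Python reference implementation of several of the rules these tables describe, so that the UDM output a rule will be matched against can be predicted from a raw OCSF event before the rule is written. It covers the activity_id-dependent target/principal routing of groups[].domain from the Authentication table above, and from the Authorize Session table that follows the severity_id, device.os.type_id, device.type_id and activity_id enumerations with their documented defaults, the session.uid fallback to actor.session.uid, and the observables.type_id dispatch onto observer.* fields. Function names, the dotted-path helper and the sample events are constructed for this example; the page gates each group source on ldap_person.groups.domain being non-empty, which is simplified here (an assumption) to groups[].domain being present.

```python
"""Reference implementation of a few OCSF -> UDM mapping rules from this page.
Added example, not the parser's code; the sample events below are constructed."""

SEVERITY = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}
PLATFORM = {100: "WINDOWS", 101: "WINDOWS", 200: "LINUX", 201: "ANDROID", 300: "MAC", 301: "IOS"}
ASSET_TYPE = {1: "SERVER", 2: "WORKSTATION", 3: "LAPTOP", 4: "MOBILE", 5: "MOBILE", 7: "IOT"}
AUTHZ_EVENT_TYPE = {1: "USER_CHANGE_PERMISSIONS", 2: "GROUP_MODIFICATION"}
# observables[].type_id -> observer.* UDM field, as listed in the Authorize Session table
OBSERVABLE_FIELD = {
    1: "observer.hostname", 2: "observer.ip", 3: "observer.mac",
    4: "observer.user.userid", 5: "observer.user.email_addresses", 6: "observer.url",
    7: "observer.file.names", 8: "observer.file.vhash", 9: "observer.process.file.names",
    10: "observer.resource.product_object_id",
}


def get_path(obj, dotted):
    """Walk a dotted OCSF path such as 'device.os.type_id'; None if any hop is missing."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def map_enums(event):
    """Enumerated fields with their documented defaults, plus the session.uid fallback."""
    udm = {"security_result.severity": SEVERITY.get(event.get("severity_id"), "UNKNOWN_SEVERITY")}
    os_type = get_path(event, "device.os.type_id")
    if os_type is not None:
        udm["principal.asset.platform_software.platform"] = PLATFORM.get(os_type, "UNKNOWN_PLATFORM")
    dev_type = get_path(event, "device.type_id")
    if dev_type is not None:
        udm["principal.asset.type"] = ASSET_TYPE.get(dev_type, "ROLE_UNSPECIFIED")
    if event.get("class_name") == "Authorize Session":
        udm["metadata.event_type"] = AUTHZ_EVENT_TYPE.get(event.get("activity_id"), "USER_UNCATEGORIZED")
    # session.uid wins; actor.session.uid is only used when session.uid is empty
    session_id = get_path(event, "session.uid") or get_path(event, "actor.session.uid")
    if session_id:
        udm["network.session_id"] = session_id
    return udm


def map_observables(observables):
    """observables[] dispatch on type_id. Read literally, the documented rule gates only the
    hostname branch (type_id 1) on index 0, so a hostname observable that is not first in the
    list is dropped; every other type is routed purely by type_id."""
    udm = {}
    for idx, obs in enumerate(observables):
        type_id, value = obs.get("type_id"), obs.get("value")
        field = OBSERVABLE_FIELD.get(type_id)
        if field is None or value in (None, ""):
            continue
        if type_id == 1 and idx != 0:
            continue
        udm.setdefault(field, []).append(value)
    return udm


def map_group_domains(event):
    """Authentication class: groups[].domain goes to target.user.group_identifiers when
    activity_id is 1 or 2 (Logon/Logoff) and to principal.user.group_identifiers otherwise.
    Source preference is user, then actor.user, then logon_process.user (first non-empty wins)."""
    side = "target" if event.get("activity_id") in (1, 2) else "principal"
    for src in ("user", "actor.user", "logon_process.user"):
        groups = get_path(event, src + ".groups") or []
        domains = [g.get("domain") for g in groups if isinstance(g, dict) and g.get("domain")]
        if domains:
            return {f"{side}.user.group_identifiers": domains}
    return {}


# Constructed samples, shaped like the page's Windows logon sample
SAMPLE_AUTHZ = {
    "class_name": "Authorize Session", "activity_id": 2, "severity_id": 3,
    "device": {"os": {"type_id": 100}, "type_id": 2},
    "actor": {"session": {"uid": "0x3e7"}},
    "observables": [
        {"type_id": 2, "value": "198.51.100.4"},
        {"type_id": 1, "value": "host-a"},  # dropped by the index-0 gate
        {"type_id": 7, "value": "svchost.exe"},
    ],
}
SAMPLE_AUTHN = {
    "class_name": "Authentication", "activity_id": 1,
    "actor": {"user": {"groups": [{"domain": "corp.example", "name": "Admins"}]}},
}

if __name__ == "__main__":
    print(map_enums(SAMPLE_AUTHZ))
    print(map_observables(SAMPLE_AUTHZ["observables"]))
    print(map_group_domains(SAMPLE_AUTHN))
```

Running it prints the UDM paths the tables say the parser populates for each sample. The observables case is the one worth internalising: under the documented rule only the first observable can land in observer.hostname, so a rule that keys on observer.hostname should be validated against events where the hostname observable is not first.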
Field mapping reference: OCSF Authorize Session
The following table lists the log fields for the Authorize Session log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES . Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE . Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
cloud.org.name |
about.resource.name |
|
cloud.org.uid |
about.resource.product_object_id |
|
dst_endpoint.intermediate_ips |
intermediary.ip |
|
api.response.message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
message |
metadata.description |
|
time |
metadata.event_timestamp |
|
activity_id |
metadata.event_type |
If the class_name log field value is equal to Authorize Session and if the activity_id log field value is equal to 1 then, the metadata.event_type UDM field is set to USER_CHANGE_PERMISSIONS . Else, if the activity_id log field value is equal to 2 then, the metadata.event_type UDM field is set to GROUP_MODIFICATION . Else, the metadata.event_type UDM field is set to USER_UNCATEGORIZED . |
class_name |
metadata.log_type |
|
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
metadata.uid |
metadata.product_log_id |
|
metadata.product.name |
metadata.product_name |
|
metadata.product.version |
metadata.product_version |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.logged_time |
metadata.collected_timestamp |
|
api.response.code |
network.http.response_code |
|
session.uid |
network.session_id |
If the session.uid log field value is empty then, actor.session.uid log field is mapped to the network.session_id UDM field. |
actor.session.uid |
network.session_id |
If the session.uid log field value is empty then, actor.session.uid log field is mapped to the network.session_id UDM field. |
observables.value |
observer.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
actor.process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.domain |
principal.administrative_domain |
|
device.created_time |
principal.asset.attribute.creation_time |
|
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.first_seen_time |
principal.asset.first_seen_time |
|
device.hw_info.cpu_speed |
principal.asset.hardware.cpu_clock_speed |
|
device.hw_info.cpu_type |
principal.asset.hardware.cpu_model |
|
device.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
device.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
device.hw_info.ram_size |
principal.asset.hardware.ram |
|
device.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
device.hostname |
principal.asset.hostname |
|
device.ip |
principal.asset.ip |
|
device.location.city |
principal.asset.location.city |
|
device.location.country |
principal.asset.location.country_or_region |
|
device.region |
principal.asset.location.name |
|
device.location.coordinates.0 |
principal.asset.location.region_coordinates.longitude |
|
device.location.coordinates.1 |
principal.asset.location.region_coordinates.latitude |
|
device.location.region |
principal.asset.loction.name |
If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
device.mac |
principal.asset.mac |
|
device.domain |
principal.asset.network_domain |
|
device.os.type_id |
principal.asset.platform_software.platform |
If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS . Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX . Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID . Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC . Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS . Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM . |
device.os.version |
principal.asset.platform_software.platform_version |
|
device.uid |
principal.asset.product_object_id |
|
device.type_id |
principal.asset.type |
If the device.type_id log field value is equal to 1 then, the principal.asset.type UDM field is set to SERVER . Else, if device.type_id log field value is equal to 2 then, the principal.asset.type UDM field is set to WORKSTATION . Else, if device.type_id log field value is equal to 3 then, the principal.asset.type UDM field is set to LAPTOP . Else, if device.type_id log field value is equal to 4 or the device.type_id log field value is equal to 5 then, the principal.asset.type UDM field is set to MOBILE . Else, if device.type_id log field value is equal to 7 then, the principal.asset.type UDM field is set to IOT . Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED . |
actor.process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
|
actor.process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.user.groups.name |
principal.group.group_display_name |
|
actor.process.cmd_line |
principal.process.command_line |
|
actor.process.file.created_time |
principal.process.file.first_seen_time |
|
actor.process.file.path |
principal.process.file.full_path |
|
actor.process.file.modified_time |
principal.process.file.last_modification_time |
|
actor.process.file.accessed_time |
principal.process.file.last_seen_time |
|
actor.process.file.mime_type |
principal.process.file.mime_type |
|
actor.process.file.name |
principal.process.file.names |
|
actor.process.file.size |
principal.process.file.size |
|
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
|
actor.process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
|
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
|
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
|
actor.process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
|
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
|
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
|
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
|
actor.process.parent_process.pid |
principal.process.parent_process.pid |
|
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
|
actor.process.pid |
principal.process.pid |
|
actor.process.uid |
principal.process.product_specific_process_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
actor.process.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is empty and if the type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.user.type_id |
principal.user.attribute.roles.name |
If the type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is empty then, %{actor.process.user.org.name} log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.name |
principal.user.company_name |
|
actor.process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is empty then, %{actor.process.user.org.ou_name} log field is mapped to the principal.user.department UDM field. |
actor.user.org.ou_name |
principal.user.department |
|
actor.process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is empty then, %{actor.process.user.email_addr} log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
|
actor.process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is empty then, %{actor.process.user.groups.uid} log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.groups.uid |
principal.user.group_identifiers |
|
actor.process.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is empty then, %{actor.process.user.full_name} log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.full_name |
principal.user.user_display_name |
|
actor.process.user.name |
principal.user.userid |
If the actor.user.name log field value is empty then, %{actor.process.user.name} log field is mapped to the principal.user.userid UDM field. |
actor.user.name |
principal.user.userid |
|
actor.process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is empty then, %{actor.process.user.uid} log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.uid |
principal.user.product_object_id |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL . Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW . Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM . Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH . Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL . Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY . |
severity |
security_result.severity_details |
|
user.domain |
target.administrative_domain |
|
api.service.name |
target.application |
If the dst_endpoint.svc_name log field value is empty then, api.service.name log field is mapped to the target.application UDM field. |
dst_endpoint.svc_name |
target.application |
|
dst_endpoint.uid |
target.asset_id |
|
dst_endpoint.domain |
target.domain.name |
|
group.privileges |
target.group.attribute.permissions.name |
If the user.groups.privileges log field value is empty then, group.privileges log field is mapped to the target.group.attribute.permissions.name UDM field. |
user.groups.privileges |
target.group.attribute.permissions.name |
|
group.name |
target.group.group_display_name |
If the user.groups.name log field value is empty then, group.name log field is mapped to the target.group.group_display_name UDM field. |
user.groups.name |
target.group.group_display_name |
|
dst_endpoint.hostname |
target.hostname |
|
dst_endpoint.ip |
target.ip |
|
dst_endpoint.location.city |
target.location.city |
|
dst_endpoint.location.country |
target.location.country_or_region |
|
dst_endpoint.location.region |
target.location.name |
|
dst_endpoint.location.coordinates |
target.location.region_coordinates.longitude/latitude |
|
dst_endpoint.mac |
target.mac |
|
dst_endpoint.port |
target.port |
|
privileges |
target.user.attribute.permissions.name |
|
user.type_id |
target.user.attribute.roles.name |
If the user.type_id log field value is equal to 0 then, the target.user.attribute.roles.name UDM field is set to Unknown . Else, if user.type_id log field value is equal to 1 then, the target.user.attribute.roles.name UDM field is set to User . Else, if user.type_id log field value is equal to 2 then, the target.user.attribute.roles.name UDM field is set to Admin . Else, if user.type_id log field value is equal to 3 then, the target.user.attribute.roles.name UDM field is set to System . Else, the target.user.attribute.roles.name UDM field is set to Other . |
user.org.name |
target.user.company_name |
|
user.org.ou_name |
target.user.department |
|
user.email_addr |
target.user.email_addresses |
|
group.uid |
target.user.group_identifiers |
If the user.groups.uid log field value is empty then, group.uid log field is mapped to the target.user.group_identifiers UDM field. |
user.groups.uid |
target.user.group_identifiers |
|
user.full_name |
target.user.user_display_name |
|
user.name |
target.user.userid |
|
user.uid |
target.user.product_object_id |
|
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
group.domain |
principal.user.group_identifiers |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers , then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers , then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers , then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers , then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through log field metadata.loggers , then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through log field metadata.loggers , then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through log field metadata.loggers , then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through log field metadata.loggers , then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through log field metadata.loggers , then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through log field metadata.loggers , then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through log field metadata.loggers , then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through log field metadata.loggers , then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through log field metadata.loggers , then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
session.uid_alt |
additional.fields[session_uid_alt] |
|
session.count |
additional.fields[session_count] |
|
session.expiration_reason |
additional.fields[session_expiration_reason] |
|
session.is_mfa |
additional.fields[session_is_mfa] |
|
session.terminal |
additional.fields[session_terminal] |
|
session.is_vpn |
additional.fields[session_is_vpn] |
|
user.ldap_person.cost_center |
target.user.attribute.labels[user_ldap_person_cost_center] |
If the user.ldap_person.cost_center log field value is not empty then, user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
user.ldap_person.created_time |
target.user.attribute.labels[user_ldap_person_created_time] |
If the user.ldap_person.created_time log field value is not empty then, user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[user_ldap_person_created_time] UDM field. |
user.ldap_person.deleted_time |
target.user.attribute.labels[user_ldap_person_deleted_time] |
If the user.ldap_person.deleted_time log field value is not empty then, user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
user.ldap_person.email_addrs |
target.user.email_addresses |
If the user.ldap_person.email_addrs log field value is not empty then, user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. |
user.ldap_person.employee_uid |
target.user.employee_uid |
If the user.ldap_person.employee_uid log field value is not empty then, user.ldap_person.employee_uid log field is mapped to the target.user.employee_uid UDM field. |
user.ldap_person.location |
target.user.attribute.labels[user_ldap_person_location] |
If the user.ldap_person.location log field value is not empty then, user.ldap_person.location log field is mapped to the target.user.attribute.labels[user_ldap_person_location] UDM field. |
user.ldap_person.given_name |
target.user.first_name |
If the user.ldap_person.given_name log field value is not empty then, user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. |
user.ldap_person.hire_time |
target.user.hire_date |
If the user.ldap_person.hire_time log field value is not empty then, user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. |
user.ldap_person.job_title |
target.user.title |
If the user.ldap_person.job_title log field value is not empty then, user.ldap_person.job_title log field is mapped to the target.user.title UDM field. |
user.ldap_person.ldap_cn |
target.user.attribute.labels[user_ldap_person_ldap_cn] |
If the user.ldap_person.ldap_cn log field value is not empty then, user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
user.ldap_person.ldap_dn |
target.user.attribute.labels[user_ldap_person_ldap_dn] |
If the user.ldap_person.ldap_dn log field value is not empty then, user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
user.ldap_person.labels |
target.user.attribute.labels[user_ldap_person_labels] |
If the user.ldap_person.labels log field value is not empty then, user.ldap_person.labels log field is mapped to the target.user.attribute.labels[user_ldap_person_labels] UDM field. |
user.ldap_person.last_login_time |
target.user.last_login_time |
If the user.ldap_person.last_login_time log field value is not empty then, user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. |
user.ldap_person.leave_time |
target.user.attribute.labels[user_ldap_person_leave_time] |
If the user.ldap_person.leave_time log field value is not empty then, user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
user.ldap_person.modified_time |
target.user.attribute.labels[user_ldap_person_modified_time] |
If the user.ldap_person.modified_time log field value is not empty then, user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
user.ldap_person.office_location |
target.user.office_address.name |
If the user.ldap_person.office_location log field value is not empty then, user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. |
user.ldap_person.surname |
target.user.last_name |
If the user.ldap_person.surname log field value is not empty then, user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. |
user.ldap_person.manager.cost_center |
target.user.managers.attribute.labels[user_ldap_person_manager_cost_center] |
If the user.ldap_person.manager.cost_center log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_cost_center] UDM field. |
user.ldap_person.manager.created_time |
target.user.managers.attribute.labels[user_ldap_person_manager_created_time] |
If the user.ldap_person.manager.created_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_created_time] UDM field. |
user.ldap_person.manager.deleted_time |
target.user.managers.attribute.labels[user_ldap_person_manager_deleted_time] |
If the user.ldap_person.manager.deleted_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_deleted_time] UDM field. |
user.ldap_person.manager.email_addrs |
target.user.managers.email_addresses |
If the user.ldap_person.manager.email_addrs log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. |
user.ldap_person.manager.employee_uid |
target.user.managers.employee_uid |
If the user.ldap_person.manager.employee_uid log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field. |
user.ldap_person.manager.location |
target.user.managers.attribute.labels[user_ldap_person_manager_location] |
If the user.ldap_person.manager.location log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_location] UDM field. |
user.ldap_person.manager.given_name |
target.user.managers.first_name |
If the user.ldap_person.manager.given_name log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. |
user.ldap_person.manager.hire_time |
target.user.managers.hire_date |
If the user.ldap_person.manager.hire_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. |
user.ldap_person.manager.job_title |
target.user.managers.title |
If the user.ldap_person.manager.job_title log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. |
user.ldap_person.manager.ldap_cn |
target.user.managers.attribute.labels[user_ldap_person_manager_ldap_cn] |
If the user.ldap_person.manager.ldap_cn log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_ldap_cn] UDM field. |
user.ldap_person.manager.ldap_dn |
target.user.managers.attribute.labels[user_ldap_person_manager_ldap_dn] |
If the user.ldap_person.manager.ldap_dn log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_ldap_dn] UDM field. |
user.ldap_person.manager.labels |
target.user.managers.attribute.labels[user_ldap_person_manager_labels] |
If the user.ldap_person.manager.labels log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_labels] UDM field. |
user.ldap_person.manager.last_login_time |
target.user.managers.last_login_time |
If the user.ldap_person.manager.last_login_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. |
user.ldap_person.manager.leave_time |
target.user.managers.attribute.labels[user_ldap_person_manager_leave_time] |
If the user.ldap_person.manager.leave_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_leave_time] UDM field. |
user.ldap_person.manager.modified_time |
target.user.managers.attribute.labels[user_ldap_person_manager_modified_time] |
If the user.ldap_person.manager.modified_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_modified_time] UDM field. |
user.ldap_person.manager.office_location |
target.user.managers.office_address.name |
If the user.ldap_person.manager.office_location log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. |
user.ldap_person.manager.surname |
target.user.managers.last_name |
If the user.ldap_person.manager.surname log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. |
user.groups.domain |
target.user.group_identifiers |
If the user.groups log field value is not empty then, iterate through log field user.groups, then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. |
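The Authentication table above combines several kinds of rule: plain copies, "if X is empty then Y is mapped" fallbacks, string concatenation (category_uid - category_name), enumerations (severity_id, user.type_id) and array iteration (metadata.loggers). The following is an added example written for this page, not the Google SecOps parser's own code, that applies a representative subset of those rules to a constructed OCSF Authentication event so the behaviour can be checked offline, for instance when validating a custom OCSF producer before onboarding it. It models UDM fields as flat dotted keys in a dict, which is an assumption for readability, and the event values are made up.

```python
"""Added example for this page (not the Google SecOps OCSF parser): applies a subset
of the Authentication -> UDM rules above to a constructed event. UDM = dotted keys."""

SEVERITY_BY_ID = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}
ROLE_BY_USER_TYPE_ID = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}

# Constructed OCSF Authentication event (all values made up). actor.user.name and
# actor.user.full_name are deliberately empty so the actor.process.user fallback fires.
SAMPLE_EVENT = {
    "category_uid": 3, "category_name": "Audit Activity",
    "severity_id": 4, "severity": "High",
    "actor": {
        "user": {"name": "", "full_name": "", "uid": "S-1-5-21-1-2-3-1001",
                 "groups": [{"uid": "S-1-5-32-544"}]},
        "process": {"user": {"name": "svc-backup", "full_name": "Backup Service"}},
    },
    "user": {"name": "administrator", "type_id": 2, "domain": "CORP"},
    "dst_endpoint": {"hostname": "dc01", "ip": "198.51.100.4", "port": 389,
                     "uid": "asset-0042", "svc_name": "ldap"},
    "api": {"service": {"name": "directory-service"}},
    "metadata": {"loggers": [
        {"device": {"hostname": "collector-01", "ip": "203.0.113.7", "uid": "dev-7"}},
        {"device": {"hostname": "collector-02", "ip": "203.0.113.8"}},
    ]},
}

def get_path(obj, dotted):
    """Resolve a dotted path such as 'actor.user.name'; None when any part is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def first_non_empty(event, *paths):
    """The table's 'if X is empty then Y is mapped' rule: first non-empty value wins."""
    for path in paths:
        value = get_path(event, path)
        if value not in (None, "", [], {}):
            return value
    return None

def map_severity(severity_id):
    """severity_id 1..5 -> INFORMATIONAL..CRITICAL; anything else -> UNKNOWN_SEVERITY."""
    return SEVERITY_BY_ID.get(severity_id, "UNKNOWN_SEVERITY")

def map_user_role(type_id):
    """user.type_id 0..3 -> Unknown/User/Admin/System; anything else -> Other."""
    return ROLE_BY_USER_TYPE_ID.get(type_id, "Other")

def map_authentication(event):
    """Return a flat dict of UDM field name -> value for the documented subset."""
    udm = {}
    # principal.user.*: actor.user.* is primary, actor.process.user.* is the fallback.
    for udm_field, primary, fallback in (
        ("principal.user.userid", "actor.user.name", "actor.process.user.name"),
        ("principal.user.user_display_name", "actor.user.full_name", "actor.process.user.full_name"),
        ("principal.user.product_object_id", "actor.user.uid", "actor.process.user.uid"),
    ):
        value = first_non_empty(event, primary, fallback)
        if value is not None:
            udm[udm_field] = value
    groups = first_non_empty(event, "actor.user.groups", "actor.process.user.groups") or []
    udm["principal.user.group_identifiers"] = [g["uid"] for g in groups if g.get("uid")]

    # security_result: "<category_uid> - <category_name>", enumerated severity, raw severity text.
    if "category_uid" in event and "category_name" in event:
        udm["security_result.category_details"] = f"{event['category_uid']} - {event['category_name']}"
    udm["security_result.severity"] = map_severity(event.get("severity_id"))
    if event.get("severity"):
        udm["security_result.severity_details"] = event["severity"]

    # target.*: plain copies, plus api.service.name as the fallback for target.application.
    for udm_field, path in (
        ("target.hostname", "dst_endpoint.hostname"), ("target.ip", "dst_endpoint.ip"),
        ("target.port", "dst_endpoint.port"), ("target.asset_id", "dst_endpoint.uid"),
        ("target.user.userid", "user.name"), ("target.administrative_domain", "user.domain"),
    ):
        value = get_path(event, path)
        if value not in (None, ""):
            udm[udm_field] = value
    app = first_non_empty(event, "dst_endpoint.svc_name", "api.service.name")
    if app is not None:
        udm["target.application"] = app
    if get_path(event, "user.type_id") is not None:
        udm["target.user.attribute.roles.name"] = map_user_role(event["user"]["type_id"])

    # metadata.loggers: the table iterates the array, so emit one about.* entity per logger.
    about = []
    for logger in get_path(event, "metadata.loggers") or []:
        device = logger.get("device", {})
        entity = {}
        if device.get("hostname"):
            entity["asset.hostname"] = device["hostname"]
        if device.get("ip"):
            entity["asset.ip"] = device["ip"]
        if device.get("uid"):
            entity["asset.asset_id"] = device["uid"]
        about.append(entity)
    udm["about"] = about
    return udm

if __name__ == "__main__":
    for field, value in sorted(map_authentication(SAMPLE_EVENT).items()):
        print(f"{field} = {value!r}")
```

Running the block prints the flattened UDM fields for the constructed event. The point worth noticing is the fallback order: because actor.user.name is present but empty, principal.user.userid comes from actor.process.user.name, while principal.user.product_object_id still comes from actor.user.uid, so a single event can mix identities from both objects; a detection that joins on principal.user fields should take that into account.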
Field mapping reference: OCSF Security Finding
The following table lists the log fields for the Security Finding
log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
activity_id |
metadata.event_type |
If the class_name log field value is equal to Security Finding then, the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED . |
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
activity_name |
network.http.response_code |
|
api.response.message |
metadata.description |
|
api.service.name |
target.application |
|
attacks.tactics.name |
security_result.attack_details.tactics.name |
|
attacks.tactics.uid |
security_result.attack_details.tactics.id |
|
attacks.technique.name |
security_result.attack_details.technique.name |
|
attacks.technique.uid |
security_result.attack_details.technique.id |
|
attacks.version |
security_result.attack_details.version |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
class_name |
metadata.log_type |
|
classname |
metadata.log_type |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES . Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE . Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
confidence |
security_result.confidence |
If the confidence log field value matches the regular expression pattern Low then, the security_result.confidence UDM field is set to LOW_CONFIDENCE . Else, if confidence log field value matches the regular expression pattern Medium then, the security_result.confidence UDM field is set to MEDIUM_CONFIDENCE . Else, if confidence log field value matches the regular expression pattern High then, the security_result.confidence UDM field is set to HIGH_CONFIDENCE . Else, the security_result.confidence UDM field is set to UNKNOWN_CONFIDENCE . |
confidence_score |
security_result.confidence_details |
|
finding.desc |
security_result.description |
|
finding.product_uid |
principal.asset_id |
|
finding.remediation.desc |
security_result.outcomes[finding_remediation_desc] |
|
finding.remediation.kb_articles |
security_result.outcomes[finding_remediation_kb_articles] |
|
finding.src_url |
security_result.url_back_to_product |
|
finding.title |
security_result.summary |
|
malware.cves.created_time |
extensions.vulns.vulnerabilities.first_found |
|
malware.cves.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
malware.cves.cvss.severity |
extensions.vulns.vulnerabilities.severity |
If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW . Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM . Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH . Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL . Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY . |
malware.cves.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
malware.cves.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
malware.cves.product.name |
extensions.vulns.vulnerabilities.about.application |
|
malware.cves.product.uid |
extensions.vulns.vulnerabilities.about.asset_id |
|
malware.cves.product.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
malware.cves.type |
extensions.vulns.vulnerabilities.name |
|
malware.cves.uid |
extensions.vulns.vulnerabilities.cve_id |
|
malware.name |
security_result.threat_name |
|
malware.uid |
security_result.threat_id |
|
message |
metadata.description |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.product.name |
metadata.product_name |
|
metadata.uid |
metadata.product_log_id |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
observables.value |
observer.hostname |
Iterate through log field observables , then if the observables.type_id log field value is equal to 1 (Hostname) and the observer.hostname UDM field value is empty then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 (IP Address) then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 (MAC Address) then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 (User Name) and the observer.user.userid UDM field value is empty then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 (Email Address) then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 (URL String) and the observer.url UDM field value is empty then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 (File Name) then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 (Hash) and the observer.file.vhash UDM field value is empty then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 (Process Name) then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 (Resource UID) and the observer.resource.product_object_id UDM field value is empty then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
|
observables.value |
observer.mac |
|
observables.value |
observer.user.userid |
|
observables.value |
observer.user.email_addresses |
|
observables.value |
observer.url |
|
observables.value |
observer.file.names |
|
observables.value |
observer.file.vhash |
|
observables.value |
observer.process.file.names |
|
observables.value |
observer.resource.product_object_id |
|
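The observables dispatch above, written out as an added example (not the Google SecOps parser's own code): it walks an event's observables array, applies the type_id rules and the "only if the target is still empty" guards from the table, and fills observer.* fields in a nested dict. The dict layout, the helper names and the sample event are constructed for illustration; treating ip, mac, email_addresses and file.names as repeated fields is an assumption about UDM.

```python
"""Added example (not Google SecOps parser code): OCSF observables -> UDM observer.*"""
from typing import Any, Optional

# type_id -> (path under observer, set only when the target is still empty)
# Values follow the table; the emptiness guard is applied to the same types
# the table guards (1, 4, 6, 8, 10).
OBSERVABLE_RULES: dict = {
    1: ("hostname", True),
    2: ("ip", False),
    3: ("mac", False),
    4: ("user.userid", True),
    5: ("user.email_addresses", False),
    6: ("url", True),
    7: ("file.names", False),
    8: ("file.vhash", True),
    9: ("process.file.names", False),
    10: ("resource.product_object_id", True),
}
# Assumption: these UDM fields are repeated, so values are appended, not replaced.
REPEATED = {"ip", "mac", "user.email_addresses", "file.names", "process.file.names"}


def _get(node: Any, path: str) -> Any:
    """Read a dotted path from nested dicts; None when any segment is missing."""
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _set(node: dict, path: str, value: Any, append: bool) -> None:
    """Write a dotted path into nested dicts, creating intermediate objects."""
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    if append:
        node.setdefault(parts[-1], []).append(value)
    else:
        node[parts[-1]] = value


def map_observables(event: dict, udm: Optional[dict] = None) -> dict:
    """Apply the observables.type_id rules to `event` and return the UDM dict."""
    udm = udm if udm is not None else {}
    observer = udm.setdefault("observer", {})
    for obs in event.get("observables") or []:
        rule = OBSERVABLE_RULES.get(obs.get("type_id"))
        value = obs.get("value")
        if rule is None or value in (None, ""):
            continue  # unsupported type_id or empty value: nothing is mapped
        path, only_if_empty = rule
        if only_if_empty and _get(observer, path) not in (None, ""):
            continue  # the table keeps whatever value is already present
        _set(observer, path, value, append=path in REPEATED)
    return udm


# Constructed sample event (not taken from the page).
SAMPLE_EVENT = {
    "observables": [
        {"name": "device.hostname", "type_id": 1, "value": "host-a"},
        {"name": "dst_endpoint.hostname", "type_id": 1, "value": "host-b"},
        {"name": "src_endpoint.ip", "type_id": 2, "value": "198.51.100.7"},
        {"name": "dst_endpoint.ip", "type_id": 2, "value": "198.51.100.8"},
        {"name": "actor.user.name", "type_id": 4, "value": "alice"},
        {"name": "file.hashes", "type_id": 8, "value": ""},
        {"name": "unsupported", "type_id": 99, "value": "ignored"},
    ]
}

if __name__ == "__main__":
    # The second type_id 1 observable is dropped because observer.hostname is set.
    print(map_observables(SAMPLE_EVENT))
```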
process.cmd_line |
principal.process.command_line |
|
process.file.mime_type |
principal.process.file.mime_type |
|
process.file.modified_time |
principal.process.file.last_modification_time |
|
process.file.name |
principal.process.file.names |
|
process.file.path |
principal.process.file.full_path |
|
process.file.size |
principal.process.file.size |
|
process.file.created_time |
principal.process.file.first_seen_time |
|
process.file.accessed_time |
principal.process.file.last_seen_time |
|
process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
|
process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
|
process.parent_process.cmd_line |
principal.process.parent_process.command_line |
|
process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
|
process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
|
process.parent_process.file.name |
principal.process.parent_process.file.names |
|
process.parent_process.file.path |
principal.process.parent_process.file.full_path |
|
process.parent_process.file.size |
principal.process.parent_process.file.size |
|
process.parent_process.pid |
principal.process.parent_process.pid |
|
process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
|
process.parent_process.user.domain |
principal.administrative_domain |
If the process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
process.parent_process.user.email_addr |
principal.user.email_addresses |
If the process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
process.parent_process.user.full_name |
principal.user.user_display_name |
If the process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
process.parent_process.user.groups.name |
principal.group.group_display_name |
If the process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
process.parent_process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
process.parent_process.user.groups.uid |
principal.user.group_identifiers |
If the process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
process.parent_process.user.name |
principal.user.userid |
If the process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
process.parent_process.user.org.name |
principal.user.company_name |
If the process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
process.parent_process.user.org.ou_name |
principal.user.department |
If the process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
process.parent_process.user.type_id |
principal.user.attribute.roles.name |
If the process.user.type_id log field value is not empty and if the process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. Else, if process.parent_process.user.type_id log field value is not empty and if the process.parent_process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.parent_process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.parent_process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.parent_process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
process.parent_process.user.uid |
principal.user.product_object_id |
If the process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
process.pid |
principal.process.pid |
|
process.uid |
principal.process.product_specific_process_id |
|
process.user.domain |
principal.administrative_domain |
If the process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
process.user.email_addr |
principal.user.email_addresses |
If the process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
process.user.full_name |
principal.user.user_display_name |
If the process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
process.user.groups.name |
principal.group.group_display_name |
If the process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
process.user.groups.uid |
principal.user.group_identifiers |
If the process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
process.user.name |
principal.user.userid |
If the process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
process.user.org.name |
principal.user.company_name |
If the process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
process.user.org.ou_name |
principal.user.department |
If the process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
process.user.type_id |
principal.user.attribute.roles.name |
If the process.user.type_id log field value is not empty and if the process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. Else, if process.parent_process.user.type_id log field value is not empty and if the process.parent_process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.parent_process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.parent_process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.parent_process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
process.user.uid |
principal.user.product_object_id |
If the process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
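The process.user / process.parent_process.user fallback rows above, as an added example (not the Google SecOps parser's own code): each principal.user field takes the process.user value when present and otherwise the parent's, full_name consults the parent first exactly as the table states, and type_id is turned into roles.name with the same precedence. The groups.* rows are left out, and the output layout, helper names and sample process object are constructed for illustration.

```python
"""Added example (not Google SecOps parser code): OCSF process.user -> UDM principal.*"""
from typing import Any, Optional

# (sub-field of the user object, UDM field, consult parent_process.user first?)
# Order follows the table; only full_name prefers the parent process's user.
USER_FIELD_RULES = [
    ("domain", "principal.administrative_domain", False),
    ("email_addr", "principal.user.email_addresses", False),
    ("full_name", "principal.user.user_display_name", True),
    ("name", "principal.user.userid", False),
    ("org.name", "principal.user.company_name", False),
    ("org.ou_name", "principal.user.department", False),
    ("uid", "principal.user.product_object_id", False),
]
ROLE_BY_TYPE_ID = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}


def _get(node: Any, path: str) -> Any:
    """Read a dotted path from nested dicts; None when any segment is missing."""
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _set(udm: dict, path: str, value: Any) -> None:
    """Write a dotted path into nested dicts, creating intermediate objects."""
    parts = path.split(".")
    node = udm
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def _present(value: Any) -> bool:
    return value is not None and value != ""


def role_name(type_id: Any) -> Optional[str]:
    """type_id -> roles.name per the table; None when type_id is empty."""
    if not _present(type_id):
        return None
    return ROLE_BY_TYPE_ID.get(type_id, "Other")


def map_principal_user(process: dict) -> dict:
    """Fill principal.* from process.user, falling back to parent_process.user."""
    user = process.get("user") or {}
    parent = _get(process, "parent_process.user") or {}
    udm: dict = {}
    for field, udm_path, parent_first in USER_FIELD_RULES:
        sources = (parent, user) if parent_first else (user, parent)
        for src in sources:
            value = _get(src, field)
            if _present(value):
                _set(udm, udm_path, value)
                break  # first non-empty source wins
    # type_id: process.user decides when present, else parent_process.user
    role = role_name(user.get("type_id"))
    if role is None:
        role = role_name(parent.get("type_id"))
    if role is not None:
        _set(udm, "principal.user.attribute.roles.name", role)
    return udm


# Constructed sample process object (not taken from the page).
SAMPLE_PROCESS = {
    "user": {"name": "svc_backup", "type_id": 3, "domain": ""},
    "parent_process": {
        "user": {
            "name": "SYSTEM",
            "full_name": "Local System",
            "domain": "NT AUTHORITY",
            "type_id": 1,
            "uid": "S-1-5-18",
        }
    },
}

if __name__ == "__main__":
    print(map_principal_user(SAMPLE_PROCESS))
```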
resources.name |
target.resource.name |
|
resources.type |
target.resource.resource_subtype |
|
resources.uid |
target.resource.product_object_id |
|
risk_score |
security_result.risk_score |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
time |
metadata.event_timestamp |
|
vulnerabilities.cve.created_time |
extensions.vulns.vulnerabilities.first_found |
|
vulnerabilities.cve.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
vulnerabilities.cve.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
vulnerabilities.cve.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
vulnerabilities.cve.product.name |
extensions.vulns.vulnerabilities.about.application |
|
vulnerabilities.cve.product.uid |
extensions.vulns.vulnerabilities.about.asset_id |
|
vulnerabilities.cve.type |
extensions.vulns.vulnerabilities.description |
|
vulnerabilities.cve.uid |
extensions.vulns.vulnerabilities.cve_id |
|
vulnerabilities.severity |
extensions.vulns.vulnerabilities.severity |
|
vulnerabilities.title |
extensions.vulns.vulnerabilities.name |
|
vulnerabilities.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
analytic.desc |
security_result.detection_fields [analytic_desc] |
|
analytic.name |
security_result.detection_fields [analytic_name] |
|
analytic.relatedAnalytics.category |
security_result.detection_fields [analytic_related_analytics_category] |
|
analytic.relatedAnalytics.name |
security_result.detection_fields [analytic_related_analytics_name] |
|
analytic.relatedAnalytics.type |
security_result.detection_fields [analytic_related_analytics_type] |
|
analytic.relatedAnalytics.typeId |
security_result.detection_fields [analytic_related_analytics_typeId] |
|
analytic.relatedAnalytics.uid |
security_result.detection_fields [analytic_related_analytics_uid] |
|
analytic.type |
security_result.detection_fields [analytic_type] |
|
analytic.typeId |
security_result.detection_fields [analytic_typeId] |
|
finding.uid |
security_result.detection_fields [finding_uid] |
|
finding.first_seen_time |
security_result.first_discovered_time |
|
finding.created_time |
security_result.detection_fields [finding_created_time] |
|
finding.last_seen_time |
security_result.detection_fields [finding_last_seen_time] |
|
confidence_id |
security_result.detection_fields [confidence_id] |
|
data_sources |
security_result.detection_fields [data_sources] |
|
impact |
security_result.detection_fields [impact] |
|
impact_id |
security_result.detection_fields [impact_id] |
|
impact_score |
security_result.detection_fields [impact_score] |
|
malware.classification_ids |
security_result.detection_fields [malware.classification_ids] |
|
malware.classifications |
security_result.detection_fields [malware.classifications] |
|
risk_level |
security_result.detection_fields [risk_level] |
|
risk_level_id |
security_result.detection_fields [risk_level_id] |
|
state |
security_result.detection_fields [state] |
|
state_id |
security_result.detection_fields [state_id] |
|
count |
security_result.detection_fields [count] |
|
end_time |
security_result.detection_fields [end_time] |
|
enrichments.name |
security_result.detection_fields [enrichments_name] |
|
enrichments.provider |
security_result.detection_fields [enrichments_provider] |
|
enrichments.type |
security_result.detection_fields [enrichments_type] |
|
enrichments.value |
security_result.detection_fields [enrichments_value] |
|
metadata.log_name |
about.labels [metadata_log_name] |
|
metadata.log_provider |
about.labels [metadata_log_provider] |
|
metadata.modified_time |
about.labels [metadata_modified_time] |
|
metadata.original_time |
about.labels [metadata_original_time] |
|
metadata.product.lang |
about.labels [metadata_product_lang] |
|
metadata.version |
about.labels [metadata_version] |
|
metadata.log_name |
additional.fields [metadata_log_name] |
|
metadata.log_provider |
additional.fields [metadata_log_provider] |
|
metadata.modified_time |
additional.fields [metadata_modified_time] |
|
metadata.original_time |
additional.fields [metadata_original_time] |
|
metadata.product.lang |
additional.fields [metadata_product_lang] |
|
metadata.version |
additional.fields [metadata_version] |
|
severity |
security_result.severity_details |
|
class_uid |
about.labels [class_uid] |
|
metadata.labels |
about.labels [metadata_labels] |
|
raw_data |
about.labels [raw_data] |
|
metadata.product.feature.name |
about.labels [metadata_product_feature_name] |
|
metadata.product.feature.uid |
about.labels [metadata_product_feature_uid] |
|
metadata.profiles |
about.labels [metadata_profiles] |
|
process.created_time |
principal.labels [process_created_time] |
|
process.file.type_id |
principal.labels [process_file_type_id] |
|
process.terminated_time |
principal.labels [process_terminated_time] |
|
status |
security_result.detection_fields [status] |
|
status_code |
security_result.detection_fields [status_code] |
|
type_name |
security_result.detection_fields [type_name] |
|
type_uid |
security_result.detection_fields [type_uid] |
|
cloud.account_uid |
about.resource.attribute.labels [cloud_account_uid] |
|
compliance.requirements |
security_result.detection_fields [compliance_requirements] |
|
compliance.status |
security_result.detection_fields [compliance_status] |
|
compliance.status_detail |
security_result.detection_fields [compliance_status_detail] |
|
finding.modified_time |
security_result.detection_fields [finding_modified_time] |
|
finding.related_events.product_uid |
security_result.detection_fields [finding_related_events_product_uid] |
|
finding.related_events.uid |
security_result.detection_fields [finding_related_events_uid] |
|
finding.types |
security_result.detection_fields [finding_types] |
|
malware.path |
security_result.detection_fields [malware_path] |
|
resources.cloud_partition |
target.resource.attribute.labels [resources_cloud_partition] |
|
resources.details |
target.resource.attribute.labels [resources_details] |
|
resources.labels |
target.resource.attribute.labels [resources_labels] |
|
resources.region |
target.location.name |
|
vulnerabilities.cve.modified_time |
extensions.vulns.vulnerabilities.about.labels [vuln_cve_modified_time] |
|
vulnerabilities.kb_articles |
extensions.vulns.vulnerabilities.about.labels [vuln_kb_articles] |
|
vulnerabilities.packages.architecture |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_architecture] |
|
vulnerabilities.packages.epoch |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_epoch] |
|
vulnerabilities.packages.name |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_name] |
|
vulnerabilities.packages.release |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_release] |
|
vulnerabilities.packages.version |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_version] |
|
vulnerabilities.references |
extensions.vulns.vulnerabilities.about.labels [vuln_references] |
|
vulnerabilities.related_vulnerabilities |
extensions.vulns.vulnerabilities.about.labels [vuln_related_vulnerabilities] |
|
vulnerabilities.cve.modified_time |
additional.fields [vuln_cve_modified_time] |
|
vulnerabilities.kb_articles |
additional.fields [vuln_kb_articles] |
|
vulnerabilities.packages.architecture |
additional.fields [vuln_packages_architecture] |
|
vulnerabilities.packages.epoch |
additional.fields [vuln_packages_epoch] |
|
vulnerabilities.packages.name |
additional.fields [vuln_packages_name] |
|
vulnerabilities.packages.release |
additional.fields [vuln_packages_release] |
|
vulnerabilities.packages.version |
additional.fields [vuln_packages_version] |
|
vulnerabilities.references |
additional.fields [vuln_references] |
|
vulnerabilities.related_vulnerabilities |
additional.fields [vuln_related_vulnerabilities] |
|
compliance.control |
security_result.detection_fields[compliance_control] |
|
compliance.standards |
security_result.detection_fields[compliance_standards] |
Iterate through log field compliance.standards, then compliance.standards log field is mapped to the security_result.detection_fields[compliance_standards] UDM field. |
compliance.status_code |
security_result.detection_fields[compliance_status_code] |
|
compliance.status_id |
security_result.detection_fields[compliance_status_id] |
|
finding.related_events.kill_chain.phase |
security_result.detection_fields[related_events_kill_chain_phase] |
Iterate through log field finding.related_events, then iterate through log field finding.related_events.kill_chain, then finding.related_events.kill_chain.phase log field is mapped to the security_result.detection_fields[related_events_kill_chain_phase] UDM field. |
finding.related_events.kill_chain.phase_id |
security_result.detection_fields[related_events_kill_chain_phase_id] |
Iterate through log field finding.related_events, then iterate through log field finding.related_events.kill_chain, then finding.related_events.kill_chain.phase_id log field is mapped to the security_result.detection_fields[related_events_kill_chain_phase_id] UDM field. |
finding.remediation.kb_article_list.os.name |
security_result.outcomes[finding_remediation_kb_article_list_os_name] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.os.name log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_os_name] UDM field. |
finding.remediation.kb_article_list.os.type_id |
security_result.outcomes[finding_remediation_kb_article_list_os_type_id] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.os.type_id log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_os_type_id] UDM field. |
finding.remediation.kb_article_list.severity |
security_result.outcomes[finding_remediation_kb_article_list_severity] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.severity log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_severity] UDM field. |
finding.remediation.kb_article_list.title |
security_result.outcomes[finding_remediation_kb_article_list_title] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.title log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_title] UDM field. |
finding.remediation.kb_article_list.uid |
security_result.outcomes[finding_remediation_kb_article_list_uid] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.uid log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_uid] UDM field. |
finding.remediation.kb_article_list.product.name |
security_result.outcomes[finding_remediation_kb_article_list_product_name] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.product.name log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_name] UDM field. |
finding.remediation.kb_article_list.product.uid |
security_result.outcomes[finding_remediation_kb_article_list_product_uid] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.product.uid log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_uid] UDM field. |
finding.remediation.kb_article_list.product.vendor_name |
security_result.outcomes[finding_remediation_kb_article_list_product_vendor_name] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.product.vendor_name log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_vendor_name] UDM field. |
finding.remediation.kb_article_list.product.version |
security_result.outcomes[finding_remediation_kb_article_list_product_version] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.product.version log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_version] UDM field. |
finding.remediation.reference |
security_result.outcomes[finding_remediation_reference] |
Iterate through log field finding.remediation.reference, then finding.remediation.reference log field is mapped to the security_result.outcomes[finding_remediation_reference] UDM field. |
finding.related_events.attacks.sub_technique.name |
security_result.attack_details.techniques.subtechnique_name |
Iterate through log field finding.related_events, then iterate through log field finding.related_events.attacks, then finding.related_events.attacks.sub_technique.name log field is mapped to the security_result.attack_details.techniques.subtechnique_name UDM field. |
finding.related_events.attacks.sub_technique.uid |
security_result.attack_details.techniques.subtechnique_id |
Iterate through log field finding.related_events, then iterate through log field finding.related_events.attacks, then finding.related_events.attacks.sub_technique.uid log field is mapped to the security_result.attack_details.techniques.subtechnique_id UDM field. |
finding.related_events.attacks.sub_technique.src_url |
security_result.outcomes[finding_related_events_attacks_sub_technique_src_url] |
Iterate through log field finding.related_events.attacks, then finding.related_events.attacks.sub_technique.src_url log field is mapped to the security_result.outcomes[finding_related_events_attacks_sub_technique_src_url] UDM field. |
attacks.sub_technique.name |
security_result.attack_details.techniques.subtechnique_name |
Iterate through log field finding.related_events.attacks, then attacks.sub_technique.name log field is mapped to the security_result.attack_details.techniques.subtechnique_name UDM field. |
attacks.sub_technique.uid |
security_result.attack_details.techniques.subtechnique_id |
Iterate through log field finding.related_events.attacks, then attacks.sub_technique.uid log field is mapped to the security_result.attack_details.techniques.subtechnique_id UDM field. |
attacks.sub_technique.src_url |
security_result.detection_fields[attacks_sub_technique_src_url] |
Iterate through log field finding.related_events.attacks, then attacks.sub_technique.src_url log field is mapped to the security_result.outcomes[finding_related_events_attacks_sub_technique_src_url] UDM field. |
malware.cvec.title |
extensions.vulns.vulnerabilities.description |
|
malware.cves.product.cpe_name |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_product_cpe_name] |
Iterate through log field malware.cves, then malware.cves.product.cpe_name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_product_cpe_name] UDM field. |
malware.cves.epass.created_time |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_created_time] |
Iterate through log field malware.cves, then malware.cves.epass.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_created_time] UDM field. |
malware.cves.epass.score |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_score] |
Iterate through log field malware.cves, then malware.cves.epass.score log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_score] UDM field. |
malware.cves.epass.percentile |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_percentile] |
Iterate through log field malware.cves, then malware.cves.epass.percentile log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_percentile] UDM field. |
malware.cves.epass.version |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_version] |
Iterate through log field malware.cves, then malware.cves.epass.version log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_version] UDM field. |
malware.cves.reference |
additional.fields[malware_cves_reference] |
Iterate through log field malware.cves.reference, then malware.cves.reference log field is mapped to the additional.fields[malware_cves_reference] UDM field. |
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
actor.session.uid |
network.session_id |
If the actor.session.uid log field value is not empty, then actor.session.uid log field is mapped to the network.session_id UDM field. Else, if process.session.uid log field value is not empty, then process.session.uid log field is mapped to the network.session_id UDM field. Else, if process.session.uid_alt log field value is not empty, then process.session.uid_alt log field is mapped to the network.session_id UDM field. |
process.session.uid |
network.session_id |
If the actor.session.uid log field value is not empty, then actor.session.uid log field is mapped to the network.session_id UDM field. Else, if process.session.uid log field value is not empty, then process.session.uid log field is mapped to the network.session_id UDM field. Else, if process.session.uid_alt log field value is not empty, then process.session.uid_alt log field is mapped to the network.session_id UDM field. |
process.session.uid_alt |
network.session_id |
If the actor.session.uid log field value is not empty, then actor.session.uid log field is mapped to the network.session_id UDM field. Else, if process.session.uid log field value is not empty, then process.session.uid log field is mapped to the network.session_id UDM field. Else, if process.session.uid_alt log field value is not empty, then process.session.uid_alt log field is mapped to the network.session_id UDM field. |
process.session.expiration_reason |
additional.fields[process_session_expiration_reason] |
|
process.user.ldap_person.cost_center |
principal.user.attribute.labels[process_user_ldap_person_cost_center] |
|
process.user.ldap_person.created_time |
principal.user.attribute.labels[process_user_ldap_person_created_time] |
|
process.user.ldap_person.deleted_time |
principal.user.attribute.labels[process_user_ldap_person_deleted_time] |
|
process.user.ldap_person.email_addrs |
principal.user.email_addresses |
|
process.user.ldap_person.employee_uid |
principal.user.employee_uid |
|
process.user.ldap_person.location |
principal.user.attribute.labels[process_user_ldap_person_location] |
|
process.user.ldap_person.given_name |
principal.user.first_name |
|
process.user.ldap_person.hire_time |
principal.user.hire_date |
|
process.user.ldap_person.job_title |
principal.user.title |
|
process.user.ldap_person.ldap_cn |
principal.user.attribute.labels[process_user_ldap_person_ldap_cn] |
|
process.user.ldap_person.ldap_dn |
principal.user.attribute.labels[process_user_ldap_person_ldap_dn] |
|
process.user.ldap_person.labels |
principal.user.attribute.labels[process_user_ldap_person_labels] |
|
process.user.ldap_person.last_login_time |
principal.user.last_login_time |
|
process.user.ldap_person.leave_time |
principal.user.attribute.labels[process_user_ldap_person_leave_time] |
|
process.user.ldap_person.modified_time |
principal.user.attribute.labels[process_user_ldap_person_modified_time] |
|
process.user.ldap_person.office_location |
principal.user.office_address.name |
|
process.user.ldap_person.surname |
principal.user.last_name |
|
process.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[process_user_ldap_person_cost_center] |
|
process.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[process_user_ldap_person_created_time] |
|
process.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[process_user_ldap_person_deleted_time] |
|
process.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
|
process.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
|
process.user.ldap_person.manager.location |
principal.user.managers.attribute.labels[process_user_ldap_person_location] |
|
process.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
|
process.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
|
process.user.ldap_person.manager.job_title |
principal.user.managers.title |
|
process.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[process_user_ldap_person_ldap_cn] |
|
process.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[process_user_ldap_person_ldap_dn] |
|
process.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[process_user_ldap_person_labels] |
|
process.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
|
process.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[process_user_ldap_person_leave_time] |
|
process.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[process_user_ldap_person_modified_time] |
|
process.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
|
process.user.ldap_person.manager.surname |
principal.user.managers.last_name |
|
process.user.groups.domain |
principal.user.group_identifiers |
|
resources.owner.ldap_person.cost_center |
about.user.attribute.labels[process_user_ldap_person_cost_center] |
Iterate through log field resources, then resources.owner.ldap_person.cost_center log field is mapped to the about.user.attribute.labels[process_user_ldap_person_cost_center] UDM field. |
resources.owner.ldap_person.created_time |
about.user.attribute.labels[process_user_ldap_person_created_time] |
Iterate through log field resources, then resources.owner.ldap_person.created_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_created_time] UDM field. |
resources.owner.ldap_person.deleted_time |
about.user.attribute.labels[process_user_ldap_person_deleted_time] |
Iterate through log field resources, then resources.owner.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_deleted_time] UDM field. |
resources.owner.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field resources, then resources.owner.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
resources.owner.ldap_person.employee_uid |
about.user.employee_uid |
Iterate through log field resources, then resources.owner.ldap_person.employee_uid log field is mapped to the about.user.employee_uid UDM field. |
resources.owner.ldap_person.location |
about.user.attribute.labels[process_user_ldap_person_location] |
Iterate through log field resources, then resources.owner.ldap_person.location log field is mapped to the about.user.attribute.labels[process_user_ldap_person_location] UDM field. |
resources.owner.ldap_person.given_name |
about.user.first_name |
Iterate through log field resources, then resources.owner.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
resources.owner.ldap_person.hire_time |
about.user.hire_date |
Iterate through log field resources, then resources.owner.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
resources.owner.ldap_person.job_title |
about.user.title |
Iterate through log field resources, then resources.owner.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
resources.owner.ldap_person.ldap_cn |
about.user.attribute.labels[process_user_ldap_person_ldap_cn] |
Iterate through log field resources, then resources.owner.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels[process_user_ldap_person_ldap_cn] UDM field. |
resources.owner.ldap_person.ldap_dn |
about.user.attribute.labels[process_user_ldap_person_ldap_dn] |
Iterate through log field resources, then resources.owner.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels[process_user_ldap_person_ldap_dn] UDM field. |
resources.owner.ldap_person.labels |
about.user.attribute.labels[process_user_ldap_person_labels] |
Iterate through log field resources, then resources.owner.ldap_person.labels log field is mapped to the about.user.attribute.labels[process_user_ldap_person_labels] UDM field. |
resources.owner.ldap_person.last_login_time |
about.user.last_login_time |
Iterate through log field resources, then resources.owner.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
resources.owner.ldap_person.leave_time |
about.user.attribute.labels[process_user_ldap_person_leave_time] |
Iterate through log field resources, then resources.owner.ldap_person.leave_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_leave_time] UDM field. |
resources.owner.ldap_person.modified_time |
about.user.attribute.labels[process_user_ldap_person_modified_time] |
Iterate through log field resources, then resources.owner.ldap_person.modified_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_modified_time] UDM field. |
resources.owner.ldap_person.office_location |
about.user.office_address.name |
Iterate through log field resources, then resources.owner.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
resources.owner.ldap_person.surname |
about.user.last_name |
Iterate through log field resources, then resources.owner.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
resources.owner.ldap_person.manager.cost_center |
about.user.managers.attribute.labels[process_user_ldap_person_cost_center] |
Iterate through log field resources, then resources.owner.ldap_person.manager.cost_center log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_cost_center] UDM field. |
resources.owner.ldap_person.manager.created_time |
about.user.managers.attribute.labels[process_user_ldap_person_created_time] |
Iterate through log field resources, then resources.owner.ldap_person.manager.created_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_created_time] UDM field. |
resources.owner.ldap_person.manager.deleted_time |
about.user.managers.attribute.labels[process_user_ldap_person_deleted_time] |
Iterate through log field resources, then resources.owner.ldap_person.manager.deleted_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_deleted_time] UDM field. |
resources.owner.ldap_person.manager.email_addrs |
about.user.managers.email_addresses |
Iterate through log field resources, then resources.owner.ldap_person.manager.email_addrs log field is mapped to the about.user.managers.email_addresses UDM field. |
resources.owner.ldap_person.manager.employee_uid |
about.user.managers.employee_uid |
Iterate through log field resources, then resources.owner.ldap_person.manager.employee_uid log field is mapped to the about.user.managers.employee_uid UDM field. |
resources.owner.ldap_person.manager.location |
about.user.managers.attribute.labels[process_user_ldap_person_location] |
Iterate through log field resources, then resources.owner.ldap_person.manager.location log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_location] UDM field. |
resources.owner.ldap_person.manager.given_name |
about.user.managers.first_name |
Iterate through log field resources, then resources.owner.ldap_person.manager.given_name log field is mapped to the about.user.managers.first_name UDM field. |
resources.owner.ldap_person.manager.hire_time |
about.user.managers.hire_date |
Iterate through log field resources, then resources.owner.ldap_person.manager.hire_time log field is mapped to the about.user.managers.hire_date UDM field. |
resources.owner.ldap_person.manager.job_title |
about.user.managers.title |
Iterate through log field resources, then resources.owner.ldap_person.manager.job_title log field is mapped to the about.user.managers.title UDM field. |
resources.owner.ldap_person.manager.ldap_cn |
about.user.managers.attribute.labels[process_user_ldap_person_ldap_cn] |
Iterate through log field resources, then resources.owner.ldap_person.manager.ldap_cn log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_ldap_cn] UDM field. |
resources.owner.ldap_person.manager.ldap_dn |
about.user.managers.attribute.labels[process_user_ldap_person_ldap_dn] |
Iterate through log field resources, then resources.owner.ldap_person.manager.ldap_dn log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_ldap_dn] UDM field. |
resources.owner.ldap_person.manager.labels |
about.user.managers.attribute.labels[process_user_ldap_person_labels] |
Iterate through log field resources, then resources.owner.ldap_person.manager.labels log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_labels] UDM field. |
resources.owner.ldap_person.manager.last_login_time |
about.user.managers.last_login_time |
Iterate through log field resources, then resources.owner.ldap_person.manager.last_login_time log field is mapped to the about.user.managers.last_login_time UDM field. |
resources.owner.ldap_person.manager.leave_time |
about.user.managers.attribute.labels[process_user_ldap_person_leave_time] |
Iterate through log field resources, then resources.owner.ldap_person.manager.leave_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_leave_time] UDM field. |
resources.owner.ldap_person.manager.modified_time |
about.user.managers.attribute.labels[process_user_ldap_person_modified_time] |
Iterate through log field resources, then resources.owner.ldap_person.manager.modified_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_modified_time] UDM field. |
resources.owner.ldap_person.manager.office_location |
about.user.managers.office_address.name |
Iterate through log field resources, then resources.owner.ldap_person.manager.office_location log field is mapped to the about.user.managers.office_address.name UDM field. |
resources.owner.ldap_person.manager.surname |
about.user.managers.last_name |
Iterate through log field resources, then resources.owner.ldap_person.manager.surname log field is mapped to the about.user.managers.last_name UDM field. |
resource.owner.groups.domain |
about.user.group_identifiers |
Iterate through log field resources, then iterate through log field resource.owner.groups, then resource.owner.groups.domain log field is mapped to the about.user.group_identifiers UDM field. |
vulnerabilities.is_exploit_available |
additional.fields[vulnerabilities_is_exploit_available] |
Iterate through log field vulnerabilities, then vulnerabilities.is_exploit_available log field is mapped to the additional.fields[vulnerabilities_is_exploit_available] UDM field. |
vulnerabilities.is_fix_available |
additional.fields[vulnerabilities_is_fix_available] |
Iterate through log field vulnerabilities, then vulnerabilities.is_fix_available log field is mapped to the additional.fields[vulnerabilities_is_fix_available] UDM field. |
vulnerabilities.cve.title |
additional.fields[vulnerabilities_cve_title] |
Iterate through log field vulnerabilities, then vulnerabilities.cve.title log field is mapped to the additional.fields[vulnerabilities_cve_title] UDM field. |
vulnerabilities.cve.references |
additional.fields[vulnerabilities_cve_references] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.cve.references, then vulnerabilities.cve.references log field is mapped to the additional.fields[vulnerabilities_cve_references] UDM field. |
vulnerabilities.first_seen_time |
extensions.vulns.vulnerabilities.first_found |
Iterate through log field vulnerabilities, then if the vulnerabilities.cve.created_time log field value is not empty, then vulnerabilities.cve.created_time log field is mapped to the extensions.vulns.vulnerabilities.first_found UDM field. Else, vulnerabilities.first_seen_time log field is mapped to the extensions.vulns.vulnerabilities.first_found UDM field. |
vulnerabilities.last_seen_time |
extensions.vulns.vulnerabilities.last_found |
Iterate through log field vulnerabilities, then vulnerabilities.last_seen_time log field is mapped to the extensions.vulns.vulnerabilities.last_found UDM field. |
vulnerabilities.cve.desc |
extensions.vulns.vulnerabilities.cve_description |
Iterate through log field vulnerabilities, then vulnerabilities.cve.desc log field is mapped to the extensions.vulns.vulnerabilities.cve_description UDM field. |
vulnerabilities.kb_article_list.os.name |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_name] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.os.name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_name] UDM field. |
vulnerabilities.kb_article_list.os.type |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.os.type log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type] UDM field. |
vulnerabilities.kb_article_list.os.type_id |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type_id] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.os.type_id log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type_id] UDM field. |
vulnerabilities.kb_article_list.product.name |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_name] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.product.name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_name] UDM field. |
vulnerabilities.kb_article_list.product.uid |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_uid] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.product.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_uid] UDM field. |
vulnerabilities.kb_article_list.product.vendor_name |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_vendor_name] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.product.vendor_name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_vendor_name] UDM field. |
vulnerabilities.kb_article_list.title |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_title] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.title log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_title] UDM field. |
vulnerabilities.kb_article_list.uid |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_uid] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_uid] UDM field. |
vulnerabilities.kb_article_list.bulletin |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_bulletin] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.bulletin log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_bulletin] UDM field. |
vulnerabilities.kb_article_list.classification |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_classification] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.classification log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_classification] UDM field. |
vulnerabilities.kb_article_list.created_time |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_created_time] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_created_time] UDM field. |
vulnerabilities.kb_article_list.severity |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_severity] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.severity log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_severity] UDM field. |
vulnerabilities.kb_article_list.size |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_size] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.size log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_size] UDM field. |
vulnerabilities.kb_article_list.src_url |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_src_url] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.src_url log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_src_url] UDM field. |
vulnerabilities.kb_article_list.is_superseded |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_is_superseded] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.is_superseded log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_is_superseded] UDM field. |
vulnerabilities.remediation.reference |
additional.fields[vulnerabilities_remediation_references] |
Iterate through log field vulnerabilities, then vulnerabilities.remediation.reference log field is mapped to the additional.fields[vulnerabilities_remediation_references] UDM field. |
vulnerabilities.affected_code.end_line |
extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_end_line] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.end_line log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_end_line] UDM field. |
vulnerabilities.affected_code.start_line |
extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_start_line] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.start_line log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_start_line] UDM field. |
vulnerabilities.affected_code.file.mime_type |
extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_mime_type] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.mime_type log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_mime_type] UDM field. |
vulnerabilities.affected_code.file.path |
extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_path] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.path log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_path] UDM field. |
vulnerabilities.affected_code.file.modified_time |
extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_modified_time] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.modified_time log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_modified_time] UDM field. |
vulnerabilities.affected_code.file.created_time |
extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_created_time] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_created_time] UDM field. |
vulnerabilities.affected_code.file.accessed_time |
extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_accessed_time] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.accessed_time log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_accessed_time] UDM field. |
vulnerabilities.affected_code.file.name |
extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_name] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.name log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_name] UDM field. |
vulnerabilities.affected_code.file.size |
extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_size] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.size log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_size] UDM field. |
vulnerabilities.affected_packages.architecture |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_architecture] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.architecture log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_architecture] UDM field. |
vulnerabilities.affected_packages.epoch |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_epoch] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.epoch log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_epoch] UDM field. |
vulnerabilities.affected_packages.name |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_name] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_name] UDM field. |
vulnerabilities.affected_packages.release |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_release] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.release log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_release] UDM field. |
vulnerabilities.affected_packages.version |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_version] |
Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.version log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_version] UDM field. |
vulnerabilities.cwe.uid |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_uid] |
Iterate through log field vulnerabilities, then vulnerabilities.cwe.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_uid] UDM field. |
vulnerabilities.cwe.caption |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_caption] |
Iterate through log field vulnerabilities, then vulnerabilities.cwe.caption log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_caption] UDM field. |
vulnerabilities.cwe.src_url |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_src_url] |
Iterate through log field vulnerabilities, then vulnerabilities.cwe.src_url log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_src_url] UDM field. |
vulnerabilities.cve.cwe.uid |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_cwe_uid] |
Iterate through log field vulnerabilities , then vulnerabilities.cwe.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_uid] UDM field. |
vulnerabilities.cve.cwe.caption |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_cwe_caption] |
Iterate through log field vulnerabilities , then vulnerabilities.cwe.caption log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_caption] UDM field. |
vulnerabilities.cve.cwe.src_url |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_cwe_src_url] |
Iterate through log field vulnerabilities , then vulnerabilities.cwe.src_url log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_src_url] UDM field. |
vulnerabilities.cve.epass.created_time |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_created_time] |
Iterate through log field vulnerabilities , then vulnerabilities.cve.epass.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_created_time] UDM field. |
vulnerabilities.cve.epass.score |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_score] |
Iterate through log field vulnerabilities , then vulnerabilities.cve.epass.score log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_score] UDM field. |
vulnerabilities.cve.epass.percentile |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_percentile] |
Iterate through log field vulnerabilities , then vulnerabilities.cve.epass.percentile log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_percentile] UDM field. |
vulnerabilities.cve.epass.version |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_version] |
Iterate through log field vulnerabilities , then vulnerabilities.cve.epass.version log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_version] UDM field. |
Field mapping reference: OCSF FTP Activity
The following table lists the log fields for the FTP Activity log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
cloud.region | about.location.name | |
cloud.zone | about.resource.attribute.cloud.availability_zone | |
cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
cloud.org.name | about.resource.name | |
cloud.org.uid | about.resource.product_object_id | |
malware.cves.product.name | extensions.vulns.vulnerabilities.about.application | |
malware.cves.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
malware.cves.uid | extensions.vulns.vulnerabilities.cve_id | |
malware.cves.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
malware.cves.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
malware.cves.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
malware.cves.created_time | extensions.vulns.vulnerabilities.first_found | |
malware.cves.type | extensions.vulns.vulnerabilities.name | |
malware.cves.cvss.severity | extensions.vulns.vulnerabilities.severity | If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
malware.cves.product.vendor_name | extensions.vulns.vulnerabilities.vendor | |
proxy.svc_name | intermediary.application | |
proxy.uid | intermediary.asset_id | |
proxy.domain | intermediary.domain.name | |
proxy.hostname | intermediary.hostname | |
dst_endpoint.intermediate_ips | intermediary.ip | |
proxy.intermediate_ips | intermediary.ip | |
proxy.ip | intermediary.ip | |
src_endpoint.intermediate_ips | intermediary.ip | |
proxy.location.city | intermediary.location.city | |
proxy.location.country | intermediary.location.country_or_region | |
proxy.location.region | intermediary.location.name | |
proxy.location.coordinates.1 | intermediary.location.region_coordinates.latitude | |
proxy.location.coordinates.0 | intermediary.location.region_coordinates.longitude | |
proxy.mac | intermediary.mac | |
proxy.port | intermediary.port | |
metadata.logged_time | metadata.collected_timestamp | |
api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
message | metadata.description | |
time | metadata.event_timestamp | |
class_name | metadata.log_type | |
metadata.product.name | metadata.product_name | |
metadata.product.version | metadata.product_version | |
metadata.product.vendor_name | metadata.vendor_name | |
metadata.uid | metadata.product_log_id | |
activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
connection_info.protocol_ver_id | network.application_protocol_version | If the connection_info.protocol_ver_id log field value is equal to 4 then, the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if connection_info.protocol_ver_id log field value is equal to 6 then, the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). |
connection_info.direction_id | network.direction | If the connection_info.direction_id log field value is equal to 1 then, the network.direction UDM field is set to INBOUND. Else, if connection_info.direction_id log field value is equal to 2 then, the network.direction UDM field is set to OUTBOUND. Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
command | network.ftp.command | |
api.response.code | network.http.response_code | |
connection_info.protocol_num | network.ip_protocol | If the connection_info.protocol_num log field value is equal to 1 then, the network.ip_protocol UDM field is set to ICMP. Else, if connection_info.protocol_num log field value is equal to 2 then, the network.ip_protocol UDM field is set to IGMP. Else, if connection_info.protocol_num log field value is equal to 6 then, the network.ip_protocol UDM field is set to TCP. Else, if connection_info.protocol_num log field value is equal to 17 then, the network.ip_protocol UDM field is set to UDP. Else, if connection_info.protocol_num log field value is equal to 41 then, the network.ip_protocol UDM field is set to IP6IN4. Else, if connection_info.protocol_num log field value is equal to 47 then, the network.ip_protocol UDM field is set to GRE. Else, if connection_info.protocol_num log field value is equal to 50 then, the network.ip_protocol UDM field is set to ESP. Else, if connection_info.protocol_num log field value is equal to 58 then, the network.ip_protocol UDM field is set to ICMP6. Else, if connection_info.protocol_num log field value is equal to 88 then, the network.ip_protocol UDM field is set to EIGRP. Else, if connection_info.protocol_num log field value is equal to 97 then, the network.ip_protocol UDM field is set to ETHERIP. Else, if connection_info.protocol_num log field value is equal to 103 then, the network.ip_protocol UDM field is set to PIM. Else, if connection_info.protocol_num log field value is equal to 112 then, the network.ip_protocol UDM field is set to VRRP. Else, if connection_info.protocol_num log field value is equal to 132 then, the network.ip_protocol UDM field is set to SCTP. Else, the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL. |
traffic.bytes_out | network.sent_bytes | |
traffic.packets_out | network.sent_packets | |
traffic.bytes_in | network.received_bytes | |
traffic.packets_in | network.received_packets | |
actor.session.uid | network.session_id | |
tls.cipher | network.tls.cipher | |
tls.certificate.issuer | network.tls.client.certificate.issuer | |
tls.certificate.expiration_time | network.tls.client.certificate.not_after | |
tls.certificate.created_time | network.tls.client.certificate.not_before | |
tls.certificate.serial_number | network.tls.client.certificate.serial | |
tls.certificate.subject | network.tls.client.certificate.subject | |
tls.certificate.version | network.tls.client.certificate.version | |
tls.ja3_hash.value | network.tls.client.ja3 | |
tls.ja3s_hash.value | network.tls.client.ja3s | |
tls.sni | network.tls.client.server_name | |
tls.client_ciphers | network.tls.client.supported_ciphers | |
tls.version | network.tls.version_protocol | |
observables.value | observer.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.file.vhash | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.hostname | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.ip | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.mac | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.process.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.resource.product_object_id | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.url | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.user.email_addresses | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.user.userid | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
actor.process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.domain |
principal.administrative_domain |
|
src_endpoint.svc_name |
principal.application |
|
src_endpoint.uid |
principal.asset_id |
|
device.created_time |
principal.asset.attribute.creation_time |
|
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.first_seen_time |
principal.asset.first_seen_time |
|
device.hw_info.cpu_speed |
principal.asset.hardware.cpu_clock_speed |
|
device.hw_info.cpu_type |
principal.asset.hardware.cpu_model |
|
device.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
device.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
device.hw_info.ram_size |
principal.asset.hardware.ram |
|
device.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
device.hostname |
principal.asset.hostname |
|
device.ip |
principal.asset.ip |
|
device.location.city |
principal.asset.location.city |
|
device.location.country |
principal.asset.location.country_or_region |
|
device.region |
principal.asset.location.name |
|
device.location.coordinates.1 |
principal.asset.location.region_coordinates.latitude |
|
device.location.coordinates.0 |
principal.asset.location.region_coordinates.longitude |
|
device.location.region |
principal.asset.loction.name |
If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
device.mac |
principal.asset.mac |
|
device.domain |
principal.asset.network_domain |
|
device.os.type_id |
principal.asset.platform_software.platform |
If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS . Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX . Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID . Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC . Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS . Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM . |
device.os.version | principal.asset.platform_software.platform_version | |
device.uid | principal.asset.product_object_id | |
device.type_id | principal.asset.type | If the device.type_id log field value is equal to 1 then, the principal.asset.type UDM field is set to SERVER . Else, if the device.type_id log field value is equal to 2 then, the principal.asset.type UDM field is set to WORKSTATION . Else, if the device.type_id log field value is equal to 3 then, the principal.asset.type UDM field is set to LAPTOP . Else, if the device.type_id log field value is equal to 4 or the device.type_id log field value is equal to 5 then, the principal.asset.type UDM field is set to MOBILE . Else, if the device.type_id log field value is equal to 7 then, the principal.asset.type UDM field is set to IOT . Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED . |
src_endpoint.domain | principal.domain.name | |
actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is empty then, the actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.user.groups.privileges | principal.group.attribute.permissions.name | |
actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is empty then, the actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.user.groups.name | principal.group.group_display_name | |
src_endpoint.hostname | principal.hostname | |
src_endpoint.ip | principal.ip | |
src_endpoint.location.city | principal.location.city | |
src_endpoint.location.country | principal.location.country_or_region | |
src_endpoint.location.region | principal.location.name | |
src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | |
src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | |
src_endpoint.mac | principal.mac | |
src_endpoint.port | principal.port | |
actor.process.cmd_line | principal.process.command_line | |
actor.process.file.created_time | principal.process.file.first_seen_time | |
actor.process.file.path | principal.process.file.full_path | |
actor.process.file.modified_time | principal.process.file.last_modification_time | |
actor.process.file.accessed_time | principal.process.file.last_seen_time | |
actor.process.file.mime_type | principal.process.file.mime_type | |
actor.process.file.name | principal.process.file.names | |
actor.process.file.size | principal.process.file.size | |
actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
actor.process.parent_process.pid | principal.process.parent_process.pid | |
actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
actor.process.pid | principal.process.pid | |
actor.process.uid | principal.process.product_specific_process_id | |
cloud.project_uid | principal.resource.product_object_id | |
actor.process.user.type_id | principal.user.attribute.roles.name | Applies only if the actor.user.type_id log field value is empty. If the actor.process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if the actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if the actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if the actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if the actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if the actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if the actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is empty then, the actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.name | principal.user.company_name | |
actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is empty then, the actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.org.ou_name | principal.user.department | |
actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is empty then, the actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.email_addr | principal.user.email_addresses | |
actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is empty then, the actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.groups.uid | principal.user.group_identifiers | |
actor.process.user.full_name | principal.user.user_display_name | If the actor.user.full_name log field value is empty then, the actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.full_name | principal.user.user_display_name | |
actor.process.user.name | principal.user.userid | If the actor.user.name log field value is empty then, the actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.name | principal.user.userid | |
actor.process.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is empty then, the actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.uid | principal.user.product_object_id | |
disposition_id | security_result.action | If the disposition_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW . Else, if the disposition_id log field value is equal to 2 then, the security_result.action UDM field is set to BLOCK . Else, if the disposition_id log field value is equal to 4 then, the security_result.action UDM field is set to QUARANTINE . Else, the security_result.action UDM field is set to UNKNOWN_ACTION . |
disposition | security_result.action_details | |
attacks.tactics.uid | security_result.attack_details.tactics.id | |
attacks.tactics.name | security_result.attack_details.tactics.name | |
attacks.technique.uid | security_result.attack_details.technique.id | |
attacks.technique.name | security_result.attack_details.technique.name | |
attacks.version | security_result.attack_details.version | |
category_name | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
severity_id | security_result.severity | If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL . Else, if the severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW . Else, if the severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM . Else, if the severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH . Else, if the severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL . Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY . |
severity | security_result.severity_details | |
malware.uid | security_result.threat_id | |
malware.name | security_result.threat_name | |
api.service.name | target.application | If the dst_endpoint.svc_name log field value is empty then, the api.service.name log field is mapped to the target.application UDM field. |
dst_endpoint.svc_name | target.application | |
dst_endpoint.uid | target.asset_id | |
dst_endpoint.domain | target.domain.name | |
dst_endpoint.hostname | target.hostname | |
dst_endpoint.ip | target.ip | |
dst_endpoint.location.city | target.location.city | |
dst_endpoint.location.country | target.location.country_or_region | |
dst_endpoint.location.region | target.location.name | |
dst_endpoint.location.coordinates.1 | target.location.region_coordinates.latitude | |
dst_endpoint.location.coordinates.0 | target.location.region_coordinates.longitude | |
dst_endpoint.mac | target.mac | |
dst_endpoint.port | target.port | |
type_uid | security_result.detection_fields[type_uid] | |
connection_info.session.uid_alt | additional.fields[connection_info_session_uid_alt] | |
connection_info.session.count | additional.fields[connection_info_session_count] | |
connection_info.session.expiration_reason | additional.fields[connection_info_session_expiration_reason] | |
connection_info.session.is_mfa | additional.fields[connection_info_session_is_mfa] | |
connection_info.session.terminal | additional.fields[connection_info_session_terminal] | |
connection_info.session.is_vpn | additional.fields[connection_info_session_is_vpn] | |
dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
dst_endpoint.type | additional.fields[dst_endpoint_type] | |
dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
dst_endpoint.proxy_endpoint.port | intermediary.port | |
dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
metadata.log_level | additional.fields[metadata_log_level] | |
metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
metadata.loggers.device.hostname | about.asset.hostname | For each element of the metadata.loggers log field, the metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip | about.asset.ip | For each element of the metadata.loggers log field, the metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | For each element of the metadata.loggers log field, the metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | For each element of the metadata.loggers log field, the metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | For each element of the metadata.loggers log field, the metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | For each element of the metadata.loggers log field, the metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | For each element of the metadata.loggers log field, the metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | For each element of the metadata.loggers log field, the metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid | about.asset.asset_id | For each element of the metadata.loggers log field, the metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name | additional.fields[metadata_product_name] | For each element of the metadata.loggers log field, the metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | For each element of the metadata.loggers log field, the metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version | additional.fields[metadata_product_version] | For each element of the metadata.loggers log field, the metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid | additional.fields[metadata_product_uid] | For each element of the metadata.loggers log field, the metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid | additional.fields[metadata_loggers_uid] | For each element of the metadata.loggers log field, the metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name | additional.fields[metadata_loggers_name] | For each element of the metadata.loggers log field, the metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | For each element of the metadata.loggers log field, the metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | For each element of the metadata.loggers log field, the metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
src_endpoint.type | additional.fields[src_endpoint_type] | |
src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
src_endpoint.proxy_endpoint.ip | intermediary.ip | |
src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
src_endpoint.proxy_endpoint.mac | intermediary.mac | |
src_endpoint.proxy_endpoint.port | intermediary.port | |
src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
tls.certificate.uid | additional.fields[tls_certificate_uid] | |
traffic.chunks | additional.fields[traffic_chunks] | |
traffic.chunks_in | additional.fields[traffic_chunks_in] | |
traffic.chunks_out | additional.fields[traffic_chunks_out] | |
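The enumeration and fallback rules in the table above are easy to misread when writing detection content against the resulting UDM (for example, an empty actor.user.name silently becomes the process owner's name in principal.user.userid, and the OCSF coordinate array is [longitude, latitude], not the reverse). The following Python re-implements that subset of the documented logic so it can be checked against a sample event. It is an added illustration written for this page, not the Google SecOps OCSF parser: the mapping rules, enum values and field names are taken from the table, while the function names, the flat dotted-string UDM keys, the list representation of repeated about entries, and the OCSF event it runs on are this example's own constructed conventions.

```python
"""Reference re-implementation of a subset of the OCSF -> UDM mapping logic
documented in the table above (added example; not the SecOps parser)."""
from typing import Any, Optional

# Enumerations exactly as the mapping table states them.
PLATFORM_BY_OS_TYPE_ID = {100: "WINDOWS", 101: "WINDOWS", 200: "LINUX",
                          201: "ANDROID", 300: "MAC", 301: "IOS"}
ASSET_TYPE_BY_DEVICE_TYPE_ID = {1: "SERVER", 2: "WORKSTATION", 3: "LAPTOP",
                                4: "MOBILE", 5: "MOBILE", 7: "IOT"}
ROLE_BY_USER_TYPE_ID = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}
ACTION_BY_DISPOSITION_ID = {1: "ALLOW", 2: "BLOCK", 4: "QUARANTINE"}
SEVERITY_BY_ID = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}

# actor.user.* wins; actor.process.user.* is used only when actor.user.* is empty.
USER_FALLBACK_FIELDS = {
    "name": "principal.user.userid",
    "uid": "principal.user.product_object_id",
    "email_addr": "principal.user.email_addresses",
    "full_name": "principal.user.user_display_name",
    "org.name": "principal.user.company_name",
    "org.ou_name": "principal.user.department",
}
# src_endpoint -> principal.*, dst_endpoint -> target.* (same suffixes for both).
ENDPOINT_FIELDS = {"hostname": "hostname", "ip": "ip", "mac": "mac", "port": "port",
                   "domain": "domain.name", "location.city": "location.city",
                   "location.country": "location.country_or_region",
                   "location.region": "location.name"}


def get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path such as 'actor.user.name'; None when any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def is_empty(value: Any) -> bool:
    # 0 is a real value (user type_id 0 means Unknown), so only None and
    # empty strings/containers count as "empty" for the fallback rules.
    return value is None or value == "" or value == [] or value == {}


def first_present(event: dict, *paths: str) -> Any:
    """The table's 'if X is empty then use Y' rule, generalised to N candidates."""
    for path in paths:
        value = get_path(event, path)
        if not is_empty(value):
            return value
    return None


def map_endpoint(endpoint: Optional[dict], prefix: str) -> dict:
    udm = {}
    if not endpoint:
        return udm
    for ocsf_path, udm_suffix in ENDPOINT_FIELDS.items():
        value = get_path(endpoint, ocsf_path)
        if not is_empty(value):
            udm[f"{prefix}.{udm_suffix}"] = value
    coords = get_path(endpoint, "location.coordinates")
    if isinstance(coords, list) and len(coords) == 2:
        # OCSF coordinates are [longitude, latitude]; the table maps index 1 to
        # latitude and index 0 to longitude. Do not swap them.
        udm[f"{prefix}.location.region_coordinates.latitude"] = coords[1]
        udm[f"{prefix}.location.region_coordinates.longitude"] = coords[0]
    return udm


def normalize(event: dict) -> dict:
    udm = {}
    udm["principal.asset.platform_software.platform"] = PLATFORM_BY_OS_TYPE_ID.get(
        get_path(event, "device.os.type_id"), "UNKNOWN_PLATFORM")
    udm["principal.asset.type"] = ASSET_TYPE_BY_DEVICE_TYPE_ID.get(
        get_path(event, "device.type_id"), "ROLE_UNSPECIFIED")
    for field, udm_key in USER_FALLBACK_FIELDS.items():
        value = first_present(event, f"actor.user.{field}", f"actor.process.user.{field}")
        if value is not None:
            udm[udm_key] = value
    type_id = first_present(event, "actor.user.type_id", "actor.process.user.type_id")
    if type_id is not None:
        udm["principal.user.attribute.roles.name"] = ROLE_BY_USER_TYPE_ID.get(type_id, "Other")
    if "disposition_id" in event:
        udm["security_result.action"] = ACTION_BY_DISPOSITION_ID.get(
            event["disposition_id"], "UNKNOWN_ACTION")
    if "severity_id" in event:
        udm["security_result.severity"] = SEVERITY_BY_ID.get(event["severity_id"], "UNKNOWN_SEVERITY")
    if "category_uid" in event or "category_name" in event:
        udm["security_result.category_details"] = f"{event.get('category_uid')} - {event.get('category_name')}"
    udm.update(map_endpoint(event.get("src_endpoint"), "principal"))
    udm.update(map_endpoint(event.get("dst_endpoint"), "target"))
    app = first_present(event, "dst_endpoint.svc_name", "api.service.name")
    if app is not None:
        udm["target.application"] = app
    # metadata.loggers is repeated: one about.asset entry per logger element.
    about = [{"asset.hostname": get_path(lg, "device.hostname"), "asset.ip": get_path(lg, "device.ip"),
              "asset.asset_id": get_path(lg, "device.uid")} for lg in get_path(event, "metadata.loggers") or []]
    if about:
        udm["about"] = about
    return udm


# Constructed OCSF event (not a real log) exercising the fallback and enum rules.
SAMPLE_EVENT = {
    "class_uid": 3002, "category_uid": 3, "category_name": "Audit Activity",
    "severity_id": 4, "disposition_id": 2,
    "device": {"os": {"type_id": 101}, "type_id": 5},
    "actor": {"user": {"name": "", "uid": "S-1-5-21-1111", "type_id": 2},
              "process": {"user": {"name": "svc_backup", "email_addr": "svc@example.com", "type_id": 1}}},
    "src_endpoint": {"ip": "198.51.100.7", "port": 51515, "location": {"coordinates": [-73.983, 40.719]}},
    "dst_endpoint": {"hostname": "dc01", "ip": "198.51.100.4", "port": 445, "svc_name": ""},
    "api": {"service": {"name": "smb"}},
    "metadata": {"loggers": [{"device": {"hostname": "collector-1", "ip": "203.0.113.9", "uid": "lg-1"}}]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize(SAMPLE_EVENT), indent=2))
```

Two things the run makes visible that the table only implies: principal.user.userid ends up as svc_backup although actor.user.name is present (it is an empty string, which the fallback treats as absent), and principal.user.attribute.roles.name is Admin because actor.user.type_id takes precedence over actor.process.user.type_id even when both are set. Rules keyed on those UDM fields should be written with that precedence in mind.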
Field mapping reference: OCSF Compliance Finding
The following table lists the log fields for the Compliance Finding log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
activity_id |
metadata.event_type |
If the class_name log field value is equal to Compliance Finding then, the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED . |
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
actor.process.cmd_line |
principal.process.command_line |
|
actor.process.file.accessed_time |
principal.process.file.last_seen_time |
|
actor.process.file.created_time |
principal.process.file.first_seen_time |
|
actor.process.file.mime_type |
principal.process.file.mime_type |
|
actor.process.file.modified_time |
principal.process.file.last_modification_time |
|
actor.process.file.name |
principal.process.file.names |
|
actor.process.file.path |
principal.process.file.full_path |
|
actor.process.file.signature.algorithm |
principal.process.file.signature_info.sigcheck.x509.algorithm |
|
actor.process.file.signature.certificate.issuer |
principal.process.file.signature_info.sigcheck.x509.cert_issuer |
|
actor.process.file.signature.certificate.serial_number |
principal.process.file.signature_info.sigcheck.x509.serial_number |
|
actor.process.file.size |
principal.process.file.size |
|
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
|
actor.process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
|
actor.process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
|
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
|
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
|
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
|
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
|
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
|
actor.process.parent_process.pid |
principal.process.parent_process.pid |
|
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
|
actor.process.pid |
principal.process.pid |
|
actor.process.uid |
principal.process.product_specific_process_id |
|
actor.process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is empty then, %{actor.process.user.email_addr} log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is empty then, %{actor.process.user.full_name} log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name |
principal.user.userid |
If the actor.user.name log field value is empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is empty, then: if the actor.process.user.type_id log field value is equal to 0, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if the actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.session.uid |
network.session_id |
|
actor.user.domain |
principal.administrative_domain |
|
actor.user.email_addr |
principal.user.email_addresses |
|
actor.user.full_name |
principal.user.user_display_name |
|
actor.user.groups.name |
principal.group.group_display_name |
|
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
|
actor.user.groups.uid |
principal.user.group_identifiers |
|
actor.user.name |
principal.user.userid |
|
actor.user.org.name |
principal.user.company_name |
|
actor.user.org.ou_name |
principal.user.department |
|
actor.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if the actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.user.uid |
principal.user.product_object_id |
|
api.response.code |
network.http.response_code |
|
api.response.message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name |
target.application |
|
api.response.error_message |
additional.fields[res_error_message] |
|
api.response.error |
additional.fields[res_error] |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
class_name |
metadata.log_type |
|
cloud.org.name |
about.resource.name |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if the cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if the cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
compliance.requirements |
security_result.detection_fields[compliance_requirements] |
|
compliance.status |
security_result.detection_fields[compliance_status] |
|
compliance.status_detail |
security_result.detection_fields[compliance_status_detail] |
|
confidence |
security_result.confidence |
If the confidence log field value matches the regular expression pattern Low then, the security_result.confidence UDM field is set to LOW_CONFIDENCE. Else, if the confidence log field value matches the regular expression pattern Medium then, the security_result.confidence UDM field is set to MEDIUM_CONFIDENCE. Else, if the confidence log field value matches the regular expression pattern High then, the security_result.confidence UDM field is set to HIGH_CONFIDENCE. Else, the security_result.confidence UDM field is set to UNKNOWN_CONFIDENCE. |
confidence_score |
security_result.confidence_details |
|
count |
security_result.detection_fields[count] |
|
device.created_time |
principal.asset.attribute.creation_time |
|
device.domain |
principal.asset.network_domain |
|
device.first_seen_time |
principal.asset.first_seen_time |
|
device.hostname |
principal.asset.hostname |
|
device.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
device.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
device.hw_info.cpu_speed |
principal.asset.hardware.cpu_clock_speed |
|
device.hw_info.cpu_type |
principal.asset.hardware.cpu_model |
|
device.hw_info.ram_size |
principal.asset.hardware.ram |
|
device.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
device.ip |
principal.asset.ip |
|
device.location.city |
principal.asset.location.city |
|
device.location.coordinates.0 |
principal.asset.location.region_coordinates.longitude |
|
device.location.coordinates.1 |
principal.asset.location.region_coordinates.latitude |
|
device.location.country |
principal.asset.location.country_or_region |
|
device.location.region |
principal.asset.location.name |
If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
device.mac |
principal.asset.mac |
|
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.os.type_id |
principal.asset.platform_software.platform |
If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if the device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX. Else, if the device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if the device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC. Else, if the device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS. Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
device.os.version |
principal.asset.platform_software.platform_version |
|
device.region |
principal.asset.location.name |
|
device.type_id |
principal.asset.type |
If the device.type_id log field value is equal to 1 then, the principal.asset.type UDM field is set to SERVER. Else, if the device.type_id log field value is equal to 2 then, the principal.asset.type UDM field is set to WORKSTATION. Else, if the device.type_id log field value is equal to 3 then, the principal.asset.type UDM field is set to LAPTOP. Else, if the device.type_id log field value is equal to 4 or the device.type_id log field value is equal to 5 then, the principal.asset.type UDM field is set to MOBILE. Else, if the device.type_id log field value is equal to 7 then, the principal.asset.type UDM field is set to IOT. Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED. |
device.uid |
principal.asset.product_object_id |
|
end_time |
security_result.detection_fields[end_time] |
|
enrichments.name |
security_result.detection_fields[enrichments_name] |
|
enrichments.provider |
security_result.detection_fields[enrichments_provider] |
|
enrichments.type |
security_result.detection_fields[enrichments_type] |
|
enrichments.value |
security_result.detection_fields[enrichments_value] |
|
finding_info.analytic.desc |
security_result.detection_fields[finding_info_analytic_desc] |
|
finding_info.analytic.name |
security_result.analytics_metadata.analytic |
|
finding_info.analytic.related_analytics.category |
security_result.detection_fields[finding_info_analytic_related_analytics_category] |
|
finding_info.analytic.related_analytics.desc |
security_result.detection_fields[finding_info_analytic_related_analytics_desc] |
|
finding_info.analytic.related_analytics.name |
security_result.detection_fields[finding_info_analytic_related_analytics_name] |
|
finding_info.analytic.related_analytics.type |
security_result.detection_fields[finding_info_analytic_related_analytics_type] |
|
finding_info.analytic.related_analytics.type_id |
security_result.detection_fields[finding_info_analytic_related_analytics_typeId] |
|
finding_info.analytic.related_analytics.uid |
security_result.detection_fields[finding_info_analytic_related_analytics_uid] |
|
finding_info.analytic.type |
security_result.detection_fields[finding_info_analytic_type] |
|
finding_info.analytic.type_id |
security_result.detection_fields[finding_info_analytic_typeId] |
|
finding_info.attacks.sub_technique.name |
security_result.attack_details.techniques.subtechnique_name |
|
finding_info.attacks.sub_technique.uid |
security_result.attack_details.techniques.subtechnique_id |
|
finding_info.attacks.tactic.name |
security_result.attack_details.tactics.name |
|
finding_info.attacks.tactic.uid |
security_result.attack_details.tactics.id |
|
finding_info.attacks.technique.name |
security_result.attack_details.techniques.name |
|
finding_info.attacks.technique.uid |
security_result.attack_details.techniques.id |
|
finding_info.attacks.version |
security_result.attack_details.version |
|
finding_info.created_time |
security_result.detection_fields[finding_info_created_time] |
|
finding_info.data_sources |
security_result.detection_fields[finding_info_data_sources] |
|
finding_info.desc |
security_result.description |
|
finding_info.first_seen_time |
security_result.first_discovered_time |
|
finding_info.last_seen_time |
security_result.detection_fields[finding_info_last_seen_time] |
|
finding_info.modified_time |
security_result.detection_fields[finding_info_modified_time] |
|
finding_info.product_uid |
principal.asset_id |
|
finding_info.related_events.product_uid |
security_result.detection_fields[finding_info_related_events_product_uid] |
|
finding_info.related_events.uid |
security_result.detection_fields[finding_info_related_events_uid] |
|
finding_info.src_url |
security_result.url_back_to_product |
|
finding_info.title |
security_result.summary |
|
finding_info.types |
security_result.detection_fields[finding_info_types] |
|
finding_info.uid |
security_result.detection_fields[finding_info_uid] |
|
message |
metadata.description |
|
metadata.labels |
additional.fields[metadata_labels] |
|
metadata.log_name |
additional.fields[metadata_log_name] |
|
metadata.log_provider |
additional.fields[metadata_log_provider] |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.modified_time |
additional.fields[metadata_modified_time] |
|
metadata.original_time |
additional.fields[metadata_original_time] |
|
metadata.product.feature.name |
additional.fields[metadata_product_feature_name] |
|
metadata.product.feature.uid |
additional.fields[metadata_product_feature_uid] |
|
metadata.product.lang |
additional.fields[metadata_product_lang] |
|
metadata.product.name |
metadata.product_name |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
metadata.profiles |
additional.fields[metadata_profiles] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.uid |
metadata.product_log_id |
|
metadata.version |
additional.fields[metadata_version] |
|
observables.value |
observer.file.names |
|
observables.value |
observer.file.vhash |
|
observables.value |
observer.hostname |
Iterate through the observables log field, then: if the observables.type_id log field value is equal to 1 and the observer.hostname UDM field is empty then, observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4 and the observer.user.userid UDM field is empty then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6 and the observer.url UDM field is empty then, observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8 and the observer.file.vhash UDM field is empty then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10 and the observer.resource.product_object_id UDM field is empty then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
|
observables.value |
observer.mac |
|
observables.value |
observer.process.file.names |
|
observables.value |
observer.resource.product_object_id |
|
observables.value |
observer.url |
|
observables.value |
observer.user.email_addresses |
|
observables.value |
observer.user.userid |
|
raw_data |
additional.fields[raw_data] |
|
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if the severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if the severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if the severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
status |
security_result.detection_fields[status] |
|
status_code |
security_result.detection_fields[status_code] |
|
time |
metadata.event_timestamp |
|
type_name |
security_result.detection_fields[type_name] |
|
type_uid |
security_result.detection_fields[type_uid] |
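The observables row above is the one place in this table where the mapping is a procedure rather than a one-to-one field copy: the parser walks the observables array, dispatches on type_id, and for single-valued observer fields keeps only the first value seen. When validating what the parser produced for a given event, it helps to have that logic as code to compute the expected observer fields and diff them against the UDM record. The following is an added example, not the parser's code: the type_id table is taken from the logic row above; the assumption that observer.ip, observer.mac, observer.user.email_addresses, observer.file.names and observer.process.file.names are list-valued (so every observable value is appended) is mine, as is the constructed sample event.

```python
"""Expected-output oracle for the OCSF observables -> UDM observer mapping.

Added example; re-implements the logic row of the mapping table so that a
parser's output can be compared against it. Not Google SecOps parser code.
"""
from typing import Any

# observables.type_id -> (UDM observer field, set_only_if_empty)
# The five fields flagged True are single-valued and take the first value
# only, per the table; the rest are assumed to be repeated UDM fields.
OBSERVABLE_TARGETS: dict[int, tuple[str, bool]] = {
    1: ("observer.hostname", True),
    2: ("observer.ip", False),
    3: ("observer.mac", False),
    4: ("observer.user.userid", True),
    5: ("observer.user.email_addresses", False),
    6: ("observer.url", True),
    7: ("observer.file.names", False),
    8: ("observer.file.vhash", True),
    9: ("observer.process.file.names", False),
    10: ("observer.resource.product_object_id", True),
}


def map_observables(event: dict[str, Any]) -> dict[str, Any]:
    """Return the observer.* UDM fields the table logic yields for `event`.

    Keys are dotted UDM paths; single-valued fields hold a string, repeated
    fields hold a list in observable order.
    """
    udm: dict[str, Any] = {}
    for obs in event.get("observables", []):
        target = OBSERVABLE_TARGETS.get(obs.get("type_id"))
        value = obs.get("value")
        if target is None or value in (None, ""):
            # No branch in the table matches this type_id, or there is
            # nothing to map: the observable contributes no UDM field.
            continue
        field, set_once = target
        if set_once:
            if not udm.get(field):  # "if the UDM field value is empty"
                udm[field] = value
        else:
            udm.setdefault(field, []).append(value)
    return udm


# Constructed sample event (not from the page): two hostnames to show the
# first-wins rule, two IPs to show appending, an empty vhash and an unknown
# type_id to show what is skipped.
SAMPLE_EVENT: dict[str, Any] = {
    "class_uid": 2004,
    "observables": [
        {"name": "device.hostname", "type_id": 1, "value": "host-a"},
        {"name": "dst_endpoint.hostname", "type_id": 1, "value": "host-b"},
        {"name": "device.ip", "type_id": 2, "value": "198.51.100.4"},
        {"name": "dst_endpoint.ip", "type_id": 2, "value": "198.51.100.5"},
        {"name": "actor.user.name", "type_id": 4, "value": "jdoe"},
        {"name": "file.hashes", "type_id": 8, "value": ""},
        {"name": "custom", "type_id": 99, "value": "ignored"},
    ],
}

# What the table logic should produce for SAMPLE_EVENT.
EXPECTED_UDM: dict[str, Any] = {
    "observer.hostname": "host-a",
    "observer.ip": ["198.51.100.4", "198.51.100.5"],
    "observer.user.userid": "jdoe",
}


def check_sample() -> bool:
    """True when the oracle reproduces EXPECTED_UDM for the sample event."""
    return map_observables(SAMPLE_EVENT) == EXPECTED_UDM


if __name__ == "__main__":
    for path, value in sorted(map_observables(SAMPLE_EVENT).items()):
        print(f"{path} = {value!r}")
    print("matches expected:", check_sample())
```

To use this against real output, feed the original OCSF JSON to map_observables and compare the result with the observer fields of the UDM event Google SecOps stored; a mismatch on a single-valued field usually means the observables array order differed from what you assumed, since only the first value wins.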
Field mapping reference: OCSF Detection Finding
The following table lists the log fields for the Detection Finding log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
activity_id |
metadata.event_type |
If the class_name log field value is equal to Detection Finding then, the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |
activity_name |
metadata.product_event_type |
|
actor.process.cmd_line |
principal.process.command_line |
|
actor.process.file.accessed_time |
principal.process.file.last_seen_time |
|
actor.process.file.created_time |
principal.process.file.first_seen_time |
|
actor.process.file.mime_type |
principal.process.file.mime_type |
|
actor.process.file.modified_time |
principal.process.file.last_modification_time |
|
actor.process.file.name |
principal.process.file.names |
|
actor.process.file.path |
principal.process.file.full_path |
|
actor.process.file.signature.algorithm |
principal.process.file.signature_info.sigcheck.x509.algorithm |
|
actor.process.file.signature.certificate.issuer |
principal.process.file.signature_info.sigcheck.x509.cert_issuer |
|
actor.process.file.signature.certificate.serial_number |
principal.process.file.signature_info.sigcheck.x509.serial_number |
|
actor.process.file.size |
principal.process.file.size |
|
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
|
actor.process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
|
actor.process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
|
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
|
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
|
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
|
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
|
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
|
actor.process.parent_process.pid |
principal.process.parent_process.pid |
|
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
|
actor.process.pid |
principal.process.pid |
|
actor.process.uid |
principal.process.product_specific_process_id |
|
actor.process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name |
principal.user.userid |
If the actor.user.name log field value is empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is empty, then: if the actor.process.user.type_id log field value is equal to 0, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if the actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.session.uid |
network.session_id |
|
actor.user.domain |
principal.administrative_domain |
|
actor.user.email_addr |
principal.user.email_addresses |
|
actor.user.full_name |
principal.user.user_display_name |
|
actor.user.groups.name |
principal.group.group_display_name |
|
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
|
actor.user.groups.uid |
principal.user.group_identifiers |
|
actor.user.name |
principal.user.userid |
|
actor.user.org.name |
principal.user.company_name |
|
actor.user.org.ou_name |
principal.user.department |
|
actor.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if the actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.user.uid |
principal.user.product_object_id |
|
api.response.message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name |
target.application |
|
api.response.code |
network.http.response_code |
|
api.response.error_message |
additional.fields[res_error_message] |
|
api.response.error |
additional.fields[res_error] |
|
attacks.sub_technique.name |
security_result.attack_details.technique.subtechnique_name |
|
attacks.sub_technique.uid |
security_result.attack_details.technique.subtechnique_id |
|
attacks.tactic.name |
security_result.attack_details.tactics.name |
|
attacks.tactic.uid |
security_result.attack_details.tactics.id |
|
attacks.technique.name |
security_result.attack_details.technique.name |
|
attacks.technique.uid |
security_result.attack_details.technique.id |
|
attacks.version |
security_result.attack_details.version |
|
category_name |
security_result.category_details |
|
category_uid |
security_result.category_details |
|
class_name |
metadata.log_type |
|
cloud.org.name |
about.resource.name |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
|
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
confidence |
security_result.confidence |
|
confidence_score |
security_result.confidence_details |
|
count |
security_result.detection_fields[count] |
|
device.created_time |
principal.asset.attribute.creation_time |
|
device.domain |
principal.asset.network_domain |
|
device.first_seen_time |
principal.asset.first_seen_time |
|
device.hostname |
principal.asset.hostname |
|
device.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
device.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
device.hw_info.cpu_speed |
principal.asset.hardware.cpu_clock_speed |
|
device.hw_info.cpu_type |
principal.asset.hardware.cpu_model |
|
device.hw_info.ram_size |
principal.asset.hardware.ram |
|
device.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
device.ip |
principal.asset.ip |
|
device.location.city |
principal.asset.location.city |
|
device.location.coordinates.0 |
principal.asset.location.region_coordinates.longitude |
|
device.location.coordinates.1 |
principal.asset.location.region_coordinates.latitude |
|
device.location.country |
principal.asset.location.country_or_region |
|
device.location.region |
principal.asset.location.name |
|
device.mac |
principal.asset.mac |
|
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.os.type_id |
principal.asset.platform_software.platform |
|
device.os.version |
principal.asset.platform_software.platform_version |
|
device.region |
principal.asset.location.name |
|
device.type_id |
principal.asset.type |
|
device.uid |
principal.asset.product_object_id |
|
end_time |
security_result.detection_fields[end_time] |
|
enrichments.name |
security_result.detection_fields[enrichments_name] |
|
enrichments.provider |
security_result.detection_fields[enrichments_provider] |
|
enrichments.type |
security_result.detection_fields[enrichments_type] |
|
enrichments.value |
security_result.detection_fields[enrichments_value] |
|
finding_info.analytic.desc |
security_result.detection_fields[finding_info_analytic_desc] |
|
finding_info.analytic.name |
security_result.analytics_metadata.analytic |
|
finding_info.analytic.related_analytics.category |
security_result.detection_fields[finding_info_analytic_related_analytics_category] |
|
finding_info.analytic.related_analytics.desc |
security_result.detection_fields[finding_info_analytic_related_analytics_desc] |
|
finding_info.analytic.related_analytics.name |
security_result.detection_fields[finding_info_analytic_related_analytics_name] |
|
finding_info.analytic.related_analytics.type |
security_result.detection_fields[finding_info_analytic_related_analytics_type] |
|
finding_info.analytic.related_analytics.type_id |
security_result.detection_fields[finding_info_analytic_related_analytics_typeId] |
|
finding_info.analytic.related_analytics.uid |
security_result.detection_fields[finding_info_analytic_related_analytics_uid] |
|
finding_info.analytic.type |
security_result.detection_fields[finding_info_analytic_type] |
|
finding_info.analytic.type_id |
security_result.detection_fields[finding_info_analytic_typeId] |
|
finding_info.attacks.sub_technique.name |
security_result.attack_details.techniques.subtechnique_name |
|
finding_info.attacks.sub_technique.uid |
security_result.attack_details.techniques.subtechnique_id |
|
finding_info.attacks.tactic.name |
security_result.attack_details.tactics.name |
|
finding_info.attacks.tactic.uid |
security_result.attack_details.tactics.id |
|
finding_info.attacks.technique.name |
security_result.attack_details.techniques.name |
|
finding_info.attacks.technique.uid |
security_result.attack_details.techniques.id |
|
finding_info.attacks.version |
security_result.attack_details.version |
|
finding_info.created_time |
security_result.detection_fields[finding_info_created_time] |
|
finding_info.data_sources |
security_result.detection_fields[finding_info_data_sources] |
|
finding_info.desc |
security_result.description |
|
finding_info.first_seen_time |
security_result.first_discovered_time |
|
finding_info.last_seen_time |
security_result.detection_fields[finding_info_last_seen_time] |
|
finding_info.modified_time |
security_result.detection_fields[finding_info_modified_time] |
|
finding_info.product_uid |
principal.asset_id |
|
finding_info.related_events.product_uid |
security_result.detection_fields[finding_info_related_events_product_uid] |
|
finding_info.related_events.uid |
security_result.detection_fields[finding_info_related_events_uid] |
|
finding_info.src_url |
security_result.url_back_to_product |
|
finding_info.title |
security_result.summary |
|
finding_info.types |
security_result.detection_fields[finding_info_types] |
|
finding_info.uid |
security_result.detection_fields[finding_info_uid] |
|
firewall_rule.category |
security_result.rule_labels[firewall_rule_category] |
|
firewall_rule.desc |
security_result.rule_labels[firewall_rule_description] |
|
firewall_rule.name |
security_result.rule_name |
|
firewall_rule.type |
security_result.rule_type |
|
firewall_rule.uid |
security_result.rule_id |
|
firewall_rule.version |
security_result.rule_version |
|
malware.classification_ids |
security_result.detection_fields[malware.classification_ids] |
|
malware.classifications |
security_result.detection_fields[malware.classifications] |
|
malware.cves.created_time |
extensions.vulns.vulnerabilities.first_found |
|
malware.cves.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
malware.cves.cvss.severity |
extensions.vulns.vulnerabilities.severity |
|
malware.cves.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
malware.cves.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
malware.cves.product.name |
extensions.vulns.vulnerabilities.about.application |
|
malware.cves.product.uid |
extensions.vulns.vulnerabilities.about.asset_id |
|
malware.cves.product.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
malware.cves.type |
extensions.vulns.vulnerabilities.name |
|
malware.cves.uid |
extensions.vulns.vulnerabilities.cve_id |
|
malware.name |
security_result.threat_name |
|
malware.path |
security_result.detection_fields[malware_path] |
|
malware.uid |
security_result.threat_id |
|
message |
metadata.description |
|
metadata.labels |
additional.fields[metadata_labels] |
|
metadata.log_name |
additional.fields[metadata_log_name] |
|
metadata.log_provider |
additional.fields[metadata_log_provider] |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.modified_time |
additional.fields[metadata_modified_time] |
|
metadata.original_time |
additional.fields[metadata_original_time] |
|
metadata.product.feature.name |
additional.fields[metadata_product_feature_name] |
|
metadata.product.feature.uid |
additional.fields[metadata_product_feature_uid] |
|
metadata.product.lang |
additional.fields[metadata_product_lang] |
|
metadata.product.name |
metadata.product_name |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
metadata.profiles |
additional.fields[metadata_profiles] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.uid |
metadata.product_log_id |
|
metadata.version |
additional.fields[metadata_version] |
|
observables.value |
observer.file.names |
|
observables.value |
observer.file.vhash |
|
observables.value |
observer.hostname |
|
observables.value |
observer.ip |
|
observables.value |
observer.mac |
|
observables.value |
observer.process.file.names |
|
observables.value |
observer.resource.product_object_id |
|
observables.value |
observer.url |
|
observables.value |
observer.user.email_addresses |
|
observables.value |
observer.user.userid |
|
raw_data |
additional.fields[raw_data] |
|
remediation.desc |
security_result.outcomes[remediation_desc] |
|
remediation.kb_articles |
security_result.outcomes[remediation_kb_articles] |
|
risk_level |
security_result.detection_fields[risk_level] |
|
risk_level_id |
security_result.detection_fields[risk_level_id] |
|
risk_score |
security_result.risk_score |
|
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
|
status |
security_result.detection_fields[status] |
|
status_code |
security_result.detection_fields[status_code] |
|
time |
metadata.event_timestamp |
|
type_name |
security_result.detection_fields[type_name] |
|
type_uid |
security_result.detection_fields[type_uid] |
|
vulnerabilities.affected_code.file.created_time |
extensions.vulns.vulnerabilities.about.file.first_seen_time |
|
vulnerabilities.affected_code.file.creator.email_addr |
extensions.vulns.vulnerabilities.about.user.email_addresses |
|
vulnerabilities.affected_code.file.creator.full_name |
extensions.vulns.vulnerabilities.about.user.user_display_name |
|
vulnerabilities.affected_code.file.creator.groups.uid |
extensions.vulns.vulnerabilities.about.user.group_identifiers |
|
vulnerabilities.affected_code.file.creator.name |
extensions.vulns.vulnerabilities.about.user.first_name |
|
vulnerabilities.affected_code.file.creator.org.name |
extensions.vulns.vulnerabilities.about.user.company_name |
|
vulnerabilities.affected_code.file.creator.uid |
extensions.vulns.vulnerabilities.about.user.userid |
|
vulnerabilities.affected_code.file.mime_type |
extensions.vulns.vulnerabilities.about.file.mime_type |
|
vulnerabilities.affected_code.file.modified_time |
extensions.vulns.vulnerabilities.about.file.last_modification_time |
|
vulnerabilities.affected_code.file.name |
extensions.vulns.vulnerabilities.about.file.names |
|
vulnerabilities.affected_code.file.path |
extensions.vulns.vulnerabilities.about.file.full_path |
|
vulnerabilities.affected_code.file.signature.algorithm |
extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.algorithm |
|
vulnerabilities.affected_code.file.signature.certificate.issuer |
extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.cert_issuer |
|
vulnerabilities.affected_code.file.signature.certificate.serial_number |
extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.serial_number |
|
vulnerabilities.affected_code.file.size |
extensions.vulns.vulnerabilities.about.file.size |
|
vulnerabilities.cve.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
vulnerabilities.cve.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
vulnerabilities.cve.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
vulnerabilities.cve.modified_time |
additional.fields [vuln_cve_modified_time] |
|
vulnerabilities.cve.product.name |
extensions.vulns.vulnerabilities.about.application |
|
vulnerabilities.cve.product.uid |
extensions.vulns.vulnerabilities.about.asset_id |
|
vulnerabilities.cve.type |
extensions.vulns.vulnerabilities.description |
%{vulnerabilities.cve.type} - %{vulnerabilities.desc} log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
vulnerabilities.desc |
extensions.vulns.vulnerabilities.description |
%{vulnerabilities.cve.type} - %{vulnerabilities.desc} log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
vulnerabilities.cve.uid |
extensions.vulns.vulnerabilities.cve_id |
|
vulnerabilities.first_seen_time |
extensions.vulns.vulnerabilities.first_found |
|
vulnerabilities.kb_articles |
additional.fields [vuln_kb_articles] |
|
vulnerabilities.last_seen_time |
extensions.vulns.vulnerabilities.last_found |
|
vulnerabilities.packages.architecture |
additional.fields [vuln_packages_architecture] |
|
vulnerabilities.packages.epoch |
additional.fields [vuln_packages_epoch] |
|
vulnerabilities.packages.name |
additional.fields [vuln_packages_name] |
|
vulnerabilities.packages.release |
additional.fields [vuln_packages_release] |
|
vulnerabilities.packages.version |
additional.fields [vuln_packages_version] |
|
vulnerabilities.references |
additional.fields [vuln_references] |
|
vulnerabilities.related_vulnerabilities |
additional.fields [vuln_related_vulnerabilities] |
|
vulnerabilities.severity |
extensions.vulns.vulnerabilities.severity |
|
vulnerabilities.title |
extensions.vulns.vulnerabilities.name |
|
vulnerabilities.vendor_name |
extensions.vulns.vulnerabilities.vendor |
Field mapping reference: OCSF Incident Finding
The following table lists the log fields for the Incident Finding log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
activity_id |
metadata.event_type |
If class_name log field value is equal to Incident Finding then, the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED . |
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
api.response.code |
network.http.response_code |
|
api.response.error |
additional.fields[res_error] |
|
api.response.error_message |
additional.fields[res_error_message] |
|
api.response.message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name |
target.application |
|
assignee.account.name |
principal.resource.name |
|
assignee.account.type |
principal.resource.resource_subtype |
|
assignee.account.uid |
principal.resource.product_object_id |
|
assignee.domain |
principal.administrative_domain |
|
assignee.email_addr |
principal.user.email_addresses |
|
assignee.full_name |
principal.user.user_display_name |
|
assignee.groups.name |
principal.group.group_display_name |
|
assignee.groups.privileges |
principal.group.attribute.permissions.name |
|
assignee.groups.uid |
principal.user.group_identifiers |
|
assignee.ldap_person.created_time |
principal.user.attribute.creation_time |
|
assignee.ldap_person.deleted_time |
principal.user.attribute.labels[ldap_person_deleted_time] |
|
assignee.ldap_person.email_addrs |
principal.user.email_addresses |
|
assignee.ldap_person.location.city |
principal.location.city |
|
assignee.ldap_person.location.region |
principal.location.country_or_region |
|
assignee.name |
principal.user.userid |
|
assignee.org.name |
principal.user.company_name |
|
assignee.org.ou_name |
principal.user.department |
|
assignee.type_id |
principal.user.attribute.roles.name |
If the assignee.type_id log field value is not empty and if the assignee.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if assignee.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if assignee.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if assignee.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
assignee.uid |
principal.user.product_object_id |
|
attacks.sub_technique.name |
security_result.attack_details.technique.subtechnique_name |
|
attacks.sub_technique.uid |
security_result.attack_details.technique.subtechnique_id |
|
attacks.tactic.name |
security_result.attack_details.tactics.name |
|
attacks.tactic.uid |
security_result.attack_details.tactics.id |
|
attacks.technique.name |
security_result.attack_details.technique.name |
|
attacks.technique.uid |
security_result.attack_details.technique.id |
|
attacks.version |
security_result.attack_details.version |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
class_name |
metadata.log_type |
|
class_uid |
additional.fields[class_uid] |
|
cloud.org.name |
about.resource.name |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES . Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE . Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
confidence |
security_result.confidence |
If confidence log field value matches the regular expression pattern Low then, the security_result.confidence UDM field is set to LOW_CONFIDENCE . Else, if confidence log field value matches the regular expression pattern Medium then, the security_result.confidence UDM field is set to MEDIUM_CONFIDENCE . Else, if confidence log field value matches the regular expression pattern High then, the security_result.confidence UDM field is set to HIGH_CONFIDENCE . Else, the security_result.confidence UDM field is set to UNKNOWN_CONFIDENCE . |
confidence_id |
security_result.detection_fields[confidence_id] |
|
confidence_score |
security_result.confidence_details |
|
count |
security_result.detection_fields[count] |
|
desc |
security_result.description |
|
duration |
security_result.detection_fields[duration] |
|
end_time |
security_result.detection_fields[end_time] |
|
enrichments.name |
security_result.detection_fields[enrichments_name] |
|
enrichments.provider |
security_result.detection_fields[enrichments_provider] |
|
enrichments.type |
security_result.detection_fields[enrichments_type] |
|
enrichments.value |
security_result.detection_fields[enrichments_value] |
|
finding_info_list.analytic.desc |
security_result.detection_fields[finding_info_analytic_desc] |
|
finding_info_list.analytic.name |
security_result.analytics_metadata.analytic |
|
finding_info_list.analytic.related_analytics.category |
security_result.detection_fields[finding_info_analytic_related_analytics_category] |
|
finding_info_list.analytic.related_analytics.desc |
security_result.detection_fields[finding_info_analytic_related_analytics_desc] |
|
finding_info_list.analytic.related_analytics.name |
security_result.detection_fields[finding_info_analytic_related_analytics_name] |
|
finding_info_list.analytic.related_analytics.type |
security_result.detection_fields[finding_info_analytic_related_analytics_type] |
|
finding_info_list.analytic.related_analytics.type_id |
security_result.detection_fields[finding_info_analytic_related_analytics_type_id] |
|
finding_info_list.analytic.related_analytics.uid |
security_result.detection_fields[finding_info_analytic_related_analytics_uid] |
|
finding_info_list.analytic.type |
security_result.detection_fields[finding_info_analytic_type] |
|
finding_info_list.analytic.type_id |
security_result.detection_fields[finding_info_analytic_type_id] |
|
finding_info_list.attacks.sub_technique.name |
security_result.attack_details.technique.subtechnique_name |
|
finding_info_list.attacks.sub_technique.uid |
security_result.attack_details.technique.subtechnique_id |
|
finding_info_list.attacks.tactic.name |
security_result.attack_details.tactics.name |
|
finding_info_list.attacks.tactic.uid |
security_result.attack_details.tactics.id |
|
finding_info_list.attacks.technique.name |
security_result.attack_details.technique.name |
|
finding_info_list.attacks.technique.uid |
security_result.attack_details.technique.id |
|
finding_info_list.attacks.version |
security_result.attack_details.version |
|
finding_info_list.created_time |
security_result.detection_fields[finding_info_created_time] |
|
finding_info_list.data_sources |
security_result.detection_fields[finding_info_data_sources] |
|
finding_info_list.desc |
security_result.description |
If the desc log field value is empty then, finding_info_list.desc log field is mapped to the security_result.description UDM field. |
finding_info_list.first_seen_time |
security_result.first_discovered_time |
|
finding_info_list.last_seen_time |
security_result.detection_fields[finding_info_last_seen_time] |
|
finding_info_list.modified_time |
security_result.detection_fields[finding_info_modified_time] |
|
finding_info_list.product_uid |
principal.asset_id |
|
finding_info_list.related_events.product_uid |
security_result.detection_fields[finding_info_related_events_product_uid] |
|
finding_info_list.related_events.uid |
security_result.detection_fields[finding_info_related_events_uid] |
|
finding_info_list.src_url |
security_result.url_back_to_product |
|
finding_info_list.title |
security_result.summary |
|
finding_info_list.types |
security_result.detection_fields[finding_info_types] |
|
finding_info_list.uid |
security_result.detection_fields[finding_info_uid] |
|
impact |
security_result.detection_fields[impact] |
|
impact_id |
security_result.detection_fields[impact_id] |
|
impact_score |
security_result.detection_fields[impact_score] |
|
message |
metadata.description |
|
metadata.labels |
additional.fields[metadata_labels] |
|
metadata.log_name |
additional.fields[metadata_log_name] |
|
metadata.log_provider |
additional.fields[metadata_log_provider] |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.modified_time |
additional.fields[metadata_modified_time] |
|
metadata.original_time |
additional.fields[metadata_original_time] |
|
metadata.product.feature.name |
additional.fields[metadata_product_feature_name] |
|
metadata.product.feature.uid |
additional.fields[metadata_product_feature_uid] |
|
metadata.product.lang |
additional.fields[metadata_product_lang] |
|
metadata.product.name |
metadata.product_name |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
metadata.profiles |
additional.fields[metadata_profiles] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.uid |
metadata.product_log_id |
|
metadata.version |
additional.fields[metadata_version] |
|
observables.value |
observer.hostname |
Iterate through log field observables.type_id , then if observables.type_id log field value is equal to 1 and if observer.hostname log field value is empty then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 and if observer.user.userid log field value is empty then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 and if observer.url log field value is empty then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 and if observer.file.vhash log field value is empty then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 and if observer.resource.product_object_id log field value is empty then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
|
observables.value |
observer.mac |
|
observables.value |
observer.user.userid |
|
observables.value |
observer.user.email_addresses |
|
observables.value |
observer.url |
|
observables.value |
observer.file.names |
|
observables.value |
observer.file.vhash |
|
observables.value |
observer.process.file.names |
|
observables.value |
observer.resource.product_object_id |
|
priority |
security_result.priority_details |
|
raw_data |
additional.fields[raw_data] |
|
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL . Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW . Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM . Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH . Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL . Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY . |
start_time |
additional.fields[start_time] |
|
status |
security_result.detection_fields[status] |
|
status_code |
security_result.detection_fields[status_code] |
|
status_detail |
security_result.detection_fields[status_detail] |
|
status_id |
security_result.detection_fields[status_id] |
|
time |
metadata.event_timestamp |
|
type_name |
security_result.detection_fields[type_name] |
|
type_uid |
security_result.detection_fields[type_uid] |
|
verdict |
security_result.detection_fields[verdict] |
|
verdict_id |
security_result.detection_fields[verdict_id] |
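As an added illustration (not the Google SecOps parser's own code), the Python below applies the conditional rules from this table's Logic column to a constructed Incident Finding event: the severity_id, confidence and cloud.provider value mappings, the assignee.type_id role rule, the message / api.response.message fallback, and the ordered observables.type_id walk with its "only if still empty" guards (the same walk the Vulnerability Finding table documents). The field names and enum values come from the table; the sample event, the helper names and the "last value wins" behaviour for unguarded observables are assumptions.

```python
import re

# Value tables transcribed from the Logic column above; observables entries are
# (UDM field, fill only when that field is still empty).
SEVERITY_BY_ID = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}
ROLE_BY_TYPE_ID = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}
CLOUD_ENV_PATTERNS = [("AWS", "AMAZON_WEB_SERVICES"), ("MS Azure", "MICROSOFT_AZURE"),
                      ("GCP", "GOOGLE_CLOUD_PLATFORM")]
CONFIDENCE_PATTERNS = [("Low", "LOW_CONFIDENCE"), ("Medium", "MEDIUM_CONFIDENCE"),
                       ("High", "HIGH_CONFIDENCE")]
OBSERVABLE_TARGETS = {
    1: ("observer.hostname", True), 2: ("observer.ip", False),
    3: ("observer.mac", False), 4: ("observer.user.userid", True),
    5: ("observer.user.email_addresses", False), 6: ("observer.url", True),
    7: ("observer.file.names", False), 8: ("observer.file.vhash", True),
    9: ("observer.process.file.names", False),
    10: ("observer.resource.product_object_id", True),
}

def get_path(obj, dotted, default=None):
    """Read a dotted path such as 'api.response.message' from nested dicts."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def set_path(obj, dotted, value):
    """Write a dotted UDM path, creating intermediate dicts as needed."""
    keys = dotted.split(".")
    for key in keys[:-1]:
        obj = obj.setdefault(key, {})
    obj[keys[-1]] = value

def map_severity(severity_id):
    return SEVERITY_BY_ID.get(severity_id, "UNKNOWN_SEVERITY")

def map_confidence(confidence):
    for pattern, value in CONFIDENCE_PATTERNS:
        if confidence is not None and re.search(pattern, confidence):
            return value
    return "UNKNOWN_CONFIDENCE"

def map_cloud_environment(provider):
    # No else branch is documented, so an unmatched provider maps to nothing.
    for pattern, value in CLOUD_ENV_PATTERNS:
        if provider is not None and re.search(pattern, provider):
            return value
    return None

def map_role(type_id):
    # An empty type_id sets nothing; any value outside 0..3 becomes "Other".
    if type_id is None or type_id == "":
        return None
    return ROLE_BY_TYPE_ID.get(type_id, "Other")

def map_incident_finding(event):
    """Apply the documented Incident Finding rules to one OCSF event dict."""
    udm = {}
    if event.get("class_name") == "Incident Finding":
        set_path(udm, "metadata.event_type", "SCAN_UNCATEGORIZED")
    set_path(udm, "metadata.product_event_type",
             f"{event.get('activity_id')} - {event.get('activity_name')}")
    # message wins; api.response.message is only the fallback when message is empty.
    description = event.get("message") or get_path(event, "api.response.message")
    if description:
        set_path(udm, "metadata.description", description)
    set_path(udm, "security_result.severity", map_severity(event.get("severity_id")))
    set_path(udm, "security_result.confidence", map_confidence(event.get("confidence")))
    environment = map_cloud_environment(get_path(event, "cloud.provider"))
    if environment:
        set_path(udm, "about.resource.attribute.cloud.environment", environment)
    role = map_role(get_path(event, "assignee.type_id"))
    if role:
        set_path(udm, "principal.user.attribute.roles.name", role)
    # Walk observables in order. For the guarded type_ids (1, 4, 6, 8, 10) the first
    # value wins; the other rules have no guard, so the last value wins here (an
    # assumption: the page does not say whether repeated values are appended).
    for observable in event.get("observables", []):
        target = OBSERVABLE_TARGETS.get(observable.get("type_id"))
        if target is None:
            continue
        field, only_if_empty = target
        if only_if_empty and get_path(udm, field):
            continue
        set_path(udm, field, observable.get("value"))
    return udm

# Constructed sample event (not from the page) exercising the fallback and guard rules.
SAMPLE_INCIDENT_FINDING = {
    "activity_id": 1, "activity_name": "Create", "class_name": "Incident Finding",
    "severity_id": 4, "confidence": "High", "cloud": {"provider": "MS Azure"},
    "assignee": {"type_id": 2, "name": "analyst"},
    "api": {"response": {"message": "finding created"}},
    "observables": [
        {"type_id": 1, "value": "host-a"},
        {"type_id": 1, "value": "host-b"},  # ignored: hostname already filled
        {"type_id": 2, "value": "198.51.100.4"},
        {"type_id": 4, "value": "alice"},
    ],
}
```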
Field mapping reference: OCSF Vulnerability Finding
The following table lists the log fields for the Vulnerability Finding log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
activity_id |
metadata.event_type |
If class_name log field value is equal to Vulnerability Finding then, the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED . |
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
actor.process.cmd_line |
principal.process.command_line |
|
actor.process.file.accessed_time |
principal.process.file.last_seen_time |
|
actor.process.file.created_time |
principal.process.file.first_seen_time |
|
actor.process.file.mime_type |
principal.process.file.mime_type |
|
actor.process.file.modified_time |
principal.process.file.last_modification_time |
|
actor.process.file.name |
principal.process.file.names |
|
actor.process.file.path |
principal.process.file.full_path |
|
actor.process.file.signature.algorithm |
principal.process.file.signature_info.sigcheck.x509.algorithm |
|
actor.process.file.signature.certificate.issuer |
principal.process.file.signature_info.sigcheck.x509.cert_issuer |
|
actor.process.file.signature.certificate.serial_number |
principal.process.file.signature_info.sigcheck.x509.serial_number |
|
actor.process.file.size |
principal.process.file.size |
|
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
|
actor.process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
|
actor.process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
|
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
|
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
|
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
|
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
|
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
|
actor.process.parent_process.pid |
principal.process.parent_process.pid |
|
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
|
actor.process.pid |
principal.process.pid |
|
actor.process.uid |
principal.process.product_specific_process_id |
|
actor.process.user.domain |
principal.administrative_domain |
If actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
If actor.user.email_addr log field value is empty then, %{actor.process.user.email_addr} log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name |
principal.user.user_display_name |
If actor.user.full_name log field value is empty then, %{actor.process.user.full_name} log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name |
principal.group.group_display_name |
If actor.user.groups.name log field value is empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges |
principal.group.attribute.permissions.name |
If actor.user.groups.privileges log field value is empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
If actor.user.groups.uid log field value is empty then, %{actor.process.user.groups.uid} log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name |
principal.user.userid |
If actor.user.name log field value is empty then, %{actor.process.user.name} log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name |
principal.user.company_name |
If actor.user.org.name log field value is empty then, %{actor.process.user.org.name} log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
If actor.user.org.ou_name log field value is empty then, %{actor.process.user.org.ou_name} log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id |
principal.user.attribute.roles.name |
If actor.user.type_id log field value is empty and if type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.process.user.uid |
principal.user.product_object_id |
If actor.user.uid log field value is empty then, %{actor.process.user.uid} log field is mapped to the principal.user.product_object_id UDM field. |
actor.session.uid |
network.session_id |
|
actor.user.domain |
principal.administrative_domain |
|
actor.user.email_addr |
principal.user.email_addresses |
|
actor.user.groups.name |
principal.group.group_display_name |
|
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
|
actor.user.groups.uid |
principal.user.group_identifiers |
|
actor.user.name |
principal.user.userid |
|
actor.user.org.name |
principal.user.company_name |
|
actor.user.org.ou_name |
principal.user.department |
|
actor.user.type_id |
principal.user.attribute.roles.name |
If type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.user.uid |
principal.user.product_object_id |
|
api.response.code |
network.http.response_code |
|
api.response.error |
additional.fields[res_error] |
|
api.response.error_message |
additional.fields[res_error_message] |
|
api.response.message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name |
target.application |
|
category_name |
security_result.category_details |
|
category_uid |
security_result.category_details |
|
class_name |
metadata.log_type |
|
class_uid |
additional.fields[class_uid] |
|
cloud.org.name |
about.resource.name |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
|
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
confidence |
security_result.confidence |
|
confidence_id |
security_result.detection_fields[confidence_id] |
|
confidence_score |
security_result.confidence_details |
|
count |
security_result.detection_fields[count] |
|
device.created_time |
principal.asset.attribute.creation_time |
|
device.domain |
principal.asset.network_domain |
|
device.first_seen_time |
principal.asset.first_seen_time |
|
device.hostname |
principal.asset.hostname |
|
device.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
device.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
device.hw_info.cpu_speed |
principal.asset.hardware.cpu_clock_speed |
|
device.hw_info.cpu_type |
principal.asset.hardware.cpu_model |
|
device.hw_info.ram_size |
principal.asset.hardware.ram |
|
device.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
device.ip |
principal.asset.ip |
|
device.location.city |
principal.asset.location.city |
|
device.location.country |
principal.asset.location.country_or_region |
|
device.location.region |
principal.asset.location.name |
|
device.mac |
principal.asset.mac |
|
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.os.type_id |
principal.asset.platform_software.platform |
|
device.os.version |
principal.asset.platform_software.platform_version |
|
device.region |
principal.asset.location.name |
|
device.type_id |
principal.asset.type |
|
device.uid |
principal.asset.product_object_id |
|
duration |
security_result.detection_fields[duration] |
|
end_time |
security_result.detection_fields[end_time] |
|
enrichments.name |
security_result.detection_fields[enrichments_name] |
|
enrichments.provider |
security_result.detection_fields[enrichments_provider] |
|
enrichments.type |
security_result.detection_fields[enrichments_type] |
|
enrichments.value |
security_result.detection_fields[enrichments_value] |
|
finding_info.analytic.desc |
security_result.detection_fields[finding_info_analytic_desc] |
|
finding_info.analytic.name |
security_result.analytics_metadata.analytic |
|
finding_info.analytic.related_analytics.category |
security_result.detection_fields[finding_info_analytic_related_analytics_category] |
|
finding_info.analytic.related_analytics.desc |
security_result.detection_fields[finding_info_analytic_related_analytics_desc] |
|
finding_info.analytic.related_analytics.name |
security_result.detection_fields[finding_info_analytic_related_analytics_name] |
|
finding_info.analytic.related_analytics.type |
security_result.detection_fields[finding_info_analytic_related_analytics_type] |
|
finding_info.analytic.related_analytics.type_id |
security_result.detection_fields[finding_info_analytic_related_analytics_typeId] |
|
finding_info.analytic.related_analytics.uid |
security_result.detection_fields[finding_info_analytic_related_analytics_uid] |
|
finding_info.analytic.type |
security_result.detection_fields[finding_info_analytic_type] |
|
finding_info.analytic.type_id |
security_result.detection_fields[finding_info_analytic_typeId] |
|
finding_info.attacks.sub_technique.name |
security_result.attack_details.techniques.subtechnique_name |
|
finding_info.attacks.sub_technique.uid |
security_result.attack_details.techniques.subtechnique_id |
|
finding_info.attacks.tactic.name |
security_result.attack_details.tactics.name |
|
finding_info.attacks.tactic.uid |
security_result.attack_details.tactics.id |
|
finding_info.attacks.technique.name |
security_result.attack_details.techniques.name |
|
finding_info.attacks.technique.uid |
security_result.attack_details.techniques.id |
|
finding_info.attacks.version |
security_result.attack_details.version |
|
finding_info.created_time |
security_result.detection_fields[finding_info_created_time] |
|
finding_info.data_sources |
security_result.detection_fields[finding_info_data_sources] |
|
finding_info.desc |
security_result.description |
|
finding_info.first_seen_time |
security_result.first_discovered_time |
|
finding_info.last_seen_time |
security_result.detection_fields[finding_info_last_seen_time] |
|
finding_info.modified_time |
security_result.detection_fields[finding_info_modified_time] |
|
finding_info.product_uid |
principal.asset_id |
|
finding_info.related_events.product_uid |
security_result.detection_fields[finding_info_related_events_product_uid] |
|
finding_info.related_events.uid |
security_result.detection_fields[finding_info_related_events_uid] |
|
finding_info.src_url |
security_result.url_back_to_product |
|
finding_info.title |
security_result.summary |
|
finding_info.types |
security_result.detection_fields[finding_info_types] |
|
finding_info.uid |
security_result.detection_fields[finding_info_uid] |
|
message |
metadata.description |
|
metadata.labels |
additional.fields[metadata_labels] |
|
metadata.log_name |
additional.fields[metadata_log_name] |
|
metadata.log_provider |
additional.fields[metadata_log_provider] |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.modified_time |
additional.fields[metadata_modified_time] |
|
metadata.original_time |
additional.fields[metadata_original_time] |
|
metadata.product.feature.name |
additional.fields[metadata_product_feature_name] |
|
metadata.product.feature.uid |
additional.fields[metadata_product_feature_uid] |
|
metadata.product.lang |
additional.fields[metadata_product_lang] |
|
metadata.product.name |
metadata.product_name |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
metadata.profiles |
additional.fields[metadata_profiles] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.uid |
metadata.product_log_id |
|
metadata.version |
additional.fields[metadata_version] |
|
observables.value |
observer.ip |
Iterate through log field observables.type_id , then if observables.type_id log field value is equal to 1 and if observer.hostname log field value is empty then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 and if observer.user.userid log field value is empty then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 and if observer.url log field value is empty then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 and if observer.file.vhash log field value is empty then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 and if observer.resource.product_object_id log field value is empty then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.mac | |
observables.value | observer.user.userid | |
observables.value | observer.user.email_addresses | |
observables.value | observer.url | |
observables.value | observer.file.names | |
observables.value | observer.file.vhash | |
observables.value | observer.process.file.names | |
observables.value | observer.resource.product_object_id | |
raw_data | additional.fields[raw_data] | |
resource.group.name | target.group.group_display_name | |
resource.group.privileges | target.group.attribute.permissions.name | |
resource.group.uid | target.group.product_object_id | |
resource.name | target.resource.name | |
resource.region | target.location.country_or_region | |
resource.type | target.resource.resource_subtype | |
resource.uid | target.resource.product_object_id | |
severity | security_result.severity_details | |
severity_id | security_result.severity | |
start_time | additional.fields[start_time] | |
status | security_result.detection_fields[status] | |
status_code | security_result.detection_fields[status_code] | |
status_detail | security_result.detection_fields[status_detail] | |
status_id | security_result.detection_fields[status_id] | |
time | metadata.event_timestamp | |
type_name | security_result.detection_fields[type_name] | |
type_uid | security_result.detection_fields[type_uid] | |
vulnerabilities.affected_code.file.created_time | extensions.vulns.vulnerabilities.about.file.first_seen_time | |
vulnerabilities.affected_code.file.creator.email_addr | extensions.vulns.vulnerabilities.about.user.email_addresses | |
vulnerabilities.affected_code.file.creator.full_name | extensions.vulns.vulnerabilities.about.user.user_display_name | |
vulnerabilities.affected_code.file.creator.groups.uid | extensions.vulns.vulnerabilities.about.user.group_identifiers | |
vulnerabilities.affected_code.file.creator.name | extensions.vulns.vulnerabilities.about.user.first_name | |
vulnerabilities.affected_code.file.creator.org.name | extensions.vulns.vulnerabilities.about.user.company_name | |
vulnerabilities.affected_code.file.creator.uid | extensions.vulns.vulnerabilities.about.user.userid | |
vulnerabilities.affected_code.file.mime_type | extensions.vulns.vulnerabilities.about.file.mime_type | |
vulnerabilities.affected_code.file.modified_time | extensions.vulns.vulnerabilities.about.file.last_modification_time | |
vulnerabilities.affected_code.file.name | extensions.vulns.vulnerabilities.about.file.names | |
vulnerabilities.affected_code.file.path | extensions.vulns.vulnerabilities.about.file.full_path | |
vulnerabilities.affected_code.file.signature.algorithm | extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.algorithm | |
vulnerabilities.affected_code.file.signature.certificate.issuer | extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.cert_issuer | |
vulnerabilities.affected_code.file.signature.certificate.serial_number | extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.serial_number | |
vulnerabilities.affected_code.file.size | extensions.vulns.vulnerabilities.about.file.size | |
vulnerabilities.cve.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
vulnerabilities.cve.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
vulnerabilities.cve.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
vulnerabilities.cve.modified_time | additional.fields[vuln_cve_modified_time] | |
vulnerabilities.cve.product.name | extensions.vulns.vulnerabilities.about.application | |
vulnerabilities.cve.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
vulnerabilities.cve.type | extensions.vulns.vulnerabilities.description | %{vulnerabilities.cve.type} - %{vulnerabilities.desc} log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
vulnerabilities.desc | extensions.vulns.vulnerabilities.description | %{vulnerabilities.cve.type} - %{vulnerabilities.desc} log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
vulnerabilities.cve.uid | extensions.vulns.vulnerabilities.cve_id | |
vulnerabilities.first_seen_time | extensions.vulns.vulnerabilities.first_found | |
vulnerabilities.kb_articles | additional.fields[vuln_kb_articles] | |
vulnerabilities.last_seen_time | extensions.vulns.vulnerabilities.last_found | |
vulnerabilities.packages.architecture | additional.fields[vuln_packages_architecture] | |
vulnerabilities.packages.epoch | additional.fields[vuln_packages_epoch] | |
vulnerabilities.packages.name | additional.fields[vuln_packages_name] | |
vulnerabilities.packages.release | additional.fields[vuln_packages_release] | |
vulnerabilities.packages.version | additional.fields[vuln_packages_version] | |
vulnerabilities.references | additional.fields[vuln_references] | |
vulnerabilities.related_vulnerabilities | additional.fields[vuln_related_vulnerabilities] | |
vulnerabilities.remediation.desc | security_result.outcomes[vuln_remediation_desc] | |
vulnerabilities.remediation.kb_articles | security_result.outcomes[vuln_remediation_kb_articles] | |
vulnerabilities.severity | extensions.vulns.vulnerabilities.severity | |
vulnerabilities.title | extensions.vulns.vulnerabilities.name | |
vulnerabilities.vendor_name | extensions.vulns.vulnerabilities.vendor | |
Field mapping reference: OCSF Process Activity
The following table lists the log fields for the Process Activity log type and their corresponding UDM fields.
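The precedence rules in the Process Activity table below (actor.process before process, actor.user before actor.process.user, the different order used for full_name, the "only if the UDM field is empty" guards on the observables dispatch from the preceding table) are easiest to check against a concrete event. The following is an added reference implementation of a subset of those rules in Python; it is not the Google SecOps parser and is not taken from this page. Nested dicts stand in for the UDM proto, the helper names (`_get`, `_set`, `_first`, `map_process_activity`) are this example's own, which UDM fields are treated as repeated lists is an assumption, and the sample event is constructed for the example.

```python
"""Reference re-implementation of a subset of the OCSF -> UDM rules on this page:
the observables.type_id dispatch and the Process Activity precedence rules.
Added example, not the Google SecOps parser. Nested dicts stand in for the UDM
proto; which fields are kept as repeated lists is an assumption."""
import re
from typing import Any

def _get(obj: dict, path: str) -> Any:
    """Dotted-path lookup returning None for any missing key."""
    cur: Any = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def _set(udm: dict, path: str, value: Any, *, keep_existing: bool = False, repeated: bool = False) -> None:
    """Write one UDM field; keep_existing implements the table's 'if <UDM field> is empty' guards."""
    if value in (None, ""):
        return
    *parents, leaf = path.split(".")
    cur = udm
    for key in parents:
        cur = cur.setdefault(key, {})
    if repeated:
        cur.setdefault(leaf, []).append(value)
    elif not (keep_existing and cur.get(leaf)):
        cur[leaf] = value

def _first(event: dict, *paths: str) -> Any:
    """The 'If X is not empty ... Else, if Y is not empty' chains: first populated path wins."""
    for p in paths:
        v = _get(event, p)
        if v not in (None, ""):
            return v
    return None

# observables.type_id -> (observer UDM field, only set if empty, repeated list)
OBSERVABLE_RULES = {
    1: ("observer.hostname", True, False), 2: ("observer.ip", False, True),
    3: ("observer.mac", False, True), 4: ("observer.user.userid", True, False),
    5: ("observer.user.email_addresses", False, True), 6: ("observer.url", True, False),
    7: ("observer.file.names", False, True), 8: ("observer.file.vhash", True, False),
    9: ("observer.process.file.names", False, True), 10: ("observer.resource.product_object_id", True, False),
}
ACTIVITY_EVENT_TYPE = {1: "PROCESS_LAUNCH", 2: "PROCESS_TERMINATION", 3: "PROCESS_OPEN", 4: "PROCESS_INJECTION"}
USER_ROLE = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}
CLOUD_ENV = (("AWS", "AMAZON_WEB_SERVICES"), ("MS Azure", "MICROSOFT_AZURE"), ("GCP", "GOOGLE_CLOUD_PLATFORM"))
# principal.user precedence from the table; full_name uses a different order than the other fields
USER_ORDER = ("actor.user", "actor.process.user", "process.user", "process.parent_process.user")
FULL_NAME_ORDER = ("actor.process.user", "actor.user", "process.parent_process.user", "process.user")

def map_observables(event: dict, udm: dict) -> dict:
    """Iterate observables; guarded fields keep their first value, repeated ones accumulate."""
    for obs in event.get("observables", []):
        rule = OBSERVABLE_RULES.get(obs.get("type_id"))
        if rule:
            field, keep, rep = rule
            _set(udm, field, obs.get("value"), keep_existing=keep, repeated=rep)
    return udm

def map_process_activity(event: dict) -> dict:
    udm: dict = {}
    if event.get("class_name") == "Process Activity":
        _set(udm, "metadata.event_type", ACTIVITY_EVENT_TYPE.get(event.get("activity_id"), "PROCESS_UNCATEGORIZED"))
    if event.get("activity_id") is not None:
        _set(udm, "metadata.product_event_type", f"{event['activity_id']} - {event.get('activity_name')}")
    # actor.process beats top-level process for every principal.process field, parent included
    for src, dst in (("cmd_line", "command_line"), ("pid", "pid"), ("uid", "product_specific_process_id"), ("file.path", "file.full_path")):
        _set(udm, f"principal.process.{dst}", _first(event, f"actor.process.{src}", f"process.{src}"))
        _set(udm, f"principal.process.parent_process.{dst}", _first(event, f"actor.process.parent_process.{src}", f"process.parent_process.{src}"))
    _set(udm, "principal.user.userid", _first(event, *(f"{p}.name" for p in USER_ORDER)))
    _set(udm, "principal.administrative_domain", _first(event, *(f"{p}.domain" for p in USER_ORDER)))
    _set(udm, "principal.user.user_display_name", _first(event, *(f"{p}.full_name" for p in FULL_NAME_ORDER)))
    type_id = _first(event, "actor.user.type_id", "actor.process.user.type_id")
    if type_id is not None:
        _set(udm, "principal.user.attribute.roles.name", USER_ROLE.get(type_id, "Other"))
    provider = _get(event, "cloud.provider") or ""
    for pattern, env in CLOUD_ENV:  # regex match, as the table states
        if re.search(pattern, provider):
            _set(udm, "about.resource.attribute.cloud.environment", env)
            break
    _set(udm, "principal.asset.hostname", _get(event, "device.hostname"))
    if not _get(event, "device.region"):  # device.location.region only fills in when device.region is empty
        _set(udm, "principal.asset.location.name", _get(event, "device.location.region"))
    for key in ("status", "status_code", "status_detail", "status_id", "type_name", "type_uid"):
        if event.get(key) not in (None, ""):
            udm.setdefault("security_result", {}).setdefault("detection_fields", []).append({"key": key, "value": str(event[key])})
    return map_observables(event, udm)

SAMPLE_EVENT = {  # constructed OCSF Process Activity event for this example; not from the page
    "class_name": "Process Activity", "activity_id": 1, "activity_name": "Launch",
    "actor": {
        "process": {"cmd_line": "cmd.exe /c whoami", "pid": 4321, "uid": "p-4321",
                    "file": {"path": "C:\\Windows\\System32\\cmd.exe"},
                    "parent_process": {"pid": 1234, "cmd_line": "explorer.exe"},
                    "user": {"name": "svc_build", "full_name": "Build Service", "type_id": 1}},
        "user": {"name": "alice", "domain": "CORP", "full_name": "Alice Liddell", "type_id": 2},
    },
    "process": {"cmd_line": "ignored.exe", "user": {"name": "ignored"}},
    "cloud": {"provider": "AWS"},
    "device": {"hostname": "build-01", "location": {"region": "us-east-1"}},
    "status": "Success", "status_id": 1,
    "observables": [{"type_id": 1, "value": "sensor-7"}, {"type_id": 1, "value": "sensor-8"},
                    {"type_id": 2, "value": "198.51.100.9"}, {"type_id": 7, "value": "cmd.exe"}],
}
```

Running `map_process_activity(SAMPLE_EVENT)` shows the points the table's prose makes only implicitly: `principal.user.userid` becomes `alice` while `principal.user.user_display_name` becomes `Build Service`, because the full_name chain consults actor.process.user first; `principal.user.attribute.roles.name` is `Admin` (actor.user.type_id wins over actor.process.user.type_id); the top-level `process` object is never consulted while `actor.process` is populated; and the second hostname observable is discarded because observer.hostname is already set, whereas the ip and file-name observables accumulate. Write a detection rule against the resolved field, not the OCSF path you happen to see in the raw event.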
Log field | UDM mapping | Logic |
---|---|---|
activity_id | metadata.event_type | If the class_name log field value is equal to Process Activity and if the activity_id log field value is equal to 1 then, the metadata.event_type UDM field is set to PROCESS_LAUNCH . Else, if the activity_id log field value is equal to 2 then, the metadata.event_type UDM field is set to PROCESS_TERMINATION . Else, if the activity_id log field value is equal to 3 then, the metadata.event_type UDM field is set to PROCESS_OPEN . Else, if the activity_id log field value is equal to 4 then, the metadata.event_type UDM field is set to PROCESS_INJECTION . Else, the metadata.event_type UDM field is set to PROCESS_UNCATEGORIZED . |
activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
actor.process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
actor.process.file.accessed_time | principal.process.file.last_seen_time | If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
actor.process.file.created_time | principal.process.file.first_seen_time | If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
actor.process.file.mime_type | principal.process.file.mime_type | If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
actor.process.file.modified_time | principal.process.file.last_modification_time | If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
actor.process.file.name | principal.process.file.names | If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
actor.process.file.path | principal.process.file.full_path | If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
actor.process.file.size | principal.process.file.size | If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if process.parent_process.file.created_time log field value is not empty then, process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if process.parent_process.file.mime_type log field value is not empty then, process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if process.parent_process.file.modified_time log field value is not empty then, process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
actor.process.parent_process.file.name | principal.process.parent_process.file.names | If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if process.parent_process.file.name log field value is not empty then, process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if process.parent_process.file.path log field value is not empty then, process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
actor.process.parent_process.file.size | principal.process.parent_process.file.size | If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if process.parent_process.file.size log field value is not empty then, process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
actor.process.parent_process.pid | principal.process.parent_process.pid | If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if process.parent_process.pid log field value is not empty then, process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if process.parent_process.uid log field value is not empty then, process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
actor.process.pid | principal.process.pid | If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if process.pid log field value is not empty then, process.pid log field is mapped to the principal.process.pid UDM field. |
actor.process.uid | principal.process.product_specific_process_id | If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if process.uid log field value is not empty then, process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
actor.process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name | principal.user.user_display_name | If the actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name | principal.user.userid | If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is empty and if the actor.process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.process.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.domain | principal.administrative_domain | If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.full_name | principal.user.user_display_name | If the actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.name | principal.user.userid | If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
api.response.code | network.http.response_code | |
api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name | target.application | |
attacks.tactics.name | security_result.attack_details.tactics.name | |
attacks.tactics.uid | security_result.attack_details.tactics.id | |
attacks.technique.name | security_result.attack_details.technique.name | |
attacks.technique.uid | security_result.attack_details.technique.id | |
attacks.version | security_result.attack_details.version | |
category_name | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
class_name | metadata.log_type | |
cloud.org.uid | about.resource.product_object_id | |
cloud.project_uid | principal.resource.product_object_id | |
cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES . Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE . Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
cloud.region | about.location.name | |
cloud.zone | about.resource.attribute.cloud.availability_zone | |
device.created_time | principal.asset.attribute.creation_time | |
device.domain | principal.asset.network_domain | |
device.first_seen_time | principal.asset.first_seen_time | |
device.hostname | principal.asset.hostname | |
device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
device.hw_info.ram_size | principal.asset.hardware.ram | |
device.hw_info.serial_number | principal.asset.hardware.serial_number | |
device.ip | principal.asset.ip | |
device.location.city | principal.asset.location.city | |
device.location.coordinates | principal.asset.location.region_coordinates.longitude/latitude | |
device.location.country | principal.asset.location.country_or_region | |
device.location.region | principal.asset.location.name | If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
device.mac | principal.asset.mac | |
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.os.type_id |
principal.asset.platform_software.platform |
If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS . Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX . Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID . Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC . Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS . Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM . |
device.os.version |
principal.asset.platform_software.platform_version |
|
device.region |
principal.asset.location.name |
|
device.type_id |
principal.asset.type |
|
device.uid |
principal.asset.product_object_id |
|
disposition |
security_result.action_details |
|
disposition_id |
security_result.action |
If the class_name log field value is equal to Process Activity and if the disposition_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW . Else, if disposition_id log field value is equal to 2 then, the security_result.action UDM field is set to BLOCK . Else, if disposition_id log field value is equal to 3 then, the security_result.action UDM field is set to QUARANTINE . |
malware.cves.created_time |
extensions.vulns.vulnerabilities.first_found |
|
malware.cves.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
malware.cves.cvss.severity |
extensions.vulns.vulnerabilities.severity |
If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW . Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM . Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH . Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL . Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY . |
malware.cves.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
malware.cves.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
malware.cves.product.name |
extensions.vulns.vulnerabilities.about.application' |
|
malware.cves.product.uid |
extensions.vulns.vulnerabilities.about.asset_id |
|
malware.cves.product.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
malware.cves.type |
extensions.vulns.vulnerabilities.name |
|
malware.cves.uid |
extensions.vulns.vulnerabilities.cve_id |
|
malware.name |
security_result.threat_name |
|
malware.uid |
security_result.threat_id |
|
message |
metadata.description |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.product.name |
metadata.product_name |
|
metadata.uid |
metadata.product_log_id |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
module.file.accessed_time |
target.process.file.last_seen_time |
|
module.file.created_time |
target.process.file.first_seen_time |
|
module.file.mime_type |
target.process.file.mime_type |
|
module.file.modified_time |
target.process.file.last_modification_time |
|
module.file.name |
target.process.file.names |
|
module.file.path |
target.process.file.full_path |
|
module.file.signature.certificate.issuer |
target.process.file.signature_info.x509.cert_issuer |
|
module.file.signature.certificate.serial_number |
target.process.file.signature_info.x509.serial_number |
|
module.file.signature.developer_uid |
target.process.file.signature_info.sigcheck.signers.name |
|
module.file.size |
target.process.file.size |
|
observables.value |
observer.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
process.cmd_line |
principal.process.command_line |
If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
process.file.accessed_time |
principal.process.file.last_seen_time |
If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
process.file.created_time |
principal.process.file.first_seen_time |
If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
process.file.mime_type |
principal.process.file.mime_type |
If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
process.file.modified_time |
principal.process.file.last_modification_time |
If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
process.file.name |
principal.process.file.names |
If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
process.file.path |
principal.process.file.full_path |
If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
process.file.size |
principal.process.file.size |
If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
process.parent_process.cmd_line |
principal.process.parent_process.command_line |
If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if process.parent_process.file.created_time log field value is not empty then, process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if process.parent_process.file.mime_type log field value is not empty then, process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if process.parent_process.file.modified_time log field value is not empty then, process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
process.parent_process.file.name |
principal.process.parent_process.file.names |
If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if process.parent_process.file.name log field value is not empty then, process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
process.parent_process.file.path |
principal.process.parent_process.file.full_path |
If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if process.parent_process.file.path log field value is not empty then, process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
process.parent_process.file.size |
principal.process.parent_process.file.size |
If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if process.parent_process.file.size log field value is not empty then, process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
process.parent_process.pid |
principal.process.parent_process.pid |
If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if process.parent_process.pid log field value is not empty then, process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if process.parent_process.uid log field value is not empty then, process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
process.parent_process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
process.parent_process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
process.parent_process.user.full_name |
principal.user.user_display_name |
If the actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
process.parent_process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
process.parent_process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
process.parent_process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
process.parent_process.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
process.parent_process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
process.parent_process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
process.parent_process.user.type_id |
principal.user.attribute.roles.name |
If the process.user.type_id log field value is empty and if the process.parent_process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.parent_process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.parent_process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.parent_process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
process.parent_process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
process.pid |
principal.process.pid |
If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if process.pid log field value is not empty then, process.pid log field is mapped to the principal.process.pid UDM field. |
process.uid |
principal.process.product_specific_process_id |
If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if process.uid log field value is not empty then, process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
process.user.full_name |
principal.user.user_display_name |
If the actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
process.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
process.user.type_id |
principal.user.attribute.roles.name |
If the actor.process.user.type_id log field value is empty and if the process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
requested_permissions |
principal.process.access_mask |
|
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
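The precedence chain repeated in the principal rows above (actor.user, then actor.process.user, then process.user, then process.parent_process.user, with the separate order documented for user_display_name and the shorter actor.process / process chain for principal.process.*), the type_id to roles.name table, and the severity_id table can be checked end to end with the Python resolver below. It is an added example, not the Google SecOps parser or any of its code; the sample event is constructed for this example, and collapsing the per-row type_id conditions into the same fallback chain is an assumption about the rows as written, not something the page states.

```python
# Added example, not code from the Google SecOps OCSF parser: a small
# resolver that applies the precedence rules documented in this table so
# you can predict which UDM value an OCSF event will produce before you
# write a detection rule against principal.user.* or security_result.severity.
import json
from typing import Any, Optional

# Precedence documented for principal.administrative_domain and most principal.user.* fields.
USER_CHAIN = ("actor.user", "actor.process.user", "process.user", "process.parent_process.user")
# principal.user.user_display_name is documented with a different order.
FULL_NAME_CHAIN = ("actor.process.user", "actor.user", "process.parent_process.user", "process.user")
# principal.process.* only falls back from actor.process to process.
PROCESS_CHAIN = ("actor.process", "process")

# Scalar leaves under each user object and the UDM field they land in.
USER_LEAVES = {
    "principal.administrative_domain": "domain",
    "principal.user.userid": "name",
    "principal.user.product_object_id": "uid",
    "principal.user.email_addresses": "email_addr",
    "principal.user.company_name": "org.name",
    "principal.user.department": "org.ou_name",
}
PROCESS_LEAVES = {
    "principal.process.pid": "pid",
    "principal.process.product_specific_process_id": "uid",
}
SEVERITY = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}
ROLE = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}


def get_path(event: dict, dotted: str) -> Any:
    """Walk a dotted OCSF path; returns None when any segment is missing."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_empty(value: Any) -> bool:
    # "Not empty" in the table means present and not an empty string/list/object.
    # Placeholders such as "-" or "NULL SID" (see the sample log) are NOT empty.
    return value is None or value == "" or value == [] or value == {}


def first_non_empty(event: dict, chain: tuple, leaf: str) -> Optional[Any]:
    """Return the first non-empty value of <prefix>.<leaf> along the chain."""
    for prefix in chain:
        value = get_path(event, f"{prefix}.{leaf}")
        if not is_empty(value):
            return value
    return None


def resolve_principal(event: dict) -> dict:
    """Build the subset of UDM fields covered by this table's precedence rules."""
    udm = {}
    for udm_field, leaf in USER_LEAVES.items():
        value = first_non_empty(event, USER_CHAIN, leaf)
        if value is not None:
            udm[udm_field] = value
    full_name = first_non_empty(event, FULL_NAME_CHAIN, "full_name")
    if full_name is not None:
        udm["principal.user.user_display_name"] = full_name
    for udm_field, leaf in PROCESS_LEAVES.items():
        value = first_non_empty(event, PROCESS_CHAIN, leaf)
        if value is not None:
            udm[udm_field] = value
    # Assumption: the per-row type_id conditions collapse to the same chain;
    # a type_id outside 0..3 maps to "Other" as the table documents.
    type_id = first_non_empty(event, USER_CHAIN, "type_id")
    if type_id is not None:
        udm["principal.user.attribute.roles.name"] = ROLE.get(type_id, "Other")
    udm["security_result.severity"] = SEVERITY.get(event.get("severity_id"), "UNKNOWN_SEVERITY")
    return udm


# Constructed sample event for this example (not a real OCSF record): actor.user
# carries no name or email, so those must fall through to actor.process.user,
# while org.* is only present on process.user, two levels down the chain.
SAMPLE_EVENT = json.loads("""
{
  "class_uid": 3002, "severity_id": 4,
  "actor": {
    "user": {"domain": "CORP", "uid": "S-1-5-21-1-2-3-1104", "type_id": 2},
    "process": {
      "pid": 4212, "uid": "0x1a2b",
      "user": {"name": "svc_backup", "full_name": "Backup Service",
               "email_addr": "backup@corp.example", "type_id": 1}
    }
  },
  "process": {
    "pid": 9999,
    "user": {"name": "ignored", "org": {"name": "Corp Inc", "ou_name": "IT Ops"}}
  }
}
""")

if __name__ == "__main__":
    print(json.dumps(resolve_principal(SAMPLE_EVENT), indent=2))
```

Note the is_empty check: the parser's "not empty" test is on presence, not on meaning, so the failed-logon sample at the top of this page, whose actor.user carries "-" and "NULL SID", keeps those literal values as principal.user.userid and principal.user.product_object_id rather than falling through to actor.process.user. Rules that key on principal.user.userid should account for those placeholders.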
time |
metadata.event_timestamp |
|
vulnerabilities.cve.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
vulnerabilities.cve.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
vulnerabilities.cve.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
vulnerabilities.cve.modified_time |
extensions.vulns.vulnerabilities.about.labels [vuln_cve_modified_time] |
|
vulnerabilities.kb_articles |
extensions.vulns.vulnerabilities.about.labels [vuln_kb_articles] |
|
vulnerabilities.packages.architecture |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_architecture] |
|
vulnerabilities.packages.epoch |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_epoch] |
|
vulnerabilities.packages.name |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_name] |
|
vulnerabilities.packages.release |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_release] |
|
vulnerabilities.packages.version |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_version] |
|
vulnerabilities.references |
extensions.vulns.vulnerabilities.about.labels [vuln_references] |
|
vulnerabilities.related_vulnerabilities |
extensions.vulns.vulnerabilities.about.labels [vuln_related_vulnerabilities] |
|
vulnerabilities.cve.modified_time |
additional.fields [vuln_cve_modified_time] |
|
vulnerabilities.kb_articles |
additional.fields [vuln_kb_articles] |
|
vulnerabilities.packages.architecture |
additional.fields [vuln_packages_architecture] |
|
vulnerabilities.packages.epoch |
additional.fields [vuln_packages_epoch] |
|
vulnerabilities.packages.name |
additional.fields [vuln_packages_name] |
|
vulnerabilities.packages.release |
additional.fields [vuln_packages_release] |
|
vulnerabilities.packages.version |
additional.fields [vuln_packages_version] |
|
vulnerabilities.references |
additional.fields [vuln_references] |
|
vulnerabilities.related_vulnerabilities |
additional.fields [vuln_related_vulnerabilities] |
|
vulnerabilities.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
status |
security_result.detection_fields [status] |
|
type_name |
security_result.detection_fields [type_name] |
|
type_uid |
security_result.detection_fields [type_uid] |
|
status_id |
security_result.detection_fields [status_id] |
|
actor.session.uid |
network.session_id |
If the actor.session.uid log field value is not equal to then, actor.session.uid log field is mapped to the network.session_id UDM field. Else, if process.session.uid log field value is not equal to then, process.session.uid log field is mapped to the network.session_id UDM field. |
actor.user.account_type |
principal.user.attribute.labels[actor_user_account_type] |
|
actor.user.account_type_id |
principal.user.attribute.labels[actor_user_account_type_id] |
|
device.os.name |
principal.asset.attribute.labels[device_os_name] |
|
device.os.type |
principal.asset.attribute.labels[device_os_type] |
|
device.type |
principal.asset.attribute.labels[device_type] |
|
actor.process.file.parent_folder |
principal.labels[actor_process_file_parent_folder] |
|
actor.process.file.type |
principal.labels[actor_process_file_type] |
|
actor.process.file.type_id |
principal.labels[actor_process_file_type_id] |
|
metadata.original_time |
about.labels[metadata_original_time] |
|
metadata.product.feature.name |
about.labels [metadata_product_feature_name] |
|
metadata.profiles |
about.labels [metadata_profiles] |
|
metadata.uid |
about.labels [metadata_uid] |
|
metadata.version |
about.labels [metadata_version] |
|
process.file.parent_folder |
principal.labels[process_file_parent_folder] |
|
process.file.type |
principal.labels[process_file_type] |
|
process.file.type_id |
principal.labels[process_file_type_id] |
|
exit_code |
about.labels [exit_code] |
|
class_uid |
about.labels [class_uid] |
|
actor.process.file.parent_folder |
additional.fields [actor_process_file_parent_folder] |
|
actor.process.file.type |
additional.fields [actor_process_file_type] |
|
actor.process.file.type_id |
additional.fields [actor_process_file_type_id] |
|
metadata.original_time |
additional.fields [metadata_original_time] |
|
metadata.product.feature.name |
additional.fields [metadata_product_feature_name] |
|
metadata.profiles |
additional.fields [metadata_profiles] |
|
metadata.uid |
additional.fields [metadata_uid] |
|
metadata.version |
additional.fields [metadata_version] |
|
process.file.parent_folder |
additional.fields [process_file_parent_folder] |
|
process.file.type |
additional.fields [process_file_type] |
|
process.file.type_id |
additional.fields [process_file_type_id] |
|
exit_code |
additional.fields [exit_code] |
|
class_uid |
additional.fields [class_uid] |
|
process.session.uid |
network.session_id |
If the actor.session.uid log field value is not equal to then, actor.session.uid log field is mapped to the network.session_id UDM field. Else, if process.session.uid log field value is not equal to then, process.session.uid log field is mapped to the network.session_id UDM field. |
actor.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if actor.process.user.ldap_person.cost_center log field value is not empty then, actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.process.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if actor.process.user.ldap_person.cost_center log field value is not empty then, actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if actor.process.user.ldap_person.created_time log field value is not empty then, actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.process.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if actor.process.user.ldap_person.created_time log field value is not empty then, actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if actor.process.user.ldap_person.deleted_time log field value is not empty then, actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.process.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if actor.process.user.ldap_person.deleted_time log field value is not empty then, actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.ldap_person.email_addrs log field value is not empty then, actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.ldap_person.email_addrs log field value is not empty then, actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.ldap_person.employee_uid |
principal.user.employee_uid |
If the actor.user.ldap_person.employee_uid log field value is not empty then, actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. Else, if actor.process.user.ldap_person.employee_uid log field value is not empty then, actor.process.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
actor.process.user.ldap_person.employee_uid |
principal.user.employee_uid |
If the actor.user.ldap_person.employee_uid log field value is not empty then, actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. Else, if actor.process.user.ldap_person.employee_uid log field value is not empty then, actor.process.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
actor.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if actor.process.user.ldap_person.location log field value is not empty then, actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
actor.process.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if actor.process.user.ldap_person.location log field value is not empty then, actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
actor.user.ldap_person.given_name |
principal.user.first_name |
If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if actor.process.user.ldap_person.given_name log field value is not empty then, actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.process.user.ldap_person.given_name |
principal.user.first_name |
If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if actor.process.user.ldap_person.given_name log field value is not empty then, actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.user.ldap_person.hire_time |
principal.user.hire_date |
If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if actor.process.user.ldap_person.hire_time log field value is not empty then, actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.process.user.ldap_person.hire_time |
principal.user.hire_date |
If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if actor.process.user.ldap_person.hire_time log field value is not empty then, actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.user.ldap_person.job_title |
principal.user.title |
If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if actor.process.user.ldap_person.job_title log field value is not empty then, actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.process.user.ldap_person.job_title |
principal.user.title |
If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if actor.process.user.ldap_person.job_title log field value is not empty then, actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if actor.process.user.ldap_person.ldap_cn log field value is not empty then, actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.process.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if actor.process.user.ldap_person.ldap_cn log field value is not empty then, actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if actor.process.user.ldap_person.ldap_dn log field value is not empty then, actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.process.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if actor.process.user.ldap_person.ldap_dn log field value is not empty then, actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if actor.process.user.ldap_person.labels log field value is not empty then, actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
actor.process.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if actor.process.user.ldap_person.labels log field value is not empty then, actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
actor.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if actor.process.user.ldap_person.last_login_time log field value is not empty then, actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.process.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if actor.process.user.ldap_person.last_login_time log field value then, actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if actor.process.user.ldap_person.leave_time log field value then, actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.process.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if actor.process.user.ldap_person.leave_time log field value then, actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.modified_time log field value is not empty then, actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if actor.process.user.ldap_person.modified_time log field value then, actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.process.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.modified_time log field value is not empty then, actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if actor.process.user.ldap_person.modified_time log field value then, actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.office_location |
principal.user.office_address.name |
If the actor.user.ldap_person.office_location log field value is not empty then, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if actor.process.user.ldap_person.office_location log field value then, actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.process.user.ldap_person.office_location |
principal.user.office_address.name |
If the actor.user.ldap_person.office_location log field value is not empty then, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if actor.process.user.ldap_person.office_location log field value then, actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.user.ldap_person.surname |
principal.user.last_name |
If the actor.user.ldap_person.surname log field value is not empty then, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if actor.process.user.ldap_person.surname log field value then, actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
actor.process.user.ldap_person.surname |
principal.user.last_name |
If the actor.user.ldap_person.surname log field value is not empty then, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if actor.process.user.ldap_person.surname log field value then, actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
actor.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.process.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.process.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.process.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the actor.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. Else, if the actor.process.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. |
actor.process.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the actor.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. Else, if the actor.process.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. |
actor.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the actor.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. Else, if the actor.process.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. |
actor.process.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the actor.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. Else, if the actor.process.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. |
actor.user.ldap_person.manager.location |
principal.user.managers.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
actor.process.user.ldap_person.manager.location |
principal.user.managers.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
actor.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the actor.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.given_name log field to the principal.user.managers.first_name UDM field. Else, if the actor.process.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.given_name log field to the principal.user.managers.first_name UDM field. |
actor.process.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the actor.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.given_name log field to the principal.user.managers.first_name UDM field. Else, if the actor.process.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.given_name log field to the principal.user.managers.first_name UDM field. |
actor.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the actor.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.hire_time log field to the principal.user.managers.hire_date UDM field. Else, if the actor.process.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.hire_time log field to the principal.user.managers.hire_date UDM field. |
actor.process.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the actor.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.hire_time log field to the principal.user.managers.hire_date UDM field. Else, if the actor.process.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.hire_time log field to the principal.user.managers.hire_date UDM field. |
actor.user.ldap_person.manager.job_title |
principal.user.managers.title |
If the actor.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.job_title log field to the principal.user.managers.title UDM field. Else, if the actor.process.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.job_title log field to the principal.user.managers.title UDM field. |
actor.process.user.ldap_person.manager.job_title |
principal.user.managers.title |
If the actor.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.job_title log field to the principal.user.managers.title UDM field. Else, if the actor.process.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.job_title log field to the principal.user.managers.title UDM field. |
actor.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.ldap_cn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.ldap_cn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.process.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.ldap_cn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.ldap_cn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.ldap_dn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.ldap_dn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.process.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.ldap_dn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.ldap_dn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.labels log field to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.labels log field to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
actor.process.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.labels log field to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.labels log field to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
actor.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the actor.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.last_login_time log field to the principal.user.managers.last_login_time UDM field. Else, if the actor.process.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.last_login_time log field to the principal.user.managers.last_login_time UDM field. |
actor.process.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the actor.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.last_login_time log field to the principal.user.managers.last_login_time UDM field. Else, if the actor.process.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.last_login_time log field to the principal.user.managers.last_login_time UDM field. |
actor.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.leave_time log field to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.leave_time log field to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.process.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.leave_time log field to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.leave_time log field to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.modified_time log field to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.modified_time log field to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.process.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.modified_time log field to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.modified_time log field to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the actor.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.office_location log field to the principal.user.managers.office_address.name UDM field. Else, if the actor.process.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.office_location log field to the principal.user.managers.office_address.name UDM field. |
actor.process.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the actor.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.office_location log field to the principal.user.managers.office_address.name UDM field. Else, if the actor.process.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.office_location log field to the principal.user.managers.office_address.name UDM field. |
actor.user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the actor.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.surname log field to the principal.user.managers.last_name UDM field. Else, if the actor.process.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.surname log field to the principal.user.managers.last_name UDM field. |
actor.process.user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the actor.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.surname log field to the principal.user.managers.last_name UDM field. Else, if the actor.process.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.surname log field to the principal.user.managers.last_name UDM field. |
actor.user.groups.domain |
principal.user.group_identifiers |
If the actor.user.ldap_person.groups.domain log field value is not empty, then iterate through the actor.user.ldap_person.groups log field and map the actor.user.groups.domain log field to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.ldap_person.groups.domain log field value is not empty, then iterate through the actor.user.ldap_person.groups log field and map the actor.process.user.groups.domain log field to the principal.user.group_identifiers UDM field. |
actor.process.user.groups.domain |
principal.user.group_identifiers |
If the actor.user.ldap_person.groups.domain log field value is not empty, then iterate through the actor.user.ldap_person.groups log field and map the actor.user.groups.domain log field to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.ldap_person.groups.domain log field value is not empty, then iterate through the actor.user.ldap_person.groups log field and map the actor.process.user.groups.domain log field to the principal.user.group_identifiers UDM field. |
additional.fields[actor.session.uid_alt] |
additional.fields[actor_session_uid_alt] |
|
additional.fields[actor.session.count] |
additional.fields[actor_session_count] |
|
additional.fields[actor.session.expiration_reason] |
additional.fields[actor_session_expiration_reason] |
|
additional.fields[actor.session.is_mfa] |
additional.fields[actor_session_is_mfa] |
|
additional.fields[actor.session.terminal] |
additional.fields[actor_session_terminal] |
|
additional.fields[actor.session.is_vpn] |
additional.fields[actor_session_is_vpn] |
|
device.zone |
principal.asset.attribute.labels[device_zone] |
|
device.groups.domain |
principal.asset.attribute.labels[device_groups_domain] |
Iterate through the device.groups.domain log field, then the device.groups.domain log field is mapped to the principal.asset.attribute.labels[device_domain] UDM field. |
device.os.cpe_name |
principal.asset.attribute.labels[device_os_cpe_name] |
|
process.file.signature.certificate.uid |
additional.fields[file_signature_certificate_uid] |
|
process.file.product.cpe_name |
additional.fields[file_product_cpe_name] |
|
metadata.log_level | additional.fields[metadata_log_level] | |
metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
metadata.product.cpe_name | additional.fields[metadata_product_cpe_name] | |
metadata.log_level | additional.fields[metadata_log_level] | |
metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
metadata.loggers.device.hostname | about.asset.hostname | Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip | about.asset.ip | Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid | about.asset.asset_id | Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
Field mapping reference: OCSF Http Activity
The following table lists the log fields for the Http Activity log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
actor.process.cmd_line | principal.process.command_line | |
actor.process.file.accessed_time | principal.process.file.last_seen_time | |
actor.process.file.created_time | principal.process.file.first_seen_time | |
actor.process.file.mime_type | principal.process.file.mime_type | |
actor.process.file.modified_time | principal.process.file.last_modification_time | |
actor.process.file.name | principal.process.file.names | |
actor.process.file.path | principal.process.file.full_path | |
actor.process.file.size | principal.process.file.size | |
actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
actor.process.parent_process.pid | principal.process.parent_process.pid | |
actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
actor.process.pid | principal.process.pid | |
actor.process.uid | principal.process.product_specific_process_id | |
actor.process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is empty then, %{actor.process.user.email_addr} log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name | principal.user.user_display_name | If the actor.user.full_name log field value is empty then, %{actor.process.user.full_name} log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is empty then, %{actor.process.user.groups.uid} log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name | principal.user.userid | If the actor.user.name log field value is empty then, %{actor.process.user.name} log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is empty then, %{actor.process.user.org.name} log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is empty then, %{actor.process.user.org.ou_name} log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is empty and if the type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.process.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is empty then, %{actor.process.user.uid} log field is mapped to the principal.user.product_object_id UDM field. |
actor.session.uid | network.session_id | |
actor.user.domain | principal.administrative_domain | |
actor.user.email_addr | principal.user.email_addresses | |
actor.user.full_name | principal.user.user_display_name | |
actor.user.groups.name | principal.group.group_display_name | |
actor.user.groups.privileges | principal.group.attribute.permissions.name | |
actor.user.groups.uid | principal.user.group_identifiers | |
actor.user.name | principal.user.userid | |
actor.user.org.name | principal.user.company_name | |
actor.user.org.ou_name | principal.user.department | |
actor.user.type_id | principal.user.attribute.roles.name | If the type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.user.uid | principal.user.product_object_id | |
api.response.code | network.http.response_code | If the http_response.code log field value is empty and the http_status log field value is empty then, api.response.code log field is mapped to the network.http.response_code UDM field. |
api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name | target.application | If the dst_endpoint.svc_name log field value is empty then, %{api.service.name} log field is mapped to the target.application UDM field. |
attacks.tactics.name | security_result.attack_details.tactics.name | |
attacks.tactics.uid | security_result.attack_details.tactics.id | |
attacks.technique.name | security_result.attack_details.technique.name | |
attacks.technique.uid | security_result.attack_details.technique.id | |
attacks.version | security_result.attack_details.version | |
category_name | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
class_name | metadata.log_type | |
cloud.org.name | about.resource.name | |
cloud.org.uid | about.resource.product_object_id | |
cloud.project_uid | principal.resource.product_object_id | |
cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
cloud.region | about.location.name | |
cloud.zone | about.resource.attribute.cloud.availability_zone | |
connection_info.direction_id | network.direction | If the connection_info.direction_id log field value is equal to 1 then, the network.direction UDM field is set to INBOUND. Else, if connection_info.direction_id log field value is equal to 2 then, the network.direction UDM field is set to OUTBOUND. Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
connection_info.protocol_num | network.ip_protocol | If the connection_info.protocol_num log field value is equal to 1 then, the network.ip_protocol UDM field is set to ICMP. Else, if connection_info.protocol_num log field value is equal to 2 then, the network.ip_protocol UDM field is set to IGMP. Else, if connection_info.protocol_num log field value is equal to 6 then, the network.ip_protocol UDM field is set to TCP. Else, if connection_info.protocol_num log field value is equal to 17 then, the network.ip_protocol UDM field is set to UDP. Else, if connection_info.protocol_num log field value is equal to 41 then, the network.ip_protocol UDM field is set to IP6IN4. Else, if connection_info.protocol_num log field value is equal to 47 then, the network.ip_protocol UDM field is set to GRE. Else, if connection_info.protocol_num log field value is equal to 50 then, the network.ip_protocol UDM field is set to ESP. Else, if connection_info.protocol_num log field value is equal to 58 then, the network.ip_protocol UDM field is set to ICMP6. Else, if connection_info.protocol_num log field value is equal to 88 then, the network.ip_protocol UDM field is set to EIGRP. Else, if connection_info.protocol_num log field value is equal to 97 then, the network.ip_protocol UDM field is set to ETHERIP. Else, if connection_info.protocol_num log field value is equal to 103 then, the network.ip_protocol UDM field is set to PIM. Else, if connection_info.protocol_num log field value is equal to 112 then, the network.ip_protocol UDM field is set to VRRP. Else, if connection_info.protocol_num log field value is equal to 132 then, the network.ip_protocol UDM field is set to SCTP. Else, the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL. |
connection_info.protocol_ver_id | network.application_protocol_version | If the connection_info.protocol_ver_id log field value is equal to 4 then, the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if connection_info.protocol_ver_id log field value is equal to 6 then, the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). |
device.created_time | principal.asset.attribute.creation_time | |
device.domain | principal.asset.network_domain | |
device.first_seen_time | principal.asset.first_seen_time | |
device.hostname | principal.asset.hostname | |
device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
device.hw_info.ram_size | principal.asset.hardware.ram | |
device.hw_info.serial_number | principal.asset.hardware.serial_number | |
device.ip | principal.asset.ip | |
device.location.city | principal.asset.location.city | |
device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
device.location.country | principal.asset.location.country_or_region | |
device.location.region | principal.asset.location.name | If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
device.mac |
principal.asset.mac |
|
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.os.type_id |
principal.asset.platform_software.platform |
If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS . Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX . Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID . Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC . Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS . Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM . |
device.os.version |
principal.asset.platform_software.platform_version |
|
device.region |
principal.asset.location.name |
|
device.type_id |
principal.asset.type |
If the device.type_id log field value is equal to 1 then, the principal.asset.type UDM field is set to SERVER . Else, if device.type_id log field value is equal to 2 then, the principal.asset.type UDM field is set to WORKSTATION . Else, if device.type_id log field value is equal to 3 then, the principal.asset.type UDM field is set to LAPTOP . Else, if device.type_id log field value is equal to 4 or the device.type_id log field value is equal to 5 then, the principal.asset.type UDM field is set to MOBILE . Else, if device.type_id log field value is equal to 7 then, the principal.asset.type UDM field is set to IOT . Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED . |
device.uid |
principal.asset.product_object_id |
|
disposition |
security_result.action_details |
|
disposition_id |
security_result.action |
If the disposition_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW . Else, if disposition_id log field value is equal to 2 then, the security_result.action UDM field is set to BLOCK . Else, if disposition_id log field value is equal to 4 then, the security_result.action UDM field is set to QUARANTINE . Else, the security_result.action UDM field is set to UNKNOWN_ACTION . |
dst_endpoint.domain |
target.domain.name |
|
dst_endpoint.hostname |
target.hostname |
|
dst_endpoint.intermediate_ips |
intermediary.ip |
|
dst_endpoint.ip |
target.ip |
|
dst_endpoint.location.city |
target.location.city |
|
dst_endpoint.location.coordinates.0 |
target.location.region_coordinates.longitude |
|
dst_endpoint.location.coordinates.1 |
target.location.region_coordinates.latitude |
|
dst_endpoint.location.country |
target.location.country_or_region |
|
dst_endpoint.location.region |
target.location.name |
|
dst_endpoint.mac |
target.mac |
|
dst_endpoint.port |
target.port |
|
dst_endpoint.svc_name |
target.application |
|
dst_endpoint.uid |
target.asset_id |
|
http_request.http_method |
network.http.method |
|
http_request.referrer |
network.http.referral_url |
|
http_request.user_agent |
network.http.user_agent |
|
http_response.code |
network.http.response_code |
|
http_status |
network.http.response_code |
If the http_response.code log field value is empty then, http_status log field is mapped to the network.http.response_code UDM field. |
malware.cves.created_time |
extensions.vulns.vulnerabilities.first_found |
|
malware.cves.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
malware.cves.cvss.severity |
extensions.vulns.vulnerabilities.severity |
If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW . Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM . Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH . Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL . Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY . |
malware.cves.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
malware.cves.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
malware.cves.product.name |
extensions.vulns.vulnerabilities.about.application' |
|
malware.cves.product.uid |
extensions.vulns.vulnerabilities.about.asset_id |
|
malware.cves.product.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
malware.cves.type |
extensions.vulns.vulnerabilities.name |
|
malware.cves.uid |
extensions.vulns.vulnerabilities.cve_id |
|
malware.name |
security_result.threat_name |
|
malware.uid |
security_result.threat_id |
|
message |
metadata.description |
|
metadata.logged_time |
metadata.collected_timestamp |
|
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
metadata.product.name |
metadata.product_name |
|
metadata.uid |
metadata.product_log_id |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
observables.value |
observer.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.url | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.user.email_addresses | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.user.userid | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
proxy.domain | intermediary.domain.name | |
proxy.hostname | intermediary.hostname | |
proxy.intermediate_ips | intermediary.ip | |
proxy.ip | intermediary.ip | |
proxy.location.city | intermediary.location.city | |
proxy.location.coordinates.0 | intermediary.location.region_coordinates.longitude | |
proxy.location.coordinates.1 | intermediary.location.region_coordinates.latitude | |
proxy.location.country | intermediary.location.country_or_region | |
proxy.location.region | intermediary.location.name | |
proxy.mac | intermediary.mac | |
proxy.port | intermediary.port | |
proxy.svc_name | intermediary.application | |
proxy.uid | intermediary.asset_id | |
severity | security_result.severity_details | |
severity_id | security_result.severity | If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
src_endpoint.domain | principal.domain.name | |
src_endpoint.hostname | principal.hostname | |
src_endpoint.intermediate_ips | intermediary.ip | |
src_endpoint.ip | principal.ip | |
src_endpoint.location.city | principal.location.city | |
src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | |
src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | |
src_endpoint.location.country | principal.location.country_or_region | |
src_endpoint.location.region | principal.location.name | |
src_endpoint.mac | principal.mac | |
src_endpoint.port | principal.port | |
src_endpoint.svc_name | principal.application | |
src_endpoint.uid | principal.asset_id | |
time | metadata.event_timestamp | |
tls.certificate.created_time | network.tls.client.certificate.not_before | |
tls.certificate.expiration_time | network.tls.client.certificate.not_after | |
tls.certificate.issuer | network.tls.client.certificate.issuer | |
tls.certificate.serial_number | network.tls.client.certificate.serial | |
tls.certificate.subject | network.tls.client.certificate.subject | |
tls.certificate.version | network.tls.client.certificate.version | |
tls.cipher | network.tls.cipher | |
tls.client_ciphers | network.tls.client.supported_ciphers | |
tls.ja3_hash.value | network.tls.client.ja3 | |
tls.ja3s_hash.value | network.tls.client.ja3s | |
tls.sni | network.tls.client.server_name | |
tls.version | network.tls.version_protocol | |
traffic.bytes_in | network.received_bytes | |
traffic.bytes_out | network.sent_bytes | |
traffic.packets_in | network.received_packets | |
traffic.packets_out | network.sent_packets | |
connection_info.session.uid_alt | additional.fields[connection_info_session_uid_alt] | |
connection_info.session.count | additional.fields[connection_info_session_count] | |
connection_info.session.expiration_reason | additional.fields[connection_info_session_expiration_reason] | |
connection_info.session.is_mfa | additional.fields[connection_info_session_is_mfa] | |
connection_info.session.terminal | additional.fields[connection_info_session_terminal] | |
connection_info.session.is_vpn | additional.fields[connection_info_session_is_vpn] | |
dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
dst_endpoint.type | additional.fields[dst_endpoint_type] | |
dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
dst_endpoint.proxy_endpoint.port | intermediary.port | |
dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
metadata.log_level | additional.fields[metadata_log_level] | |
metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
metadata.loggers.device.hostname | about.asset.hostname | Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip | about.asset.ip | Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid | about.asset.asset_id | Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
http_request.length | additional.fields[http_request_length] | |
src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
src_endpoint.type | additional.fields[src_endpoint_type] | |
src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
src_endpoint.proxy_endpoint.ip | intermediary.ip | |
src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
src_endpoint.proxy_endpoint.mac | intermediary.mac | |
src_endpoint.proxy_endpoint.port | intermediary.port | |
src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
tls.certificate.uid | additional.fields[tls_certificate_uid] | |
traffic.chunks | additional.fields[traffic_chunks] | |
traffic.chunks_in | additional.fields[traffic_chunks_in] | |
traffic.chunks_out | additional.fields[traffic_chunks_out] | |
http_cookies.domain | security_result.detection_fields[http_cookies_domain] | Iterate through log field http_cookies, then http_cookies.domain log field is mapped to the security_result.detection_fields[http_cookies_domain] UDM field. |
http_cookies.expiration_time | security_result.detection_fields[http_cookies_expiration_time] | Iterate through log field http_cookies, then http_cookies.expiration_time log field is mapped to the security_result.detection_fields[http_cookies_expiration_time] UDM field. |
http_cookies.is_http_only | security_result.detection_fields[http_cookies_is_http_only] | Iterate through log field http_cookies, then http_cookies.is_http_only log field is mapped to the security_result.detection_fields[http_cookies_is_http_only] UDM field. |
http_cookies.name | security_result.detection_fields[http_cookies_name] | Iterate through log field http_cookies, then http_cookies.name log field is mapped to the security_result.detection_fields[http_cookies_name] UDM field. |
http_cookies.path | security_result.detection_fields[http_cookies_path] | Iterate through log field http_cookies, then http_cookies.path log field is mapped to the security_result.detection_fields[http_cookies_path] UDM field. |
http_cookies.samesite | security_result.detection_fields[http_cookies_samesite] | Iterate through log field http_cookies, then http_cookies.samesite log field is mapped to the security_result.detection_fields[http_cookies_samesite] UDM field. |
http_cookies.is_secure | security_result.detection_fields[http_cookies_is_secure] | Iterate through log field http_cookies, then http_cookies.is_secure log field is mapped to the security_result.detection_fields[http_cookies_is_secure] UDM field. |
http_cookies.value | security_result.detection_fields[http_cookies_value] | Iterate through log field http_cookies, then http_cookies.value log field is mapped to the security_result.detection_fields[http_cookies_value] UDM field. |
http_response.http_headers.name | security_result.detection_fields[http_response_http_headers_name] | Iterate through log field http_response.http_headers, then http_response.http_headers.name log field is mapped to the security_result.detection_fields[http_response_http_headers_name] UDM field. |
http_response.http_headers.value | security_result.detection_fields[http_response_http_headers_value] | Iterate through log field http_response.http_headers, then http_response.http_headers.value log field is mapped to the security_result.detection_fields[http_response_http_headers_value] UDM field. |
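The observables.value and severity_id rows above describe two branching rules rather than plain copies. This added Python example (not the Google SecOps parser's own code) implements exactly those two rules over a constructed OCSF event; the sample event and the choice to leave security_result.severity unset when severity_id is absent are assumptions.

```python
import json
from typing import Any

# observables.type_id -> UDM field, as listed in the observables.value rows above.
OBSERVABLE_TYPE_TO_UDM = {
    1: "observer.hostname",
    2: "observer.ip",
    3: "observer.mac",
    4: "observer.user.userid",
    5: "observer.user.email_addresses",
    6: "observer.url",
    7: "observer.file.names",
    8: "observer.file.vhash",
    9: "observer.process.file.names",
    10: "observer.resource.product_object_id",
}

# severity_id -> security_result.severity, as in the severity_id row above;
# any other severity_id value falls through to UNKNOWN_SEVERITY.
SEVERITY_ID_TO_UDM = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}

# UDM fields that are repeated (list-valued) rather than single values.
REPEATED_UDM_FIELDS = {
    "observer.user.email_addresses",
    "observer.file.names",
    "observer.process.file.names",
}


def set_path(udm: dict, dotted: str, value: Any) -> None:
    """Write value at a dotted UDM path, appending when the field is repeated."""
    parts = dotted.split(".")
    node = udm
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    if dotted in REPEATED_UDM_FIELDS:
        node.setdefault(parts[-1], []).append(value)
    else:
        node[parts[-1]] = value


def map_observables(event: dict, udm: dict) -> None:
    """Iterate observables, but only index 0 is mapped, as the table logic states."""
    for index, obs in enumerate(event.get("observables") or []):
        if index != 0:
            continue  # later observables are not mapped to observer.* by this rule
        target = OBSERVABLE_TYPE_TO_UDM.get(obs.get("type_id"))
        value = obs.get("value")
        if target is None or value in (None, ""):
            continue  # type_id outside 1..10 or empty value: nothing to map
        set_path(udm, target, value)


def map_severity(event: dict, udm: dict) -> None:
    """severity -> severity_details; severity_id -> severity, default UNKNOWN_SEVERITY."""
    if event.get("severity") not in (None, ""):
        set_path(udm, "security_result.severity_details", event["severity"])
    # Assumption: an absent severity_id leaves security_result.severity unset.
    if "severity_id" in event:
        set_path(udm, "security_result.severity",
                 SEVERITY_ID_TO_UDM.get(event["severity_id"], "UNKNOWN_SEVERITY"))


def map_event(raw_json: str) -> dict:
    """Apply the two rules to one OCSF JSON event and return the resulting UDM subset."""
    event = json.loads(raw_json)
    udm: dict = {}
    map_observables(event, udm)
    map_severity(event, udm)
    return udm


# Constructed sample event for this example (not the page's sample log).
SAMPLE_EVENT = json.dumps({
    "class_uid": 4001,
    "class_name": "Network Activity",
    "severity": "High",
    "severity_id": 4,
    "observables": [
        {"name": "dst_endpoint.ip", "type_id": 2, "value": "198.51.100.4"},
        {"name": "src_endpoint.hostname", "type_id": 1, "value": "host-a"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(map_event(SAMPLE_EVENT), indent=2))
```

Note that the second observable (the hostname) never reaches observer.hostname, which is the practical consequence of the index-0 condition in the table logic.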
Field mapping reference: OCSF Network Activity
The following table lists the log fields for the Network Activity log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
api.response.code | network.http.response_code | |
api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name | target.application | If the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if the api.service.name log field value is not empty then, api.service.name log field is mapped to the target.application UDM field. |
activity_id | metadata.event_type | If the class_name log field value is equal to Network Activity then, the metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED. |
activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
actor.process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
actor.process.file.accessed_time | principal.process.file.last_seen_time | If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
actor.process.file.created_time | principal.process.file.first_seen_time | If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
actor.process.file.mime_type | principal.process.file.mime_type | If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
actor.process.file.modified_time | principal.process.file.last_modification_time | If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
actor.process.file.name | principal.process.file.names | If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
actor.process.file.path | principal.process.file.full_path | If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
actor.process.file.size | principal.process.file.size | If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if process.parent_process.file.created_time log field value is not empty then, process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if process.parent_process.file.mime_type log field value is not empty then, process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if process.parent_process.file.modified_time log field value is not empty then, process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if process.parent_process.file.name log field value is not empty then, process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if process.parent_process.file.path log field value is not empty then, process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if process.parent_process.file.size log field value is not empty then, process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
actor.process.parent_process.pid |
principal.process.parent_process.pid |
If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if process.parent_process.pid log field value is not empty then, process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if process.parent_process.uid log field value is not empty then, process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
actor.process.pid |
principal.process.pid |
If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if process.pid log field value is not empty then, process.pid log field is mapped to the principal.process.pid UDM field. |
actor.process.uid |
principal.process.product_specific_process_id |
If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if process.uid log field value is not empty then, process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
actor.process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is empty and the actor.process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
attacks.tactics.name |
security_result.attack_details.tactics.name |
|
attacks.tactics.uid |
security_result.attack_details.tactics.id |
|
attacks.technique.name |
security_result.attack_details.technique.name |
|
attacks.technique.uid |
security_result.attack_details.technique.id |
|
attacks.version |
security_result.attack_details.version |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
class_name |
metadata.log_type |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
connection_info.direction_id |
network.direction |
If the connection_info.direction_id log field value is equal to 1 then, the network.direction UDM field is set to INBOUND. Else, if connection_info.direction_id log field value is equal to 2 then, the network.direction UDM field is set to OUTBOUND. Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
connection_info.protocol_num |
network.ip_protocol |
If the connection_info.protocol_num log field value is equal to 1 then, the network.ip_protocol UDM field is set to ICMP. Else, if connection_info.protocol_num log field value is equal to 2 then, the network.ip_protocol UDM field is set to IGMP. Else, if connection_info.protocol_num log field value is equal to 6 then, the network.ip_protocol UDM field is set to TCP. Else, if connection_info.protocol_num log field value is equal to 17 then, the network.ip_protocol UDM field is set to UDP. Else, if connection_info.protocol_num log field value is equal to 41 then, the network.ip_protocol UDM field is set to IP6IN4. Else, if connection_info.protocol_num log field value is equal to 47 then, the network.ip_protocol UDM field is set to GRE. Else, if connection_info.protocol_num log field value is equal to 50 then, the network.ip_protocol UDM field is set to ESP. Else, if connection_info.protocol_num log field value is equal to 58 then, the network.ip_protocol UDM field is set to ICMP6. Else, if connection_info.protocol_num log field value is equal to 88 then, the network.ip_protocol UDM field is set to EIGRP. Else, if connection_info.protocol_num log field value is equal to 97 then, the network.ip_protocol UDM field is set to ETHERIP. Else, if connection_info.protocol_num log field value is equal to 103 then, the network.ip_protocol UDM field is set to PIM. Else, if connection_info.protocol_num log field value is equal to 112 then, the network.ip_protocol UDM field is set to VRRP. Else, if connection_info.protocol_num log field value is equal to 132 then, the network.ip_protocol UDM field is set to SCTP. Else, the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL. |
connection_info.protocol_ver_id |
network.application_protocol_version |
If the connection_info.protocol_ver_id log field value is equal to 4 then, the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if connection_info.protocol_ver_id log field value is equal to 6 then, the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). |
dst_endpoint.svc_name |
target.application |
If the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, api.service.name log field is mapped to the target.application UDM field. |
dst_endpoint.domain |
target.domain.name |
|
dst_endpoint.hostname |
target.hostname |
|
dst_endpoint.ip |
target.ip |
|
dst_endpoint.location.city |
target.location.city |
|
dst_endpoint.location.country |
target.location.country_or_region |
|
dst_endpoint.location.region |
target.location.name |
|
dst_endpoint.location.coordinates |
target.location.region_coordinates.longitude/latitude |
|
dst_endpoint.mac |
target.mac |
|
dst_endpoint.port |
target.port |
|
dst_endpoint.uid |
target.asset_id |
|
dst_endpoint.intermediate_ips |
intermediary.ip |
|
device.created_time |
principal.asset.attribute.creation_time |
|
device.domain |
principal.asset.network_domain |
|
device.first_seen_time |
principal.asset.first_seen_time |
|
device.hostname |
principal.asset.hostname |
|
device.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
device.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
device.hw_info.cpu_speed |
principal.asset.hardware.cpu_clock_speed |
|
device.hw_info.cpu_type |
principal.asset.hardware.cpu_model |
|
device.hw_info.ram_size |
principal.asset.hardware.ram |
|
device.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
device.ip |
principal.asset.ip |
|
device.location.city |
principal.asset.location.city |
|
device.location.coordinates |
principal.asset.location.region_coordinates.longitude/latitude |
|
device.location.country |
principal.asset.location.country_or_region |
|
device.location.region |
principal.asset.location.name |
If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
device.mac |
principal.asset.mac |
|
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.os.type_id |
principal.asset.platform_software.platform |
If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX. Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC. Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS. Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
device.os.version |
principal.asset.platform_software.platform_version |
|
device.region |
principal.asset.location.name |
|
device.type_id |
principal.asset.type |
|
device.uid |
principal.asset.product_object_id |
|
disposition |
security_result.action_details |
|
disposition_id |
security_result.action |
If the class_name log field value contains one of the following values
disposition_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW. Else, if disposition_id log field value is equal to 2 then, the security_result.action UDM field is set to BLOCK. Else, if disposition_id log field value is equal to 3 then, the security_result.action UDM field is set to QUARANTINE. |
time |
metadata.event_timestamp |
|
malware.cves.created_time |
extensions.vulns.vulnerabilities.first_found |
|
malware.cves.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
malware.cves.cvss.severity |
extensions.vulns.vulnerabilities.severity |
If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
malware.cves.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
malware.cves.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
malware.cves.product.name |
extensions.vulns.vulnerabilities.about.application |
|
malware.cves.product.uid |
extensions.vulns.vulnerabilities.about.asset_id |
|
malware.cves.product.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
malware.cves.type |
extensions.vulns.vulnerabilities.name |
|
malware.cves.uid |
extensions.vulns.vulnerabilities.cve_id |
|
malware.name |
security_result.threat_name |
|
malware.uid |
security_result.threat_id |
|
message |
metadata.description |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.product.name |
metadata.product_name |
|
metadata.uid |
metadata.product_log_id |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
observables.value |
observer.file.names |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through the observables log field; for the element at index 0, map observables.value according to observables.type_id: if it is 1, to observer.hostname; if 2, to observer.ip; if 3, to observer.mac; if 4, to observer.user.userid; if 5, to observer.user.email_addresses; if 6, to observer.url; if 7, to observer.file.names; if 8, to observer.file.vhash; if 9, to observer.process.file.names; if 10, to observer.resource.product_object_id. No other index or type_id value is mapped by this rule. |
observables.value |
observer.resource.product_object_id |
Iterate through the observables log field; for the element at index 0, map observables.value according to observables.type_id: if it is 1, to observer.hostname; if 2, to observer.ip; if 3, to observer.mac; if 4, to observer.user.userid; if 5, to observer.user.email_addresses; if 6, to observer.url; if 7, to observer.file.names; if 8, to observer.file.vhash; if 9, to observer.process.file.names; if 10, to observer.resource.product_object_id. No other index or type_id value is mapped by this rule. |
observables.value |
observer.url |
Iterate through the observables log field; for the element at index 0, map observables.value according to observables.type_id: if it is 1, to observer.hostname; if 2, to observer.ip; if 3, to observer.mac; if 4, to observer.user.userid; if 5, to observer.user.email_addresses; if 6, to observer.url; if 7, to observer.file.names; if 8, to observer.file.vhash; if 9, to observer.process.file.names; if 10, to observer.resource.product_object_id. No other index or type_id value is mapped by this rule. |
observables.value |
observer.user.email_addresses |
Iterate through the observables log field; for the element at index 0, map observables.value according to observables.type_id: if it is 1, to observer.hostname; if 2, to observer.ip; if 3, to observer.mac; if 4, to observer.user.userid; if 5, to observer.user.email_addresses; if 6, to observer.url; if 7, to observer.file.names; if 8, to observer.file.vhash; if 9, to observer.process.file.names; if 10, to observer.resource.product_object_id. No other index or type_id value is mapped by this rule. |
observables.value |
observer.user.userid |
Iterate through the observables log field; for the element at index 0, map observables.value according to observables.type_id: if it is 1, to observer.hostname; if 2, to observer.ip; if 3, to observer.mac; if 4, to observer.user.userid; if 5, to observer.user.email_addresses; if 6, to observer.url; if 7, to observer.file.names; if 8, to observer.file.vhash; if 9, to observer.process.file.names; if 10, to observer.resource.product_object_id. No other index or type_id value is mapped by this rule. |
proxy.svc_name |
intermediary.application |
|
proxy.domain |
intermediary.domain.name |
|
proxy.hostname |
intermediary.hostname |
|
proxy.ip |
intermediary.ip |
|
proxy.location.city |
intermediary.location.city |
|
proxy.location.country |
intermediary.location.country_or_region |
|
proxy.location.region |
intermediary.location.name |
|
proxy.location.coordinates |
intermediary.location.region_coordinates.longitude/latitude |
The coordinates array is in OCSF (GeoJSON) order [longitude, latitude]: coordinates[0] is mapped to intermediary.location.region_coordinates.longitude and coordinates[1] to intermediary.location.region_coordinates.latitude. |
proxy.mac |
intermediary.mac |
|
proxy.port |
intermediary.port |
|
proxy.uid |
intermediary.asset_id |
|
proxy.intermediate_ips |
intermediary.ip |
|
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. Note that OCSF also defines severity_id 0 (Unknown), 6 (Fatal) and 99 (Other); all of these fall through to UNKNOWN_SEVERITY, so an OCSF Fatal event does not rank above CRITICAL in UDM. |
src_endpoint.domain |
principal.domain.name |
|
src_endpoint.hostname |
principal.hostname |
|
src_endpoint.ip |
principal.ip |
|
src_endpoint.intermediate_ips |
intermediary.ip |
|
src_endpoint.mac |
principal.mac |
|
src_endpoint.port |
principal.port |
|
src_endpoint.svc_name |
principal.application |
|
src_endpoint.uid |
principal.asset_id |
|
src_endpoint.location.city |
principal.location.city |
|
src_endpoint.location.coordinates |
principal.location.region_coordinates.longitude/latitude |
The coordinates array is in OCSF (GeoJSON) order [longitude, latitude]: coordinates[0] is mapped to principal.location.region_coordinates.longitude and coordinates[1] to principal.location.region_coordinates.latitude. |
src_endpoint.location.country |
principal.location.country_or_region |
|
src_endpoint.location.region |
principal.location.name |
|
tls.cipher |
network.tls.cipher |
|
tls.certificate.issuer |
network.tls.client.certificate.issuer |
|
tls.certificate.expiration_time |
network.tls.client.certificate.not_after |
|
tls.certificate.created_time |
network.tls.client.certificate.not_before |
|
tls.certificate.serial_number |
network.tls.client.certificate.serial |
|
tls.certificate.subject |
network.tls.client.certificate.subject |
|
tls.certificate.version |
network.tls.client.certificate.version |
|
tls.ja3_hash.value |
network.tls.client.ja3 |
|
tls.ja3s_hash.value |
network.tls.client.ja3s |
|
tls.sni |
network.tls.client.server_name |
|
tls.client_ciphers |
network.tls.client.supported_ciphers |
|
tls.version |
network.tls.version_protocol |
|
traffic.bytes_out |
network.received_bytes |
Note the direction: OCSF defines traffic.bytes_out (and traffic.packets_out) as traffic sent from the source to the destination, but this parser stores them in network.received_bytes and network.received_packets. Write rules that filter on the sent/received counters with this in mind. |
traffic.packets_out |
network.received_packets |
|
traffic.bytes_in |
network.sent_bytes |
Note the direction: OCSF defines traffic.bytes_in (and traffic.packets_in) as traffic sent from the destination to the source, but this parser stores them in network.sent_bytes and network.sent_packets. Write rules that filter on the sent/received counters with this in mind. |
traffic.packets_in |
network.sent_packets |
|
file.accessed_time |
target.file.last_seen_time |
|
file.created_time |
target.file.first_seen_time |
|
file.mime_type |
target.file.mime_type |
|
file.modified_time |
target.file.last_modification_time |
|
file.name |
target.file.names |
|
file.path |
target.file.full_path |
|
file.size |
target.file.size |
|
cloud.account_uid |
about.resource.attribute.labels [cloud_account_uid] |
|
class_uid |
about.labels [class_uid] |
|
connection_info.boundary |
about.labels [connection_info_boundary] |
|
connection_info.boundary_id |
about.labels [connection_info_boundary_id] |
|
connection_info.protocol_ver |
about.labels [connection_info_protocol_ver] |
|
connection_info.tcp_flags |
about.labels [connection_info_tcp_flags] |
|
dst_endpoint.instance_uid |
target.labels [dst_endpoint_instance_uid] |
|
dst_endpoint.interface_uid |
target.labels [dst_endpoint_interface_uid] |
|
dst_endpoint.subnet_uid |
target.labels [dst_endpoint_subnet_uid] |
|
dst_endpoint.vpc_uid |
target.labels [dst_endpoint_vpc_uid] |
|
end_time |
about.labels [end_time] |
|
metadata.product.feature.name |
about.labels [metadata_product_feature_name] |
|
metadata.profiles |
about.labels [metadata_profiles] |
|
metadata.version |
about.labels [metadata_version] |
|
traffic.bytes |
about.labels [traffic_bytes] |
|
traffic.packets |
about.labels [traffic_packets] |
|
start_time |
about.labels [start_time] |
|
class_uid |
additional.fields [class_uid] |
|
connection_info.boundary |
additional.fields [connection_info_boundary] |
|
connection_info.boundary_id |
additional.fields [connection_info_boundary_id] |
|
connection_info.protocol_ver |
additional.fields [connection_info_protocol_ver] |
|
connection_info.tcp_flags |
additional.fields [connection_info_tcp_flags] |
|
dst_endpoint.instance_uid |
additional.fields [dst_endpoint_instance_uid] |
|
dst_endpoint.interface_uid |
additional.fields [dst_endpoint_interface_uid] |
|
dst_endpoint.subnet_uid |
additional.fields [dst_endpoint_subnet_uid] |
|
dst_endpoint.vpc_uid |
additional.fields [dst_endpoint_vpc_uid] |
|
end_time |
additional.fields [end_time] |
|
metadata.product.feature.name |
additional.fields [metadata_product_feature_name] |
|
metadata.profiles |
additional.fields [metadata_profiles] |
|
metadata.version |
additional.fields [metadata_version] |
|
traffic.bytes |
additional.fields [traffic_bytes] |
|
traffic.packets |
additional.fields [traffic_packets] |
|
start_time |
additional.fields [start_time] |
|
url.query_string |
about.security_result.detection_fields[url_query_string] |
|
url.path |
about.security_result.detection_fields[url_path] |
|
url.scheme |
about.security_result.detection_fields[url_scheme] |
|
url.category_ids |
about.security_result.detection_fields[url_category_ids] |
Iterate through log field url.category_ids, then each url.category_ids value is mapped to the about.security_result.detection_fields[url_category_ids] UDM field. |
url.hostname |
about.hostname |
|
url.port |
about.port |
|
url.resource_type |
about.resource.resource_subtype |
|
url.subdomain |
about.administrative_domain |
|
url.url_string |
about.url |
|
url.categories |
about.url_metadata.categories |
Iterate through log field url.categories, then each url.categories value is mapped to the about.url_metadata.categories UDM field. |
connection_info.session.uid_alt |
additional.fields[connection_info_session_uid_alt] |
|
connection_info.session.count |
additional.fields[connection_info_session_count] |
|
connection_info.session.expiration_reason |
additional.fields[connection_info_session_expiration_reason] |
|
connection_info.session.is_mfa |
additional.fields[connection_info_session_is_mfa] |
|
connection_info.session.terminal |
additional.fields[connection_info_session_terminal] |
|
connection_info.session.is_vpn |
additional.fields[connection_info_session_is_vpn] |
|
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
The coordinates array is in OCSF (GeoJSON) order [longitude, latitude], so coordinates[0] populates the longitude and coordinates[1] the latitude of intermediary.location.region_coordinates. |
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
src_endpoint.hw_info.bios_date |
principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] |
|
src_endpoint.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
src_endpoint.hw_info.bios_ver |
principal.asset.hardware.model |
|
src_endpoint.hw_info.cpu_bits |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] |
|
src_endpoint.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
src_endpoint.hw_info.cpu_count |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] |
|
src_endpoint.hw_info.chassis |
principal.asset.attribute.labels[src_endpoint_hw_info_chassis] |
|
src_endpoint.hw_info.desktop_display.color_depth |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.hw_info.desktop_display.physical_height |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.hw_info.desktop_display.physical_orientation |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.hw_info.desktop_display.physical_width |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.hw_info.desktop_display.scale_factor |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.hw_info.keyboard_info.function_keys |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.hw_info.keyboard_info.ime |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.hw_info.keyboard_info.keyboard_layout |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.hw_info.keyboard_info.keyboard_subtype |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.hw_info.keyboard_info.keyboard_type |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.hw_info.cpu_speed |
principal.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.hw_info.cpu_type |
principal.asset.hardware.cpu_platform |
|
src_endpoint.hw_info.ram_size |
principal.asset.hardware.ram |
|
src_endpoint.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
src_endpoint.zone |
principal.asset.attribute.labels[src_endpoint_zone] |
|
src_endpoint.type |
additional.fields[src_endpoint_type] |
|
src_endpoint.type_id |
additional.fields[src_endpoint_type_id] |
|
src_endpoint.os.cpe_name |
principal.asset.attribute.labels[src_endpoint_os_cpe_name] |
|
src_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
src_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
src_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
src_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
src_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
src_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
src_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
src_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
src_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
The coordinates array is in OCSF (GeoJSON) order [longitude, latitude], so coordinates[0] populates the longitude and coordinates[1] the latitude of intermediary.location.region_coordinates. |
src_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
src_endpoint.proxy_endpoint.port |
intermediary.port |
|
src_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
src_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] |
|
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
src_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
src_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
src_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
src_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
tls.certificate.uid | additional.fields[tls_certificate_uid] | |
traffic.chunks | additional.fields[traffic_chunks] | |
traffic.chunks_in | additional.fields[traffic_chunks_in] | |
traffic.chunks_out | additional.fields[traffic_chunks_out] | |
Field mapping reference: OCSF Network File Activity
The following table lists the log fields for the Network File Activity log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
activity_id |
metadata.event_type |
If the class_name log field value is equal to Network File Activity and if the activity_id log field value is equal to 4 then, the metadata.event_type UDM field is set to FILE_DELETION . Else, if activity_id log field value is equal to 3 then, the metadata.event_type UDM field is set to FILE_MODIFICATION . Else, if activity_id log field value is equal to 14 then, the metadata.event_type UDM field is set to FILE_OPEN . Else, the metadata.event_type UDM field is set to FILE_UNCATEGORIZED . |
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
actor.process.cmd_line |
principal.process.command_line |
If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
actor.process.file.accessed_time |
principal.process.file.last_seen_time |
If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
actor.process.file.created_time |
principal.process.file.first_seen_time |
If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
actor.process.file.mime_type |
principal.process.file.mime_type |
If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
actor.process.file.modified_time |
principal.process.file.last_modification_time |
If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
actor.process.file.name |
principal.process.file.names |
If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
actor.process.file.path |
principal.process.file.full_path |
If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
actor.process.file.size |
principal.process.file.size |
If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
actor.process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
actor.process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if process.parent_process.file.created_time log field value is not empty then, process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if process.parent_process.file.mime_type log field value is not empty then, process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if process.parent_process.file.modified_time log field value is not empty then, process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if process.parent_process.file.name log field value is not empty then, process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if process.parent_process.file.path log field value is not empty then, process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if process.parent_process.file.size log field value is not empty then, process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
actor.process.parent_process.pid |
principal.process.parent_process.pid |
If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if process.parent_process.pid log field value is not empty then, process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if process.parent_process.uid log field value is not empty then, process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
actor.process.pid |
principal.process.pid |
If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if process.pid log field value is not empty then, process.pid log field is mapped to the principal.process.pid UDM field. |
actor.process.uid |
principal.process.product_specific_process_id |
If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if process.uid log field value is not empty then, process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
actor.process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is empty and if the actor.process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
api.response.code |
network.http.response_code |
|
api.response.message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name |
target.application |
|
attacks.tactics.name |
security_result.attack_details.tactics.name |
|
attacks.tactics.uid |
security_result.attack_details.tactics.id |
|
attacks.technique.name |
security_result.attack_details.technique.name |
|
attacks.technique.uid |
security_result.attack_details.technique.id |
|
attacks.version |
security_result.attack_details.version |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
class_name |
metadata.log_type |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES . Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE . Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
file.accessed_time |
target.file.last_seen_time |
|
file.created_time |
target.file.first_seen_time |
|
file.mime_type |
target.file.mime_type |
|
file.modified_time |
target.file.last_modification_time |
|
file.name |
target.file.names |
|
file.path |
target.file.full_path |
|
file.size |
target.file.size |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.product.name |
metadata.product_name |
|
metadata.uid |
metadata.product_log_id |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
observables.value |
observer.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through the observables log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then observables.value is mapped to the observer.ip UDM field. Else, if it is equal to 3, to the observer.mac UDM field. Else, if it is equal to 4, to the observer.user.userid UDM field. Else, if it is equal to 5, to the observer.user.email_addresses UDM field. Else, if it is equal to 6, to the observer.url UDM field. Else, if it is equal to 7, to the observer.file.names UDM field. Else, if it is equal to 8, to the observer.file.vhash UDM field. Else, if it is equal to 9, to the observer.process.file.names UDM field. Else, if it is equal to 10, to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through the observables log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then observables.value is mapped to the observer.ip UDM field. Else, if it is equal to 3, to the observer.mac UDM field. Else, if it is equal to 4, to the observer.user.userid UDM field. Else, if it is equal to 5, to the observer.user.email_addresses UDM field. Else, if it is equal to 6, to the observer.url UDM field. Else, if it is equal to 7, to the observer.file.names UDM field. Else, if it is equal to 8, to the observer.file.vhash UDM field. Else, if it is equal to 9, to the observer.process.file.names UDM field. Else, if it is equal to 10, to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through the observables log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then observables.value is mapped to the observer.ip UDM field. Else, if it is equal to 3, to the observer.mac UDM field. Else, if it is equal to 4, to the observer.user.userid UDM field. Else, if it is equal to 5, to the observer.user.email_addresses UDM field. Else, if it is equal to 6, to the observer.url UDM field. Else, if it is equal to 7, to the observer.file.names UDM field. Else, if it is equal to 8, to the observer.file.vhash UDM field. Else, if it is equal to 9, to the observer.process.file.names UDM field. Else, if it is equal to 10, to the observer.resource.product_object_id UDM field. |
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL . Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW . Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM . Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH . Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL . Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY . |
src_endpoint.domain |
principal.domain.name |
|
src_endpoint.hostname |
principal.hostname |
|
src_endpoint.intermediate_ips |
intermediary.ip |
|
src_endpoint.ip |
principal.ip |
|
src_endpoint.location.city |
principal.location.city |
|
src_endpoint.location.coordinates |
principal.location.region_coordinates.longitude/latitude |
The first element of src_endpoint.location.coordinates is mapped to the principal.location.region_coordinates.longitude UDM field and the second element to the principal.location.region_coordinates.latitude UDM field (OCSF stores coordinates as a longitude, latitude pair). |
src_endpoint.location.country |
principal.location.country_or_region |
|
src_endpoint.location.region |
principal.location.name |
|
src_endpoint.mac |
principal.mac |
|
src_endpoint.port |
principal.port |
|
src_endpoint.svc_name |
principal.application |
|
src_endpoint.uid |
principal.asset_id |
|
time |
metadata.event_timestamp |
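The severity_id, observables and src_endpoint rules in the table above, implemented as an added Python example. This is not the Google SecOps OCSF parser (the parser itself is not published on this page); it is illustrative code written for this document. Two points are assumptions of the example rather than statements from the table: which UDM fields are repeated (list-valued), and the reading that the type_id dispatch applies to every element of the observables array, since the table's wording about "index value is equal to 0" is ambiguous. SAMPLE_EVENT is a constructed input, not a real log.

```python
# Added example, not the Google SecOps OCSF parser: a small OCSF -> UDM mapper
# implementing the severity_id, observables and src_endpoint rules of the table
# above. SAMPLE_EVENT is a constructed input, not a real log.
from typing import Any

# severity_id -> security_result.severity; any other value -> UNKNOWN_SEVERITY
SEVERITY_BY_ID = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}

# observables.type_id -> observer.* UDM field; type_ids outside 1..10 are dropped
OBSERVER_FIELD_BY_TYPE_ID = {
    1: "observer.hostname", 2: "observer.ip", 3: "observer.mac",
    4: "observer.user.userid", 5: "observer.user.email_addresses",
    6: "observer.url", 7: "observer.file.names", 8: "observer.file.vhash",
    9: "observer.process.file.names", 10: "observer.resource.product_object_id",
}

# src_endpoint.<key> -> principal.* for the scalar fields in the table above
PRINCIPAL_FIELD_BY_SRC_KEY = {
    "domain": "principal.domain.name", "hostname": "principal.hostname",
    "ip": "principal.ip", "mac": "principal.mac", "port": "principal.port",
    "svc_name": "principal.application", "uid": "principal.asset_id",
}

# Assumption: these UDM fields are repeated (list-valued); all others are scalars.
REPEATED_FIELDS = {
    "observer.ip", "observer.mac", "observer.file.names", "observer.user.email_addresses",
    "observer.process.file.names", "principal.ip", "principal.mac", "intermediary.ip",
}

def set_udm(udm: dict, dotted: str, value: Any) -> None:
    """Write value at a dotted UDM path, appending when the field is repeated."""
    *parents, leaf = dotted.split(".")
    node = udm
    for part in parents:
        node = node.setdefault(part, {})
    if dotted in REPEATED_FIELDS:
        node.setdefault(leaf, []).append(value)
    else:
        node[leaf] = value

def map_severity(severity_id: Any) -> str:
    return SEVERITY_BY_ID.get(severity_id, "UNKNOWN_SEVERITY")

def map_observables(observables: list, udm: dict) -> None:
    # Assumption: the type_id dispatch is applied to every element of the array,
    # not only to index 0; the table's wording on that point is ambiguous.
    for obs in observables:
        field = OBSERVER_FIELD_BY_TYPE_ID.get(obs.get("type_id"))
        if field and obs.get("value") not in (None, ""):
            set_udm(udm, field, obs["value"])

def map_src_endpoint(src: dict, udm: dict) -> None:
    for key, field in PRINCIPAL_FIELD_BY_SRC_KEY.items():
        if src.get(key) not in (None, ""):
            set_udm(udm, field, src[key])
    for ip in src.get("intermediate_ips", []):
        set_udm(udm, "intermediary.ip", ip)
    loc = src.get("location", {})
    for key, field in (("city", "principal.location.city"),
                       ("country", "principal.location.country_or_region"),
                       ("region", "principal.location.name")):
        if loc.get(key):
            set_udm(udm, field, loc[key])
    coords = loc.get("coordinates")
    if isinstance(coords, list) and len(coords) == 2:  # OCSF order is [longitude, latitude]
        set_udm(udm, "principal.location.region_coordinates.longitude", coords[0])
        set_udm(udm, "principal.location.region_coordinates.latitude", coords[1])

def ocsf_to_udm(event: dict) -> dict:
    """Map the OCSF fields covered by the table above into a nested UDM dict."""
    udm: dict = {}
    if event.get("time") is not None:
        set_udm(udm, "metadata.event_timestamp", event["time"])
    if event.get("severity"):
        set_udm(udm, "security_result.severity_details", event["severity"])
    set_udm(udm, "security_result.severity", map_severity(event.get("severity_id")))
    map_observables(event.get("observables", []), udm)
    map_src_endpoint(event.get("src_endpoint", {}), udm)
    return udm

# Constructed sample event (illustrative values only).
SAMPLE_EVENT = {
    "time": 1602175307000, "severity": "High", "severity_id": 4,
    "src_endpoint": {
        "hostname": "ws-01", "ip": "198.51.100.4", "port": 420,
        "intermediate_ips": ["198.51.100.5", "198.51.100.6"],
        "location": {"city": "city", "country": "country", "region": "region",
                     "coordinates": [-73.983, 40.719]},
    },
    "observables": [
        {"name": "src_endpoint.ip", "type_id": 2, "value": "198.51.100.4"},
        {"name": "actor.user.name", "type_id": 4, "value": "jdoe"},
        {"name": "file.hashes", "type_id": 8, "value": "d41d8cd98f00b204e9800998ecf8427e"},
        {"name": "unmapped", "type_id": 99, "value": "dropped"},  # no UDM target
    ],
}
```

Running ocsf_to_udm(SAMPLE_EVENT) yields security_result.severity HIGH, observer.ip ["198.51.100.4"], observer.user.userid jdoe, observer.file.vhash set from the type_id 8 observable, the type_id 99 observable dropped, and principal.location.region_coordinates filled from the coordinates pair. A severity_id outside 1..5 (or a missing one) falls through to UNKNOWN_SEVERITY, which is worth checking when a producer emits its own severity scale.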
Field mapping reference: OCSF File Hosting Activity
The following table lists the log fields for the File Hosting Activity log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
activity_id |
metadata.event_type |
If the class_name log field value is equal to Network File Activity and if the activity_id log field value is equal to 4 then, the metadata.event_type UDM field is set to FILE_DELETION . Else, if activity_id log field value is equal to 3 then, the metadata.event_type UDM field is set to FILE_MODIFICATION . Else, if activity_id log field value is equal to 14 then, the metadata.event_type UDM field is set to FILE_OPEN . Else, the metadata.event_type UDM field is set to FILE_UNCATEGORIZED . |
activity_name |
metadata.product_event_type |
The activity_id and activity_name log fields are concatenated as %{activity_id} - %{activity_name} and mapped to the metadata.product_event_type UDM field. |
actor.process.cmd_line |
principal.process.command_line |
If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
actor.process.file.accessed_time |
principal.process.file.last_seen_time |
If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
actor.process.file.created_time |
principal.process.file.first_seen_time |
If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
actor.process.file.mime_type |
principal.process.file.mime_type |
If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
actor.process.file.modified_time |
principal.process.file.last_modification_time |
If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
actor.process.file.name |
principal.process.file.names |
If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
actor.process.file.path |
principal.process.file.full_path |
If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
actor.process.file.size |
principal.process.file.size |
If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
actor.process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
actor.process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if process.parent_process.file.created_time log field value is not empty then, process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if process.parent_process.file.mime_type log field value is not empty then, process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if process.parent_process.file.modified_time log field value is not empty then, process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if process.parent_process.file.name log field value is not empty then, process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if process.parent_process.file.path log field value is not empty then, process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if process.parent_process.file.size log field value is not empty then, process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
actor.process.parent_process.pid |
principal.process.parent_process.pid |
If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if process.parent_process.pid log field value is not empty then, process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if process.parent_process.uid log field value is not empty then, process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
actor.process.pid |
principal.process.pid |
If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if process.pid log field value is not empty then, process.pid log field is mapped to the principal.process.pid UDM field. |
actor.process.uid |
principal.process.product_specific_process_id |
If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if process.uid log field value is not empty then, process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
actor.process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is empty and if the actor.process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
api.response.code |
network.http.response_code |
|
api.response.message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name |
target.application |
|
attacks.tactics.name |
security_result.attack_details.tactics.name |
|
attacks.tactics.uid |
security_result.attack_details.tactics.id |
|
attacks.technique.name |
security_result.attack_details.technique.name |
|
attacks.technique.uid |
security_result.attack_details.technique.id |
|
attacks.version |
security_result.attack_details.version |
|
category_name |
security_result.category_details |
The category_uid and category_name log fields are concatenated as %{category_uid} - %{category_name} and mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
The category_uid and category_name log fields are concatenated as %{category_uid} - %{category_name} and mapped to the security_result.category_details UDM field. |
class_name |
metadata.log_type |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES . Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE . Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
file.accessed_time |
target.file.last_seen_time |
|
file.created_time |
target.file.first_seen_time |
|
file.mime_type |
target.file.mime_type |
|
file.modified_time |
target.file.last_modification_time |
|
file.name |
target.file.names |
|
file.path |
target.file.full_path |
|
file.size |
target.file.size |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.product.name |
metadata.product_name |
|
metadata.uid |
metadata.product_log_id |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
observables.value |
observer.file.names |
Iterate through the observables log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then observables.value is mapped to the observer.ip UDM field. Else, if it is equal to 3, to the observer.mac UDM field. Else, if it is equal to 4, to the observer.user.userid UDM field. Else, if it is equal to 5, to the observer.user.email_addresses UDM field. Else, if it is equal to 6, to the observer.url UDM field. Else, if it is equal to 7, to the observer.file.names UDM field. Else, if it is equal to 8, to the observer.file.vhash UDM field. Else, if it is equal to 9, to the observer.process.file.names UDM field. Else, if it is equal to 10, to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through the observables log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then observables.value is mapped to the observer.ip UDM field. Else, if it is equal to 3, to the observer.mac UDM field. Else, if it is equal to 4, to the observer.user.userid UDM field. Else, if it is equal to 5, to the observer.user.email_addresses UDM field. Else, if it is equal to 6, to the observer.url UDM field. Else, if it is equal to 7, to the observer.file.names UDM field. Else, if it is equal to 8, to the observer.file.vhash UDM field. Else, if it is equal to 9, to the observer.process.file.names UDM field. Else, if it is equal to 10, to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through the observables log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then observables.value is mapped to the observer.ip UDM field. Else, if it is equal to 3, to the observer.mac UDM field. Else, if it is equal to 4, to the observer.user.userid UDM field. Else, if it is equal to 5, to the observer.user.email_addresses UDM field. Else, if it is equal to 6, to the observer.url UDM field. Else, if it is equal to 7, to the observer.file.names UDM field. Else, if it is equal to 8, to the observer.file.vhash UDM field. Else, if it is equal to 9, to the observer.process.file.names UDM field. Else, if it is equal to 10, to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through log field observables.value , thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL . Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW . Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM . Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH . Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL . Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY . |
src_endpoint.domain |
principal.domain.name |
|
src_endpoint.hostname |
principal.hostname |
|
src_endpoint.intermediate_ips |
intermediary.ip |
|
src_endpoint.ip |
principal.ip |
|
src_endpoint.location.city |
principal.location.city |
|
src_endpoint.location.coordinates |
principal.location.region_coordinates.longitude/latitude |
|
src_endpoint.location.country |
principal.location.country_or_region |
|
src_endpoint.location.region |
principal.location.name |
|
src_endpoint.mac |
principal.mac |
|
src_endpoint.port |
principal.port |
|
src_endpoint.svc_name |
principal.application |
|
src_endpoint.uid |
principal.asset_id |
|
time |
metadata.event_timestamp |
|
connection_info.session.uid_alt |
additional.fields[connection_info_session_uid_alt] |
|
connection_info.session.count |
additional.fields[connection_info_session_count] |
|
connection_info.session.expiration_reason |
additional.fields[connection_info_session_expiration_reason] |
|
connection_info.session.is_mfa |
additional.fields[connection_info_session_is_mfa] |
|
connection_info.session.terminal |
additional.fields[connection_info_session_terminal] |
|
connection_info.session.is_vpn |
additional.fields[connection_info_session_is_vpn] |
|
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers , then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers , then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers , then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers , then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through log field metadata.loggers , then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through log field metadata.loggers , then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through log field metadata.loggers , then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through log field metadata.loggers , then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through log field metadata.loggers , then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through log field metadata.loggers , then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through log field metadata.loggers , then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through log field metadata.loggers , then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through log field metadata.loggers , then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
src_endpoint.hw_info.bios_date |
principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] |
|
src_endpoint.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
src_endpoint.hw_info.bios_ver |
principal.asset.hardware.model |
|
src_endpoint.hw_info.cpu_bits |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] |
|
src_endpoint.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
src_endpoint.hw_info.cpu_count |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] |
|
src_endpoint.hw_info.chassis |
principal.asset.attribute.labels[src_endpoint_hw_info_chassis] |
|
src_endpoint.hw_info.desktop_display.color_depth |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.hw_info.desktop_display.physical_height |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.hw_info.desktop_display.physical_orientation |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.hw_info.desktop_display.physical_width |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.hw_info.desktop_display.scale_factor |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.hw_info.keyboard_info.function_keys |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.hw_info.keyboard_info.ime |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.hw_info.keyboard_info.keyboard_layout |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.hw_info.keyboard_info.keyboard_subtype |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.hw_info.keyboard_info.keyboard_type |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.hw_info.cpu_speed |
principal.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.hw_info.cpu_type |
principal.asset.hardware.cpu_platform |
|
src_endpoint.hw_info.ram_size |
principal.asset.hardware.ram |
|
src_endpoint.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
src_endpoint.zone |
principal.asset.attribute.labels[src_endpoint_zone] |
|
src_endpoint.type |
additional.fields[src_endpoint_type] |
|
src_endpoint.type_id |
additional.fields[src_endpoint_type_id] |
|
src_endpoint.os.cpe_name |
principal.asset.attribute.labels[src_endpoint_os_cpe_name] |
|
src_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
src_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
src_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
src_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
src_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
src_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
src_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
src_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
src_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
src_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
src_endpoint.proxy_endpoint.port |
intermediary.port |
|
src_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
src_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] |
|
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
src_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
src_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
src_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
src_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
actor.user.ldap_person.cost_center | principal.user.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.created_time | principal.user.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.deleted_time | principal.user.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.email_addrs | principal.user.email_addresses | If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.ldap_person.employee_uid | principal.user.employee_uid | If the actor.user.ldap_person.employee_uid log field value is not empty then, actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
actor.user.ldap_person.location | principal.user.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
actor.user.ldap_person.given_name | principal.user.first_name | If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.user.ldap_person.hire_time | principal.user.hire_date | If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.user.ldap_person.job_title | principal.user.title | If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.user.ldap_person.ldap_cn | principal.user.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.ldap_dn | principal.user.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.labels | principal.user.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
actor.user.ldap_person.last_login_time | principal.user.last_login_time | If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.user.ldap_person.leave_time | principal.user.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.modified_time | principal.user.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.modified_time log field value is not empty then, actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.office_location | principal.user.office_address.name | If the actor.user.ldap_person.office_location log field value is not empty then, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.user.ldap_person.surname | principal.user.last_name | If the actor.user.ldap_person.surname log field value is not empty then, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
actor.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] | If the actor.user.ldap_person.manager.cost_center log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] | If the actor.user.ldap_person.manager.created_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] | If the actor.user.ldap_person.manager.deleted_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the actor.user.ldap_person.manager.email_addrs log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. |
actor.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the actor.user.ldap_person.manager.employee_uid log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. |
actor.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_manager_ldap_person_location] | If the actor.user.ldap_person.manager.location log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
actor.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the actor.user.ldap_person.manager.given_name log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. |
actor.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the actor.user.ldap_person.manager.hire_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. |
actor.user.ldap_person.manager.job_title | principal.user.managers.title | If the actor.user.ldap_person.manager.job_title log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. |
actor.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] | If the actor.user.ldap_person.manager.ldap_cn log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] | If the actor.user.ldap_person.manager.ldap_dn log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_manager_ldap_person_labels] | If the actor.user.ldap_person.manager.labels log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
actor.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | If the actor.user.ldap_person.manager.last_login_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. |
actor.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] | If the actor.user.ldap_person.manager.leave_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] | If the actor.user.ldap_person.manager.modified_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.manager.office_location | principal.user.managers.office_address.name | If the actor.user.ldap_person.manager.office_location log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. |
actor.user.ldap_person.manager.surname | principal.user.managers.last_name | If the actor.user.ldap_person.manager.surname log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. |
actor.user.groups.domain | principal.user.group_identifiers | If the actor.user.ldap_person.groups.domain log field value is not empty then, iterate through log field actor.user.ldap_person.groups, then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
Field mapping reference: OCSF API Activity
The following table lists the log fields for the API Activity log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
observables.value | observer.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.file.vhash | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.hostname | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.ip | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.mac | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.process.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.resource.product_object_id | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.url | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value | observer.user.email_addresses | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
actor.idp.name | about.user.user_display_name | |
actor.idp.uid | about.user.userid | |
observables.value | observer.user.userid | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
dst_endpoint.intermediate_ips | intermediary.ip | |
src_endpoint.intermediate_ips | intermediary.ip | Iterate through log field src_endpoint.intermediate_ips, then src_endpoint.intermediate_ips log field is mapped to the intermediary.ip UDM field. |
metadata.logged_time | metadata.collected_timestamp | |
message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. Else, message log field is mapped to the metadata.description UDM field. |
api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. Else, message log field is mapped to the metadata.description UDM field. |
time | metadata.event_timestamp | |
activity_id | metadata.event_type | If the class_name log field value is equal to API Activity and if the activity_id log field value is equal to 1 then, the metadata.event_type UDM field is set to RESOURCE_CREATION. Else, if activity_id log field value is equal to 2 then, the metadata.event_type UDM field is set to RESOURCE_READ. Else, if activity_id log field value is equal to 3 then, the metadata.event_type UDM field is set to RESOURCE_WRITTEN. Else, if activity_id log field value is equal to 4 then, the metadata.event_type UDM field is set to RESOURCE_DELETION. Else, the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS. |
class_name | metadata.log_type | |
activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
metadata.uid | metadata.product_log_id | |
metadata.product.name | metadata.product_name | |
metadata.product.version | metadata.product_version | |
metadata.product.vendor_name | metadata.vendor_name | |
http_request.version | network.application_protocol_version | |
http_request.http_method | network.http.method | |
http_request.referrer | network.http.referral_url | |
api.response.code | network.http.response_code | |
http_request.user_agent | network.http.user_agent | |
actor.session.uid | network.session_id | If the class_name log field value contains one of the following values and if the session.uid log field value is empty then, actor.session.uid log field is mapped to the network.session_id UDM field. Else, actor.session.uid log field is mapped to the network.session_id UDM field. If the class_name log field value contains one of the following values and if the actor.session.uid log field value is empty then, actor.session.uuid log field is mapped to the network.session_id UDM field. Else, actor.process.session.uid log field is mapped to the network.session_id UDM field. |
actor.process.user.domain | principal.administrative_domain | |
actor.user.domain | principal.administrative_domain | If the class_name log field value is equal to API Activity and if the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
src_endpoint.svc_name | principal.application | If the class_name log field value contains one of the following values, then src_endpoint.svc_name log field is mapped to the principal.application UDM field. |
src_endpoint.uid | principal.asset_id | If the class_name log field value contains one of the following values, then ASSET ID: %{src_endpoint.uid} log field is mapped to the principal.asset_id UDM field. |
src_endpoint.domain | principal.domain.name | If the class_name log field value contains one of the following values, then src_endpoint.domain log field is mapped to the principal.domain.name UDM field. |
actor.process.user.groups.privileges | principal.group.attribute.permissions.name | |
actor.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.name | principal.group.group_display_name | |
actor.user.groups.name | principal.group.group_display_name | Iterate through log field actor.user.groups.array.name, then if the index value is equal to 0 then, actor.user.groups.array.name log field is mapped to the principal.group.group_display_name UDM field. Iterate through log field actor.process.user.groups.array.name, then if the index value is equal to 0 then, actor.process.user.groups.array.name log field is mapped to the principal.group.group_display_name UDM field. |
src_endpoint.hostname | principal.hostname | If the class_name log field value contains one of the following values, then src_endpoint.hostname log field is mapped to the principal.hostname UDM field. |
http_request.x_forwarded_for | principal.ip | |
src_endpoint.ip | principal.ip | If the class_name log field value contains one of the following values, then src_endpoint.ip log field is mapped to the principal.ip UDM field. |
src_endpoint.location.city | principal.location.city | If the class_name log field value contains one of the following values, then src_endpoint.location.city log field is mapped to the principal.location.city UDM field. |
src_endpoint.location.country | principal.location.country_or_region | If the class_name log field value contains one of the following values, then src_endpoint.location.country log field is mapped to the principal.location.country_or_region UDM field. |
src_endpoint.location.region | principal.location.name | If the class_name log field value contains one of the following values, then src_endpoint.location.region log field is mapped to the principal.location.name UDM field. |
src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | If the class_name log field value contains one of the following values, then src_endpoint.location.coordinates.1 log field is mapped to the principal.location.region_coordinates.latitude UDM field. |
src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | If the class_name log field value contains one of the following values, then src_endpoint.location.coordinates.0 log field is mapped to the principal.location.region_coordinates.longitude UDM field. |
src_endpoint.mac | principal.mac | If the class_name log field value contains one of the following values, then src_endpoint.mac log field is mapped to the principal.mac UDM field. |
src_endpoint.port | principal.port | If the class_name log field value contains one of the following values, then src_endpoint.port log field is mapped to the principal.port UDM field. |
actor.process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
actor.process.file.created_time | principal.process.file.first_seen_time | |
actor.process.file.path | principal.process.file.full_path | |
actor.process.file.modified_time | principal.process.file.last_modification_time | |
actor.process.file.accessed_time | principal.process.file.last_seen_time | |
actor.process.file.hashes.value |
principal.process.file.md5 |
If the actor.process.file.hashes.algorithm_id log field value is equal to 1 then, actor.process.file.hashes.value log field is mapped to the principal.process.file.md5 UDM field. |
actor.process.file.mime_type |
principal.process.file.mime_type |
|
actor.process.file.name |
principal.process.file.names |
|
actor.process.file.hashes.value |
principal.process.file.sha1 |
If the actor.process.file.hashes.algorithm_id log field value is equal to 2 then, actor.process.file.hashes.value log field is mapped to the principal.process.file.sha1 UDM field. |
actor.process.file.hashes.value |
principal.process.file.sha256 |
If the actor.process.file.hashes.algorithm_id log field value is equal to 3 then, actor.process.file.hashes.value log field is mapped to the principal.process.file.sha256 UDM field. |
actor.process.file.size |
principal.process.file.size |
|
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
|
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
|
actor.process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
|
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
|
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
|
actor.process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
|
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
|
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
|
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
|
actor.process.parent_process.pid |
principal.process.parent_process.pid |
|
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the actor.process.parent_process.uid log field value is not empty then, principal.process.parent_process.product_specific_process_id => PRODUCT_SPECIFIC_PROCESS_ID: %actor.process.parent_process.uid. |
actor.process.pid |
principal.process.pid |
|
actor.process.uid |
principal.process.product_specific_process_id |
If the actor.process.uid log field value is not empty then, principal.process.product_specific_process_id => PRODUCT_SPECIFIC_PROCESS_ID: %actor.process.uid. |
actor.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown . Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User . Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin . Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System . Else, the principal.user.attribute.roles.name UDM field is set to Other . |
actor.process.user.org.name |
principal.user.company_name |
|
actor.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
|
actor.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
|
actor.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
|
actor.user.groups.uid |
principal.user.group_identifiers |
Iterate through the log field actor.user.groups.array.uid, then actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Iterate through the log field actor.process.user.groups.uid, then actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, principal.user.product_object_id => %actor.user.uid. Else, if the actor.process.user.uid log field value is not empty then, principal.user.product_object_id => %actor.process.user.uid. |
actor.process.user.full_name |
principal.user.user_display_name |
|
actor.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.name |
principal.user.userid |
|
actor.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
status_id |
security_result.action |
If the status_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW . Else, if status_id log field value is equal to 2 then, the security_result.action UDM field is set to FAIL . |
status |
security_result.action_details |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
enrichments.name |
security_result.detection_fields [enrichments_name] |
Iterate through log field enrichments.name , then enrichments.name log field is mapped to the security_result.detection_fields [enrichments_name] UDM field. |
enrichments.provider |
security_result.detection_fields [enrichments_provider] |
Iterate through log field enrichments.provider , then enrichments.provider log field is mapped to the security_result.detection_fields [enrichments_provider] UDM field. |
enrichments.type |
security_result.detection_fields [enrichments_type] |
Iterate through log field enrichments.type , then enrichments.type log field is mapped to the security_result.detection_fields [enrichments_type] UDM field. |
enrichments.value |
security_result.detection_fields [enrichments_value] |
Iterate through log field enrichments.value , then enrichments.value log field is mapped to the security_result.detection_fields [enrichments_value] UDM field. |
type_name |
security_result.detection_fields [type_name] |
|
type_uid |
security_result.detection_fields [type_uid] |
|
actor.process.file.security_descriptor |
security_result.detection_fields[actor_process_file_security_descriptor] |
|
http_request.url.categories [] |
security_result.detection_fields[url_categories] |
Iterate through log field http_request.url.categories , then http_request.url.categories log field is mapped to the security_result.detection_fields[url_categories] UDM field. |
status_detail |
security_result.detection_fields [status_detail] |
|
status_code |
security_result.detection_fields [status_code] |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL . Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW . Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM . Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH . Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL . Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY . |
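The rows above describe the normalization as prose; the following Python is an added example written for this page, not Google SecOps parser code, that implements the same rules so they can be checked against a sample event. It covers the actor.user then actor.process.user fallback chains of the principal.user rows, the actor.process.file.hashes algorithm_id dispatch into md5/sha1/sha256, the coordinates.0 = longitude and coordinates.1 = latitude order, the PRODUCT_SPECIFIC_PROCESS_ID prefix, the %{category_uid} - %{category_name} concatenation, and the status_id, severity_id and actor.user.type_id enumerations. The helper names (get_path, first_non_empty, map_event) are this example's own, the sample event is constructed and is not a real log, and the rows gated on class_name are not reproduced because the list of class names is not shown here.

```python
"""Added example: a reference implementation of a subset of the OCSF -> UDM
rules in this table. Not Google SecOps parser code; helper names are my own."""
from typing import Any, Optional

# Enumerations taken from the table rows (assumed complete for this example).
HASH_FIELD_BY_ALGORITHM_ID = {1: "md5", 2: "sha1", 3: "sha256"}
SEVERITY_BY_ID = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}
ACTION_BY_STATUS_ID = {1: "ALLOW", 2: "FAIL"}
ROLE_BY_USER_TYPE_ID = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}


def get_path(obj: Any, path: str) -> Optional[Any]:
    """Resolve a dotted OCSF path such as 'actor.process.user.name' or
    'src_endpoint.location.coordinates.1'. Returns None for a missing or
    empty value, which is what the table's 'is not empty' tests check."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
        if cur is None:
            return None
    return None if cur in ("", [], {}) else cur


def first_non_empty(event: dict, *paths: str) -> Optional[Any]:
    """The table's 'If X is not empty ... Else, if Y is not empty ...' chain."""
    for path in paths:
        value = get_path(event, path)
        if value is not None:
            return value
    return None


def map_event(event: dict) -> dict:
    """Return a flat {udm_field: value} dict for the rules this example covers."""
    udm: dict = {}

    # principal.user.*: actor.user wins, actor.process.user is the fallback.
    for leaf, udm_field in (("name", "principal.user.userid"),
                            ("email_addr", "principal.user.email_addresses"),
                            ("full_name", "principal.user.user_display_name"),
                            ("uid", "principal.user.product_object_id")):
        value = first_non_empty(event, f"actor.user.{leaf}", f"actor.process.user.{leaf}")
        if value is not None:
            udm[udm_field] = value

    # actor.user.type_id -> roles.name; any id outside 0..3 becomes "Other".
    type_id = get_path(event, "actor.user.type_id")
    if type_id is not None:
        udm["principal.user.attribute.roles.name"] = ROLE_BY_USER_TYPE_ID.get(type_id, "Other")

    # Group uids are collected from both arrays (group_identifiers is repeated).
    group_ids = [g["uid"] for path in ("actor.user.groups", "actor.process.user.groups")
                 for g in (get_path(event, path) or []) if g.get("uid")]
    if group_ids:
        udm["principal.user.group_identifiers"] = group_ids

    # file.hashes: algorithm_id selects the UDM hash field; unknown ids are dropped.
    for h in get_path(event, "actor.process.file.hashes") or []:
        field = HASH_FIELD_BY_ALGORITHM_ID.get(h.get("algorithm_id"))
        if field and h.get("value"):
            udm[f"principal.process.file.{field}"] = h["value"]

    # OCSF location.coordinates is [longitude, latitude], so index 0 is the longitude.
    lon = get_path(event, "src_endpoint.location.coordinates.0")
    lat = get_path(event, "src_endpoint.location.coordinates.1")
    if lon is not None and lat is not None:
        udm["principal.location.region_coordinates.longitude"] = lon
        udm["principal.location.region_coordinates.latitude"] = lat

    proc_uid = get_path(event, "actor.process.uid")
    if proc_uid is not None:
        udm["principal.process.product_specific_process_id"] = f"PRODUCT_SPECIFIC_PROCESS_ID: {proc_uid}"

    # security_result enumerations; severity always receives a value.
    udm["security_result.severity"] = SEVERITY_BY_ID.get(get_path(event, "severity_id"), "UNKNOWN_SEVERITY")
    action = ACTION_BY_STATUS_ID.get(get_path(event, "status_id"))
    if action:
        udm["security_result.action"] = action
    cat_uid, cat_name = get_path(event, "category_uid"), get_path(event, "category_name")
    if cat_uid is not None and cat_name is not None:
        udm["security_result.category_details"] = f"{cat_uid} - {cat_name}"
    return udm


# Constructed sample event for this example (not a real log). The SHA-256 is the
# well-known hash of the empty input; algorithm_id 4 is included to show an
# algorithm the table does not map being dropped.
SAMPLE_EVENT = {
    "class_uid": 3002, "class_name": "Authentication",
    "category_uid": 3, "category_name": "Identity & Access Management",
    "severity_id": 2, "status_id": 2,
    "actor": {
        "user": {"name": "svc-backup", "type_id": 2,
                 "groups": [{"name": "Backup Operators", "uid": "S-1-5-32-551"}]},
        "process": {
            "uid": "0x1a4",
            "user": {"name": "fallback-not-used", "email_addr": "svc-backup@example.test",
                     "groups": [{"uid": "S-1-5-32-545"}]},
            "file": {"hashes": [
                {"algorithm_id": 3, "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
                {"algorithm_id": 4, "value": "0000"}]},
        },
    },
    "src_endpoint": {"location": {"coordinates": [-73.983, 40.719]}},
}

if __name__ == "__main__":
    for key, value in sorted(map_event(SAMPLE_EVENT).items()):
        print(f"{key} = {value}")
```

Two behaviours worth checking when you validate a parser against your own events: the fallback means actor.user.name hides actor.process.user.name even when the latter is the more specific identity, and any hash whose algorithm_id is outside 1..3 is silently absent from the UDM event, so a SHA-512-only producer yields no hash field at all.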
severity |
security_result.severity_details |
|
dst_endpoint.svc_name |
target.application |
If the class_name log field value contains one of the following values
If the class_name log field value is equal to Authentication and the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if the service.name log field value is not empty then, service.name log field is mapped to the target.application UDM field. Else, if the api.service.name log field value is not empty then, api.service.name log field is mapped to the target.application UDM field. Else, if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. |
api.service.name |
target.application |
If the class_name log field value contains one of the following values
If the class_name log field value is equal to Authentication and the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if the service.name log field value is not empty then, service.name log field is mapped to the target.application UDM field. Else, if the api.service.name log field value is not empty then, api.service.name log field is mapped to the target.application UDM field. Else, if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. |
dst_endpoint.uid |
target.asset_id |
If the class_name log field value contains one of the following values
ASSET ID: %{dst_endpoint.uid} log field is mapped to the target.asset_id UDM field. |
dst_endpoint.domain |
target.domain.name |
If the class_name log field value contains one of the following values
dst_endpoint.domain log field is mapped to the target.domain.name UDM field. |
dst_endpoint.hostname |
target.hostname |
If the class_name log field value contains one of the following values
dst_endpoint.hostname log field is mapped to the target.hostname UDM field. |
http_request.url.hostname |
target.hostname |
|
dst_endpoint.ip |
target.ip |
If the class_name log field value contains one of the following values
dst_endpoint.ip log field is mapped to the target.ip UDM field. |
dst_endpoint.location.city |
target.location.city |
If the class_name log field value contains one of the following values
dst_endpoint.location.city log field is mapped to the target.location.city UDM field. |
dst_endpoint.location.region |
target.location.name |
If the class_name log field value contains one of the following values
dst_endpoint.location.region log field is mapped to the target.location.name UDM field. |
dst_endpoint.location.country |
target.location.country_or_region |
If the class_name log field value contains one of the following values
dst_endpoint.location.country log field is mapped to the target.location.country_or_region UDM field. |
dst_endpoint.location.coordinates.1 |
target.location.region_coordinates.latitude |
If the class_name log field value contains one of the following values
dst_endpoint.location.coordinates.1 log field is mapped to the target.location.region_coordinates.latitude UDM field. |
dst_endpoint.location.coordinates.0 |
target.location.region_coordinates.longitude |
If the class_name log field value contains one of the following values
dst_endpoint.location.coordinates.0 log field is mapped to the target.location.region_coordinates.longitude UDM field. |
dst_endpoint.mac |
target.mac |
If the class_name log field value contains one of the following values
dst_endpoint.mac log field is mapped to the target.mac UDM field. |
dst_endpoint.port |
target.port |
If the class_name log field value contains one of the following values
dst_endpoint.port log field is mapped to the target.port UDM field. |
http_request.url.port |
target.port |
|
resources.name |
target.resource.name |
Iterate through the log field resources.name, then if the index value is equal to 0, resources.name log field is mapped to the target.resource.name UDM field. |
resources.uid |
target.resource.product_object_id |
Iterate through the log field resources.uid, then if the index value is equal to 0, resources.uid log field is mapped to the target.resource.product_object_id UDM field. |
resources.type |
target.resource.resource_subtype |
Iterate through the log field resources.type, then if the index value is equal to 0, resources.type log field is mapped to the target.resource.resource_subtype UDM field. |
http_request.url.url_string |
target.url |
|
class_uid |
security_result.detection_fields [class_uid] |
|
actor.process.session.uid_alt |
additional.fields[actor_process_session_uid_alt] |
|
actor.process.session.count |
additional.fields[actor_process_session_count] |
|
actor.process.session.expiration_reason |
additional.fields[actor_process_session_expiration_reason] |
|
actor.process.session.is_mfa |
additional.fields[actor_process_session_is_mfa] |
|
actor.process.session.terminal |
additional.fields[actor_process_session_terminal] |
|
actor.process.session.is_vpn |
additional.fields[actor_process_session_is_vpn] |
|
actor.session.uid_alt |
additional.fields[actor_session_uid_alt] |
|
actor.session.count |
additional.fields[actor_session_count] |
|
actor.session.expiration_reason |
additional.fields[actor_session_expiration_reason] |
|
actor.session.is_mfa |
additional.fields[actor_session_is_mfa] |
|
actor.session.terminal |
additional.fields[actor_session_terminal] |
|
actor.session.is_vpn |
additional.fields[actor_session_is_vpn] |
|
actor.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if actor.process.user.ldap_person.cost_center log field value then, actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.process.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if actor.process.user.ldap_person.cost_center log field value then, actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if actor.process.user.ldap_person.created_time log field value then, actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.process.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if actor.process.user.ldap_person.created_time log field value then, actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if actor.process.user.ldap_person.deleted_time log field value then, actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.process.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if actor.process.user.ldap_person.deleted_time log field value then, actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.ldap_person.email_addrs log field value then, actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.ldap_person.email_addrs log field value then, actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.ldap_person.employee_uid |
principal.user.employee_uid |
If the actor.user.ldap_person.employee_uid log field value is not empty then, Else, if actor.process.user.ldap_person.employee_uid log field value then,. |
actor.process.user.ldap_person.employee_uid |
principal.user.employee_uid |
If the actor.user.ldap_person.employee_uid log field value is not empty then, Else, if actor.process.user.ldap_person.employee_uid log field value then,. |
actor.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if actor.process.user.ldap_person.location log field value then, actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
actor.process.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if actor.process.user.ldap_person.location log field value then, actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
actor.user.ldap_person.given_name |
principal.user.first_name |
If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if actor.process.user.ldap_person.given_name log field value then, actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.process.user.ldap_person.given_name |
principal.user.first_name |
If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if actor.process.user.ldap_person.given_name log field value then, actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.user.ldap_person.hire_time |
principal.user.hire_date |
If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if actor.process.user.ldap_person.hire_time log field value then, actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.process.user.ldap_person.hire_time |
principal.user.hire_date |
If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if actor.process.user.ldap_person.hire_time log field value then, actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.user.ldap_person.job_title |
principal.user.title |
If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if actor.process.user.ldap_person.job_title log field value then, actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.process.user.ldap_person.job_title |
principal.user.title |
If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if actor.process.user.ldap_person.job_title log field value then, actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if actor.process.user.ldap_person.ldap_cn log field value then, actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.process.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if actor.process.user.ldap_person.ldap_cn log field value then, actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if actor.process.user.ldap_person.ldap_dn log field value then, actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.process.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if actor.process.user.ldap_person.ldap_dn log field value then, actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if actor.process.user.ldap_person.labels log field value then, actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
actor.process.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if actor.process.user.ldap_person.labels log field value then, actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
actor.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if actor.process.user.ldap_person.last_login_time log field value then, actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.process.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if actor.process.user.ldap_person.last_login_time log field value then, actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if actor.process.user.ldap_person.leave_time log field value then, actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.process.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if actor.process.user.ldap_person.leave_time log field value then, actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.modified_time log field value is not empty, then the actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.modified_time log field value is not empty, then the actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.process.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.modified_time log field value is not empty, then the actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.modified_time log field value is not empty, then the actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.office_location |
principal.user.office_address.name |
If the actor.user.ldap_person.office_location log field value is not empty, then the actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if the actor.process.user.ldap_person.office_location log field value is not empty, then the actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.process.user.ldap_person.office_location |
principal.user.office_address.name |
If the actor.user.ldap_person.office_location log field value is not empty, then the actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if the actor.process.user.ldap_person.office_location log field value is not empty, then the actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.user.ldap_person.surname |
principal.user.last_name |
If the actor.user.ldap_person.surname log field value is not empty, then the actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if the actor.process.user.ldap_person.surname log field value is not empty, then the actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
actor.process.user.ldap_person.surname |
principal.user.last_name |
If the actor.user.ldap_person.surname log field value is not empty, then the actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if the actor.process.user.ldap_person.surname log field value is not empty, then the actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
actor.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.process.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.process.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.process.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the actor.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. Else, if the actor.process.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. |
actor.process.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the actor.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. Else, if the actor.process.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. |
actor.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the actor.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. Else, if the actor.process.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. |
actor.process.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the actor.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. Else, if the actor.process.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. |
actor.user.ldap_person.manager.location |
principal.user.managers.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
actor.process.user.ldap_person.manager.location |
principal.user.managers.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
actor.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the actor.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.given_name log field to the principal.user.managers.first_name UDM field. Else, if the actor.process.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.given_name log field to the principal.user.managers.first_name UDM field. |
actor.process.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the actor.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.given_name log field to the principal.user.managers.first_name UDM field. Else, if the actor.process.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.given_name log field to the principal.user.managers.first_name UDM field. |
actor.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the actor.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.hire_time log field to the principal.user.managers.hire_date UDM field. Else, if the actor.process.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.hire_time log field to the principal.user.managers.hire_date UDM field. |
actor.process.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the actor.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.hire_time log field to the principal.user.managers.hire_date UDM field. Else, if the actor.process.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.hire_time log field to the principal.user.managers.hire_date UDM field. |
actor.user.ldap_person.manager.job_title |
principal.user.managers.title |
If the actor.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.job_title log field to the principal.user.managers.title UDM field. Else, if the actor.process.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.job_title log field to the principal.user.managers.title UDM field. |
actor.process.user.ldap_person.manager.job_title |
principal.user.managers.title |
If the actor.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.job_title log field to the principal.user.managers.title UDM field. Else, if the actor.process.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.job_title log field to the principal.user.managers.title UDM field. |
actor.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.ldap_cn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.ldap_cn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.process.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.ldap_cn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.ldap_cn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.ldap_dn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.ldap_dn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.process.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.ldap_dn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.ldap_dn log field to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.labels log field to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.labels log field to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
actor.process.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.labels log field to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.labels log field to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
actor.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the actor.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.last_login_time log field to the principal.user.managers.last_login_time UDM field. Else, if the actor.process.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.last_login_time log field to the principal.user.managers.last_login_time UDM field. |
actor.process.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the actor.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.last_login_time log field to the principal.user.managers.last_login_time UDM field. Else, if the actor.process.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.last_login_time log field to the principal.user.managers.last_login_time UDM field. |
actor.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.leave_time log field to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.leave_time log field to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.process.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.leave_time log field to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.leave_time log field to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.modified_time log field to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.modified_time log field to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.process.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.modified_time log field to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.modified_time log field to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the actor.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.office_location log field to the principal.user.managers.office_address.name UDM field. Else, if the actor.process.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.office_location log field to the principal.user.managers.office_address.name UDM field. |
actor.process.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the actor.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.office_location log field to the principal.user.managers.office_address.name UDM field. Else, if the actor.process.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.office_location log field to the principal.user.managers.office_address.name UDM field. |
actor.user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the actor.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.surname log field to the principal.user.managers.last_name UDM field. Else, if the actor.process.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.surname log field to the principal.user.managers.last_name UDM field. |
actor.process.user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the actor.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.user.ldap_person.manager log field and map the actor.user.ldap_person.manager.surname log field to the principal.user.managers.last_name UDM field. Else, if the actor.process.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field and map the actor.process.user.ldap_person.manager.surname log field to the principal.user.managers.last_name UDM field. |
actor.user.groups.domain |
principal.user.group_identifiers |
If the actor.user.groups.domain log field value is not empty, then iterate through the actor.user.groups log field and map the actor.user.groups.domain log field to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.groups.domain log field value is not empty, then iterate through the actor.process.user.groups log field and map the actor.process.user.groups.domain log field to the principal.user.group_identifiers UDM field. |
actor.process.user.groups.domain |
principal.user.group_identifiers |
If the actor.user.groups.domain log field value is not empty, then iterate through the actor.user.groups log field and map the actor.user.groups.domain log field to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.groups.domain log field value is not empty, then iterate through the actor.process.user.groups log field and map the actor.process.user.groups.domain log field to the principal.user.group_identifiers UDM field. |
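The rows above state two rules that are easy to misread from the table alone: the actor.user versus actor.process.user precedence is decided field by field, not once per event, and the manager and group fields are iterated into repeated UDM nouns (principal.user.managers, principal.user.group_identifiers). The Python below, added here as an illustration and not the OCSF parser's own code, applies those rules to a constructed OCSF event. The field names and label keys are taken from the rows; the event contents, the helper names and the nested-dict layout of the output are assumptions made for the example.

```python
"""Added example, not the parser's own code: the actor.user / actor.process.user precedence
and the manager/group iteration from the rows above, applied to a constructed event."""

USER_FIELDS = ("modified_time", "office_location", "surname")
USER_DIRECT = {"surname": "last_name", "office_location": "office_address.name"}
MANAGER_FIELDS = ("cost_center", "created_time", "deleted_time", "email_addrs", "employee_uid",
                  "location", "given_name", "hire_time", "job_title", "ldap_cn", "ldap_dn",
                  "labels", "last_login_time", "leave_time", "modified_time",
                  "office_location", "surname")
MANAGER_DIRECT = {"email_addrs": "email_addresses", "employee_uid": "employee_uid",
                  "given_name": "first_name", "surname": "last_name", "hire_time": "hire_date",
                  "job_title": "title", "last_login_time": "last_login_time",
                  "office_location": "office_address.name"}
SOURCES = ("actor.user", "actor.process.user")  # precedence order stated in the table


def _get(obj, path):
    """Follow a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _set(obj, path, value):
    """Create nested dicts along a dotted path; attribute.labels values are stored as strings."""
    if path.startswith("attribute.labels."):
        value = str(value)
    parts = path.split(".")
    for key in parts[:-1]:
        obj = obj.setdefault(key, {})
    obj[parts[-1]] = value


def _present(value):
    """The table's 'not empty' test: None, "", [] and {} are empty; a "-" placeholder is not."""
    return value not in (None, "", [], {})


def _dest(field, direct):
    """UDM path for a field: its direct mapping, else attribute.labels[user_ldap_person_<field>]."""
    return direct.get(field, "attribute.labels.user_ldap_person_" + field)


def pick(event, suffix):
    """Per-field precedence: actor.user.<suffix> if non-empty, else actor.process.user.<suffix>."""
    for base in SOURCES:
        value = _get(event, base + "." + suffix)
        if _present(value):
            return value
    return None


def _manager_source(event, field):
    """Managers to iterate for one field: actor.user's if any carries it, else actor.process.user's."""
    for base in SOURCES:
        raw = _get(event, base + ".ldap_person.manager")
        managers = [m for m in (raw if isinstance(raw, list) else [raw]) if isinstance(m, dict)]
        if any(_present(m.get(field)) for m in managers):
            return managers
    return []


def map_principal_user(event):
    """Build the principal.user noun (as a nested dict) from an OCSF event."""
    user = {}
    for field in USER_FIELDS:
        value = pick(event, "ldap_person." + field)
        if value is not None:
            _set(user, _dest(field, USER_DIRECT), value)
    managers = []  # one principal.user.managers entry per iterated manager, by position
    for field in MANAGER_FIELDS:
        for i, m in enumerate(_manager_source(event, field)):
            while len(managers) <= i:
                managers.append({})
            if _present(m.get(field)):
                _set(managers[i], _dest(field, MANAGER_DIRECT), m[field])
    if managers:
        user["managers"] = managers
    for base in SOURCES:  # groups.domain -> group_identifiers; first source with a domain wins
        groups = _get(event, base + ".groups") or []
        domains = [g["domain"] for g in groups if isinstance(g, dict) and _present(g.get("domain"))]
        if domains:
            user["group_identifiers"] = domains
            break
    return user


# Constructed sample (not from the page): actor.user has no office_location, so that field
# falls back to actor.process.user while surname is taken from actor.user.
SAMPLE_EVENT = {"actor": {
    "user": {"ldap_person": {"surname": "Doe", "modified_time": 1700000000000,
                             "manager": [{"given_name": "Ada", "surname": "Lovelace",
                                          "email_addrs": ["ada@example.com"],
                                          "cost_center": "CC-42"}]},
             "groups": [{"name": "Domain Users", "domain": "corp.example.com"}]},
    "process": {"user": {"ldap_person": {"surname": "Smith", "office_location": "Building 7"},
                         "groups": [{"domain": "legacy.example.com"}]}},
}}
```

Running `map_principal_user(SAMPLE_EVENT)` yields a principal.user whose last_name comes from actor.user while office_address.name comes from actor.process.user, which is the consequence of per-field precedence: a single principal.user can blend attributes of two different OCSF user objects, so a detection that keys on principal.user fields should not assume they all describe the same source object. Note also that the rule is literally "not empty": a placeholder such as "-" in actor.user is a non-empty string and suppresses the fallback to actor.process.user.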
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
http_request.length |
additional.fields[http_request_length] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers , then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers , then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers , then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers , then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through log field metadata.loggers , then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through log field metadata.loggers , then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through log field metadata.loggers , then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through log field metadata.loggers , then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through log field metadata.loggers , then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through log field metadata.loggers , then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through log field metadata.loggers , then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through log field metadata.loggers , then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through log field metadata.loggers , then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through log field metadata.loggers , then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
src_endpoint.hw_info.bios_date |
principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] |
|
src_endpoint.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
src_endpoint.hw_info.bios_ver |
principal.asset.hardware.model |
|
src_endpoint.hw_info.cpu_bits |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] |
|
src_endpoint.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
src_endpoint.hw_info.cpu_count |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] |
|
src_endpoint.hw_info.chassis |
principal.asset.attribute.labels[src_endpoint_hw_info_chassis] |
|
src_endpoint.hw_info.desktop_display.color_depth |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.hw_info.desktop_display.physical_height |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.hw_info.desktop_display.physical_orientation |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.hw_info.desktop_display.physical_width |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.hw_info.desktop_display.scale_factor |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.hw_info.keyboard_info.function_keys |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.hw_info.keyboard_info.ime |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.hw_info.keyboard_info.keyboard_layout |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.hw_info.keyboard_info.keyboard_subtype |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.hw_info.keyboard_info.keyboard_type |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.hw_info.cpu_speed |
principal.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.hw_info.cpu_type |
principal.asset.hardware.cpu_platform |
|
src_endpoint.hw_info.ram_size |
principal.asset.hardware.ram |
|
src_endpoint.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
src_endpoint.zone |
principal.asset.attribute.labels[src_endpoint_zone] |
|
src_endpoint.type |
additional.fields[src_endpoint_type] |
|
src_endpoint.type_id |
additional.fields[src_endpoint_type_id] |
|
src_endpoint.os.cpe_name |
principal.asset.attribute.labels[src_endpoint_os_cpe_name] |
|
src_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
src_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
src_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
src_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
src_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
src_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
src_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
src_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
src_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
src_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
src_endpoint.proxy_endpoint.port |
intermediary.port |
|
src_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
src_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] |
|
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
src_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
src_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
src_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
src_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
src_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
src_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
src_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] |
|
src_endpoint.proxy_endpoint.type |
additional.fields[src_endpoint_proxy_endpoint_type] |
|
src_endpoint.proxy_endpoint.type_id |
additional.fields[src_endpoint_proxy_endpoint_type_id] |
|
src_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] |
|
api.response.data |
additional.fields[api_response_data] |
|
api.response.containers.name |
about.resource.name |
Iterate through log field api.response.containers , then api.response.containers.name log field is mapped to the about.resource.name UDM field. |
api.response.containers.uid |
about.resource.product_object_id |
Iterate through log field api.response.containers , then api.response.containers.uid log field is mapped to the about.resource.product_object_id UDM field. |
api.response.containers.hash.algorithm |
about.resource.attribute.labels[api_response_containers_hash_algorithm] |
Iterate through log field api.response.containers , then api.response.containers.hash.algorithm log field is mapped to the about.resource.attribute.labels[api_response_containers_hash_algorithm] UDM field. |
api.response.containers.hash.algorithm_id |
about.resource.attribute.labels[api_response_containers_hash_algorithm_id] |
Iterate through log field api.response.containers , then api.response.containers.hash.algorithm_id log field is mapped to the about.resource.attribute.labels[api_response_containers_hash_algorithm_id] UDM field. |
api.response.containers.hash.value |
about.resource.attribute.labels[api_response_containers_hash_value] |
Iterate through log field api.response.containers , then api.response.containers.hash.value log field is mapped to the about.resource.attribute.labels[api_response_containers_hash_value] UDM field. |
api.response.containers.image.tag |
about.resource.attribute.labels[api_response_containers_image_tag] |
Iterate through log field api.response.containers , then api.response.containers.image.tag log field is mapped to the about.resource.attribute.labels[api_response_containers_image_tag] UDM field. |
api.response.containers.image.labels |
about.resource.attribute.labels[api_response_containers_image_labels] |
Iterate through log field api.response.containers , then api.response.containers.image.labels log field is mapped to the about.resource.attribute.labels[api_response_containers_image_labels] UDM field. |
api.response.containers.image.name |
about.resource.attribute.labels[api_response_containers_image_name] |
Iterate through log field api.response.containers , then api.response.containers.image.name log field is mapped to the about.resource.attribute.labels[api_response_containers_image_name] UDM field. |
api.response.containers.image.path |
about.resource.attribute.labels[api_response_containers_image_path] |
Iterate through log field api.response.containers , then api.response.containers.image.path log field is mapped to the about.resource.attribute.labels[api_response_containers_image_path] UDM field. |
api.response.containers.image.uid |
about.resource.attribute.labels[api_response_containers_image_uid] |
Iterate through log field api.response.containers , then api.response.containers.image.uid log field is mapped to the about.resource.attribute.labels[api_response_containers_image_uid] UDM field. |
api.response.containers.tag |
about.resource.attribute.labels[api_response_containers_tag] |
Iterate through log field api.response.containers , then api.response.containers.tag log field is mapped to the about.resource.attribute.labels[api_response_containers_tag] UDM field. |
api.response.containers.network_driver |
about.resource.attribute.labels[api_response_containers_network_driver] |
Iterate through log field api.response.containers , then api.response.containers.network_driver log field is mapped to the about.resource.attribute.labels[api_response_containers_network_driver] UDM field. |
api.response.containers.orchestrator |
about.resource.attribute.labels[api_response_containers_orchestrator] |
Iterate through log field api.response.containers , then api.response.containers.orchestrator log field is mapped to the about.resource.attribute.labels[api_response_containers_orchestrator] UDM field. |
api.response.containers.pod_uuid |
about.resource.attribute.labels[api_response_containers_pod_uuid] |
Iterate through log field api.response.containers , then api.response.containers.pod_uuid log field is mapped to the about.resource.attribute.labels[api_response_containers_pod_uuid] UDM field. |
api.response.containers.runtime |
about.resource.attribute.labels[api_response_containers_runtime] |
Iterate through log field api.response.containers , then api.response.containers.runtime log field is mapped to the about.resource.attribute.labels[api_response_containers_runtime] UDM field. |
api.response.containers.size |
about.resource.attribute.labels[api_response_containers_size] |
Iterate through log field api.response.containers , then api.response.containers.size log field is mapped to the about.resource.attribute.labels[api_response_containers_size] UDM field. |
resources.namespace |
target.resource.attribute.labels[resources_namespace] |
Iterate through log field resources , then resources.namespace log field is mapped to the target.resource.attribute.labels[resources_namespace] UDM field. |
Field mapping reference: OCSF DNS Activity
The following table lists the log fields for the DNS Activity log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
metadata.logged_time |
metadata.collected_timestamp |
|
message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. Else, message log field is mapped to the metadata.description UDM field. |
time |
metadata.event_timestamp |
|
activity_id |
metadata.event_type |
If the class_name log field value is equal to DNS Activity then, the metadata.event_type UDM field is set to NETWORK_DNS . |
class_name |
metadata.log_type |
|
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
metadata.uid |
metadata.product_log_id |
|
metadata.product.name |
metadata.product_name |
|
metadata.product.version |
metadata.product_version |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
|
network.application_protocol |
If the class_name log field value is equal to DNS Activity then, the network.application_protocol UDM field is set to DNS . |
connection_info.protocol_ver_id |
network.application_protocol_version |
If the connection_info.protocol_ver_id log field value is equal to 4 then, the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4) . Else, if the connection_info.protocol_ver_id log field value is equal to 6 then, the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6) . |
connection_info.direction_id |
network.direction |
If the connection_info.direction_id log field value is equal to 1 then, the network.direction UDM field is set to INBOUND . Else, if connection_info.direction_id log field value is equal to 2 then, the network.direction UDM field is set to OUTBOUND . |
answers.class |
network.dns.answers.class |
Iterate through log field answers.class , then if the answers.class log field value is equal to IN then, Else, if answers.class log field value is equal to CS then, Else, if answers.class log field value is equal to CH then, Else, if answers.class log field value is equal to HS then,. |
answers.rdata |
network.dns.answers.data |
Iterate through log field answers.rdata , then answers.rdata log field is mapped to the network.dns.answers.data UDM field. |
answers.ttl |
network.dns.answers.ttl |
Iterate through log field answers.ttl , then answers.ttl log field is mapped to the network.dns.answers.ttl UDM field. |
answers.type |
network.dns.answers.type |
|
answers.flag_ids |
network.dns.authoritative |
Iterate through log field answers.flag_ids , then if the answers.flag_ids log field value is equal to 1 then, the network.dns.authoritative UDM field is set to true . |
answers.flag_ids |
network.dns.recursion_available |
Iterate through log field answers.flag_ids , then if the answers.flag_ids log field value is equal to 4 then, the network.dns.recursion_available UDM field is set to true . |
answers.flag_ids |
network.dns.recursion_desired |
Iterate through log field answers.flag_ids , then if the answers.flag_ids log field value is equal to 3 then, the network.dns.recursion_desired UDM field is set to true . |
answers.flag_ids |
network.dns.truncated |
Iterate through log field answers.flag_ids , then if the answers.flag_ids log field value is equal to 2 then, the network.dns.truncated UDM field is set to true . |
query.opcode_id |
network.dns.opcode |
|
query.class |
network.dns.questions.class |
If the query.class log field value is equal to IN then, Else, if query.class log field value is equal to CS then, Else, if query.class log field value is equal to CH then, Else, if query.class log field value is equal to HS then,. |
query.hostname |
network.dns.questions.name |
|
query.type |
network.dns.questions.type |
|
rcode_id |
network.dns.response_code |
|
connection_info.protocol_num |
network.ip_protocol |
If the connection_info.protocol_num log field value is equal to 1 then, the network.ip_protocol UDM field is set to ICMP . Else, if connection_info.protocol_num log field value is equal to 2 then, the network.ip_protocol UDM field is set to IGMP . Else, if connection_info.protocol_num log field value is equal to 6 then, the network.ip_protocol UDM field is set to TCP . Else, if connection_info.protocol_num log field value is equal to 17 then, the network.ip_protocol UDM field is set to UDP . Else, if connection_info.protocol_num log field value is equal to 41 then, the network.ip_protocol UDM field is set to IP6IN4 . Else, if connection_info.protocol_num log field value is equal to 47 then, the network.ip_protocol UDM field is set to GRE . Else, if connection_info.protocol_num log field value is equal to 50 then, the network.ip_protocol UDM field is set to ESP . Else, if connection_info.protocol_num log field value is equal to 58 then, the network.ip_protocol UDM field is set to ICMP6 . Else, if connection_info.protocol_num log field value is equal to 88 then, the network.ip_protocol UDM field is set to EIGRP . Else, if connection_info.protocol_num log field value is equal to 97 then, the network.ip_protocol UDM field is set to ETHERIP . Else, if connection_info.protocol_num log field value is equal to 103 then, the network.ip_protocol UDM field is set to PIM . Else, if connection_info.protocol_num log field value is equal to 112 then, the network.ip_protocol UDM field is set to VRRP . Else, if connection_info.protocol_num log field value is equal to 132 then, the network.ip_protocol UDM field is set to SCTP . |
traffic.bytes_in |
network.received_bytes |
|
traffic.packets_in |
network.received_packets |
|
traffic.bytes_out |
network.sent_bytes |
|
traffic.packets_out |
network.sent_packets |
|
tls.cipher |
network.tls.cipher |
|
tls.certificate.issuer |
network.tls.client.certificate.issuer |
|
tls.certificate.expiration_time |
network.tls.client.certificate.not_after |
|
tls.certificate.created_time |
network.tls.client.certificate.not_before |
|
tls.certificate.serial_number |
network.tls.client.certificate.serial |
|
tls.certificate.subject |
network.tls.client.certificate.subject |
|
tls.certificate.version |
network.tls.client.certificate.version |
|
tls.certificate.fingerprints.value |
network.tls.client.certificate.sha256 |
Iterate through log field tls.certificate.fingerprints , then if the tls.certificate.fingerprints.algorithm_id log field value is equal to 3 then, tls.certificate.fingerprints.value log field is mapped to the network.tls.client.certificate.sha256 UDM field. |
tls.certificate.fingerprints.value |
network.tls.client.certificate.sha1 |
Iterate through log field tls.certificate.fingerprints , then if the tls.certificate.fingerprints.algorithm_id log field value is equal to 2 then, tls.certificate.fingerprints.value log field is mapped to the network.tls.client.certificate.sha1 UDM field. |
tls.certificate.fingerprints.value |
network.tls.client.certificate.md5 |
Iterate through log field tls.certificate.fingerprints , then if the tls.certificate.fingerprints.algorithm_id log field value is equal to 1 then, tls.certificate.fingerprints.value log field is mapped to the network.tls.client.certificate.md5 UDM field. |
tls.ja3_hash.value |
network.tls.client.ja3 |
|
tls.ja3s_hash.value |
network.tls.server.ja3s |
|
tls.sni |
network.tls.client.server_name |
|
tls.client_ciphers |
network.tls.client.supported_ciphers |
|
tls.version |
network.tls.version_protocol |
|
src_endpoint.svc_name |
principal.application |
If the class_name log field value contains one of the following values
src_endpoint.svc_name log field is mapped to the principal.application UDM field. |
src_endpoint.uid |
principal.asset_id |
If the class_name log field value contains one of the following values
ASSET ID: %{src_endpoint.uid} log field is mapped to the principal.asset_id UDM field. |
src_endpoint.domain |
principal.domain.name |
If the class_name log field value contains one of the following values
src_endpoint.domain log field is mapped to the principal.domain.name UDM field. |
src_endpoint.hostname |
principal.hostname |
If the class_name log field value contains one of the following values
src_endpoint.hostname log field is mapped to the principal.hostname UDM field. |
src_endpoint.ip |
principal.ip |
If the class_name log field value contains one of the following values
src_endpoint.ip log field is mapped to the principal.ip UDM field. |
src_endpoint.location.city |
principal.location.city |
If the class_name log field value contains one of the following values
src_endpoint.location.city log field is mapped to the principal.location.city UDM field. |
src_endpoint.location.country |
principal.location.country_or_region |
If the class_name log field value contains one of the following values
src_endpoint.location.country log field is mapped to the principal.location.country_or_region UDM field. |
src_endpoint.location.region |
principal.location.name |
If the class_name log field value contains one of the following values
src_endpoint.location.region log field is mapped to the principal.location.name UDM field. |
src_endpoint.location.coordinates.1 |
principal.location.region_coordinates.latitude |
If the class_name log field value contains one of the following values
src_endpoint.location.coordinates.1 log field is mapped to the principal.location.region_coordinates.latitude UDM field. |
src_endpoint.location.coordinates.0 |
principal.location.region_coordinates.longitude |
If the class_name log field value contains one of the following values
src_endpoint.location.coordinates.0 log field is mapped to the principal.location.region_coordinates.longitude UDM field. |
src_endpoint.mac |
principal.mac |
If the class_name log field value contains one of the following values
src_endpoint.mac log field is mapped to the principal.mac UDM field. |
src_endpoint.port |
principal.port |
If the class_name log field value contains one of the following values
src_endpoint.port log field is mapped to the principal.port UDM field. |
proxy.svc_name |
intermediary.application |
|
proxy.uid |
intermediary.asset_id |
|
proxy.domain |
intermediary.domain.name |
|
proxy.hostname |
intermediary.hostname |
|
dst_endpoint.intermediate_ips |
intermediary.ip |
|
proxy.intermediate_ips |
intermediary.ip |
|
proxy.ip |
intermediary.ip |
|
src_endpoint.intermediate_ips |
intermediary.ip |
Iterate through log field src_endpoint.intermediate_ips , then src_endpoint.intermediate_ips log field is mapped to the intermediary.ip UDM field. |
proxy.location.city |
intermediary.location.city |
|
proxy.location.country |
intermediary.location.country_or_region |
|
proxy.location.region |
intermediary.location.name |
|
proxy.location.coordinates.1 |
intermediary.location.region_coordinates.latitude |
|
proxy.port |
intermediary.port |
|
proxy.location.coordinates.0 |
intermediary.location.region_coordinates.longitude |
|
proxy.mac |
intermediary.mac |
|
dst_endpoint.svc_name |
target.application |
If the class_name log field value contains one of the following values
class_name log field value is equal to Authentication and if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if service.name log field value is not empty then, %{service.name} log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. Else, if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. |
dst_endpoint.uid |
target.asset_id |
If the class_name log field value contains one of the following values
ASSET ID: %{dst_endpoint.uid} log field is mapped to the target.asset_id UDM field. |
dst_endpoint.domain |
target.domain.name |
If the class_name log field value contains one of the following values
dst_endpoint.domain log field is mapped to the target.domain.name UDM field. |
dst_endpoint.hostname |
target.hostname |
If the class_name log field value contains one of the following values
dst_endpoint.hostname log field is mapped to the target.hostname UDM field. |
dst_endpoint.ip |
target.ip |
If the class_name log field value contains one of the following values
dst_endpoint.ip log field is mapped to the target.ip UDM field. |
dst_endpoint.location.city |
target.location.city |
If the class_name log field value contains one of the following values
dst_endpoint.location.city log field is mapped to the target.location.city UDM field. |
dst_endpoint.location.country |
target.location.country_or_region |
If the class_name log field value contains one of the following values
dst_endpoint.location.country log field is mapped to the target.location.country_or_region UDM field. |
dst_endpoint.location.region |
target.location.name |
If the class_name log field value contains one of the following values
dst_endpoint.location.region log field is mapped to the target.location.name UDM field. |
dst_endpoint.location.coordinates.1 |
target.location.region_coordinates.latitude |
If the class_name log field value contains one of the following values
dst_endpoint.location.coordinates.1 log field is mapped to the target.location.region_coordinates.latitude UDM field. |
dst_endpoint.location.coordinates.0 |
target.location.region_coordinates.longitude |
If the class_name log field value contains one of the following values
dst_endpoint.location.coordinates.0 log field is mapped to the target.location.region_coordinates.longitude UDM field. |
dst_endpoint.mac |
target.mac |
If the class_name log field value contains one of the following values
dst_endpoint.mac log field is mapped to the target.mac UDM field. |
dst_endpoint.port |
target.port |
If the class_name log field value contains one of the following values
dst_endpoint.port log field is mapped to the target.port UDM field. |
status_id |
security_result.action |
If the status_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW . Else, if status_id log field value is equal to 2 then, the security_result.action UDM field is set to FAIL . |
status |
security_result.action_details |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
enrichments.name |
security_result.detection_fields[enrichments_name] |
Iterate through log field enrichments.name , then enrichments.name log field is mapped to the security_result.detection_fields[enrichments_name] UDM field. |
enrichments.provider |
security_result.detection_fields[enrichments_provider] |
Iterate through log field enrichments.provider , then enrichments.provider log field is mapped to the security_result.detection_fields[enrichments_provider] UDM field. |
enrichments.type |
security_result.detection_fields[enrichments_type] |
Iterate through log field enrichments.type , then enrichments.type log field is mapped to the security_result.detection_fields[enrichments_type] UDM field. |
enrichments.value |
security_result.detection_fields[enrichments_value] |
Iterate through log field enrichments.value , then enrichments.value log field is mapped to the security_result.detection_fields[enrichments_value] UDM field. |
type_name |
security_result.detection_fields[type_name] |
|
type_uid |
security_result.detection_fields[type_uid] |
|
start_time |
security_result.detection_fields[start_time] |
|
class_uid |
security_result.detection_fields[class_uid] |
|
rcode |
security_result.detection_fields[rcode] |
|
response_time |
security_result.detection_fields[response_time] |
|
status_detail |
security_result.detection_fields[status_detail] |
|
status_code |
security_result.detection_fields[status_code] |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity_id log field value is equal to 2, then the security_result.severity UDM field is set to LOW. Else, if the severity_id log field value is equal to 3, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity_id log field value is equal to 4, then the security_result.severity UDM field is set to HIGH. Else, if the severity_id log field value is equal to 5, then the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
severity |
security_result.severity_details |
|
observables.value |
observer.file.names |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through the observables.value log field, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
connection_info.session.uid_alt |
additional.fields[connection_info_session_uid_alt] |
|
connection_info.session.count |
additional.fields[connection_info_session_count] |
|
connection_info.session.expiration_reason |
additional.fields[connection_info_session_expiration_reason] |
|
connection_info.session.is_mfa |
additional.fields[connection_info_session_is_mfa] |
|
connection_info.session.terminal |
additional.fields[connection_info_session_terminal] |
|
connection_info.session.is_vpn |
additional.fields[connection_info_session_is_vpn] |
|
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through the metadata.loggers log field, then the metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through the metadata.loggers log field, then the metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through the metadata.loggers log field, then the metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through the metadata.loggers log field, then the metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through the metadata.loggers log field, then the metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through the metadata.loggers log field, then the metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
src_endpoint.hw_info.bios_date |
principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] |
|
src_endpoint.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
src_endpoint.hw_info.bios_ver |
principal.asset.hardware.model |
|
src_endpoint.hw_info.cpu_bits |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] |
|
src_endpoint.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
src_endpoint.hw_info.cpu_count |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] |
|
src_endpoint.hw_info.chassis |
principal.asset.attribute.labels[src_endpoint_hw_info_chassis] |
|
src_endpoint.hw_info.desktop_display.color_depth |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.hw_info.desktop_display.physical_height |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.hw_info.desktop_display.physical_orientation |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.hw_info.desktop_display.physical_width |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.hw_info.desktop_display.scale_factor |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.hw_info.keyboard_info.function_keys |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.hw_info.keyboard_info.ime |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.hw_info.keyboard_info.keyboard_layout |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.hw_info.keyboard_info.keyboard_subtype |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
| Log field | UDM mapping | Logic |
| --- | --- | --- |
| src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
| src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
| src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
| src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
| src_endpoint.type | additional.fields[src_endpoint_type] | |
| src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
| src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
| src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| src_endpoint.proxy_endpoint.ip | intermediary.ip | |
| src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| src_endpoint.proxy_endpoint.mac | intermediary.mac | |
| src_endpoint.proxy_endpoint.port | intermediary.port | |
| src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
| src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
| src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
| src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
| src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
| tls.certificate.uid | additional.fields[tls_certificate_uid] | |
| traffic.chunks | additional.fields[traffic_chunks] | |
| traffic.chunks_in | additional.fields[traffic_chunks_in] | |
| traffic.chunks_out | additional.fields[traffic_chunks_out] | |
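The rows above describe three different kinds of target: a plain UDM field, an entry appended to an `attribute.labels` list, and a key in the `additional.fields` struct. Two OCSF sources (`proxy_endpoint.ip` and `proxy_endpoint.intermediate_ips`) also land in the same repeated UDM field, `intermediary.ip`, so they must be merged rather than overwritten. The script below is an added example, not Google SecOps parser code: it applies a subset of these rows to a constructed OCSF event, writes a UDM-shaped dict, and reports which OCSF fields in the event have no row in the table and would therefore be dropped. It treats `intermediary` as a single object (in UDM it is repeated) and assumes OCSF `coordinates` are a `[longitude, latitude]` pair; both are simplifications of this example, and the sample event is constructed, not a captured log.

```python
"""Apply src_endpoint / proxy_endpoint rows of the OCSF -> UDM table to a sample event."""
import json
import re

# Subset of the table rows above. Target notation used by _put():
#   "a.b.c"                   plain UDM field
#   "<path>.labels[<key>]"    appended as {"key", "value"} to <path>.labels
#   "additional.fields[<k>]"  stored in the additional.fields struct
MAPPINGS = {
    "src_endpoint.hw_info.keyboard_info.keyboard_type": "principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type]",
    "src_endpoint.hw_info.cpu_speed": "principal.asset.hardware.cpu_max_clock_speed",
    "src_endpoint.hw_info.cpu_type": "principal.asset.hardware.cpu_platform",
    "src_endpoint.hw_info.ram_size": "principal.asset.hardware.ram",
    "src_endpoint.hw_info.serial_number": "principal.asset.hardware.serial_number",
    "src_endpoint.zone": "principal.asset.attribute.labels[src_endpoint_zone]",
    "src_endpoint.type": "additional.fields[src_endpoint_type]",
    "src_endpoint.type_id": "additional.fields[src_endpoint_type_id]",
    "src_endpoint.os.cpe_name": "principal.asset.attribute.labels[src_endpoint_os_cpe_name]",
    "src_endpoint.proxy_endpoint.svc_name": "intermediary.application",
    "src_endpoint.proxy_endpoint.intermediate_ips": "intermediary.ip",
    "src_endpoint.proxy_endpoint.domain": "intermediary.domain.name",
    "src_endpoint.proxy_endpoint.hostname": "intermediary.hostname",
    "src_endpoint.proxy_endpoint.ip": "intermediary.ip",
    "src_endpoint.proxy_endpoint.location.city": "intermediary.location.city",
    "src_endpoint.proxy_endpoint.location.country": "intermediary.location.country_or_region",
    "src_endpoint.proxy_endpoint.location.region": "intermediary.location.name",
    "src_endpoint.proxy_endpoint.location.coordinates": "intermediary.location.region_coordinates",
    "src_endpoint.proxy_endpoint.mac": "intermediary.mac",
    "src_endpoint.proxy_endpoint.port": "intermediary.port",
    "src_endpoint.proxy_endpoint.uid": "intermediary.asset_id",
    "src_endpoint.proxy_endpoint.hw_info.bios_manufacturer": "intermediary.asset.hardware.manufacturer",
    "src_endpoint.proxy_endpoint.hw_info.cpu_cores": "intermediary.asset.hardware.cpu_number_cores",
    "src_endpoint.proxy_endpoint.hw_info.serial_number": "intermediary.asset.hardware.serial_number",
    "src_endpoint.proxy_endpoint.zone": "intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone]",
    "src_endpoint.proxy_endpoint.type": "additional.fields[src_endpoint_proxy_endpoint_type]",
    "tls.certificate.uid": "additional.fields[tls_certificate_uid]",
    "traffic.chunks_in": "additional.fields[traffic_chunks_in]",
}
# Repeated UDM fields: values are merged into a list, never overwritten
# (proxy_endpoint.ip and proxy_endpoint.intermediate_ips both feed intermediary.ip).
REPEATED_TARGETS = {"intermediary.ip"}


def _get(obj, dotted):
    """Value at a dotted path, or None when any segment is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def _node(obj, dotted):
    """Dict at a dotted path, creating intermediate dicts on the way."""
    for part in dotted.split("."):
        obj = obj.setdefault(part, {})
    return obj


def _put(udm, target, value):
    """Write one value into the UDM dict according to the target notation."""
    m = re.fullmatch(r"additional\.fields\[(.+)\]", target)
    if m:
        _node(udm, "additional.fields")[m.group(1)] = value
        return
    m = re.fullmatch(r"(.+)\.labels\[(.+)\]", target)
    if m:  # UDM Label values are strings, so numbers are stringified here
        _node(udm, m.group(1)).setdefault("labels", []).append({"key": m.group(2), "value": str(value)})
        return
    parent, leaf = target.rsplit(".", 1)
    container = _node(udm, parent)
    if target in REPEATED_TARGETS:
        values = value if isinstance(value, list) else [value]
        current = container.setdefault(leaf, [])
        current.extend(v for v in values if v not in current)
    elif leaf == "region_coordinates" and isinstance(value, list) and len(value) == 2:
        # Assumption for this example: OCSF coordinates are [longitude, latitude].
        container[leaf] = {"longitude": value[0], "latitude": value[1]}
    else:
        container[leaf] = value


def ocsf_to_udm(event):
    """Apply every MAPPINGS row whose source is present in the event."""
    udm = {}
    for src, target in MAPPINGS.items():
        value = _get(event, src)
        if value is not None:
            _put(udm, target, value)
    return udm


def _leaves(obj, prefix=""):
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        yield from _leaves(value, path) if isinstance(value, dict) else [path]


def fields_not_in_table(event):
    """OCSF leaf paths in the event with no MAPPINGS row: the parser rows above drop them."""
    return sorted(p for p in _leaves(event) if p not in MAPPINGS)


SAMPLE_EVENT = {  # constructed for this example; not a captured log
    "src_endpoint": {
        "type": "Desktop", "type_id": 2, "zone": "corp-lan",
        "os": {"cpe_name": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*"},
        "hw_info": {"cpu_speed": 3600, "cpu_type": "x86_64", "ram_size": 16384,
                    "serial_number": "SN-0001", "keyboard_info": {"keyboard_type": "101-key"}},
        "proxy_endpoint": {
            "svc_name": "corp-proxy", "hostname": "proxy01.example.com", "domain": "example.com",
            "ip": "198.51.100.10", "intermediate_ips": ["198.51.100.11", "198.51.100.12"],
            "mac": "00-11-22-33-44-55", "port": 3128, "uid": "asset-42", "type": "Server", "zone": "dmz",
            "location": {"city": "Zurich", "country": "CH", "region": "ZH",
                         "coordinates": [8.54, 47.37], "postal_code": "8001"},
            "hw_info": {"bios_manufacturer": "ACME", "cpu_cores": 8, "serial_number": "SN-PROXY"},
        },
    },
    "tls": {"certificate": {"uid": "cert-123"}},
    "traffic": {"chunks_in": 12},
}

if __name__ == "__main__":
    print(json.dumps(ocsf_to_udm(SAMPLE_EVENT), indent=2))
    print("not in table:", fields_not_in_table(SAMPLE_EVENT))
```

Running it shows `postal_code` reported as not in the table: any detection that relies on a field the parser does not map needs either a custom parser extension or a different source field, which is the main practical use of this table.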