Collect Jamf Protect logs
This document explains how to configure a Google Security Operations feed to collect Jamf Protect logs, and how the log fields map to Google Security Operations Unified Data Model (UDM) fields. It also lists the supported Jamf Protect versions.
For more information, see the overview of data ingestion to Google Security Operations.
A typical deployment consists of Jamf Protect and a Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment is different and can be more complex.
- Jamf Protect: the Jamf Protect platform from which logs are collected.
- Google Security Operations feed: the Google Security Operations feed that retrieves logs from Jamf Protect and writes them to Google Security Operations.
- Google Security Operations: Google Security Operations retains and analyzes the Jamf Protect logs.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the ingestion label JAMF_PROTECT.
- Ensure that Jamf Protect is set up.
- Ensure that you are using Jamf Protect version 4.0.0 or later.
- Ensure that all systems in the deployment architecture are configured with the UTC time zone.
Configure a feed in Google Security Operations to ingest Jamf Protect logs
To set up an ingestion feed in Google Security Operations, you can use either Amazon S3 or a webhook; Amazon S3 is recommended.
Set up an ingestion feed in Google SecOps using Amazon S3
- Go to SIEM Settings > Feeds.
- Click Add New.
- Select Amazon S3 as the Source type.
- Select Jamf Protect as the Log type to create a feed for Jamf Protect.
- Click Next.
- Save the feed and click Submit.
- Copy the Feed ID from the feed name, for use in Jamf Protect.
Set up an ingestion feed in Google SecOps using a webhook
- Go to SIEM Settings > Feeds.
- Click Add New.
- In the Feed name field, enter a name for the feed.
- In the Source type list, select Webhook.
- Select Jamf Protect as the Log type to create a feed for Jamf Protect.
- Click Next.
- Optional: specify values for the following input parameters:
  - Split delimiter: the delimiter used to separate log lines, such as \n.
  - Asset namespace: the asset namespace.
  - Ingestion labels: the labels applied to events from this feed.
- Click Next.
- Review the new feed configuration on the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key for authenticating this feed.
- Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but doing so invalidates the previous one.
- On the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need this HTTPS URL to configure the Jamf Protect client application.
- Click Done.
Create an API key for the webhook feed
- Go to Google Cloud console > Credentials.
- Click Create credentials and select API key.
- Restrict the API key's access to the Google Security Operations API.
Configure Jamf Protect for the webhook feed
- In the Jamf Protect application, go to the relevant action configuration.
- To add a new data endpoint, click Create Action.
- Select HTTP as the protocol.
- In the URL field, enter the HTTPS URL of the Google Security Operations API endpoint. (This is the value of the Endpoint Information field you copied from the webhook feed configuration; it is already in the required format.)
- Enable authentication by specifying the API key and the secret key as custom headers in the following format:
  X-goog-api-key = API_KEY
  X-Webhook-Access-Key = SECRET
  Recommendation: pass the API key as a header rather than in the URL. If your webhook client does not support custom headers, you can specify the API key and secret key as query parameters in the following format:
  - ENDPOINT_URL: the feed endpoint URL.
  - API_KEY: the API key used to authenticate to Google Security Operations.
  - SECRET: the secret key you generated to authenticate the feed.
- In the Log collection section, select Telemetry.
- Click Submit.
For more information about Google Security Operations feeds, see the Google Security Operations feeds documentation. For the requirements of each feed type, see Feed configuration by type.
If you encounter problems when creating a feed, contact Google Security Operations support.
Supported Jamf Protect log types
The following table lists the log types supported by the Jamf Protect parser.

| Event type | Display name |
|---|---|
| GPClickEvent | Synthetic click event |
| GPDownloadEvent | Download event |
| GPFSEvent | File system event |
| GPGatekeeperEvent | Gatekeeper event |
| GPKeylogRegisterEvent | Keylogger event |
| GPMRTEvent | Event monitoring |
| GPPreventedExecutionEvent | Custom deny list event |
| GPProcessEvent | Process event |
| GPThreatMatchExecEvent | Threat prevention event |
| GPUSBEvent | USB event |
| GPUnifiedLogEvent | Unified log event |
| Auth-mount | Device control event |
Field mapping reference
This section explains how the Google Security Operations parser maps Jamf Protect fields to Google Security Operations Unified Data Model (UDM) fields.
Field mapping reference: event identifier to event type
The following table lists the log types and their corresponding UDM event types.

| Event identifier | Event type |
|---|---|
| GPClickEvent | |
| GPDownloadEvent | |
| GPFSEvent | |
| GPGatekeeperEvent | |
| GPKeylogRegisterEvent | |
| GPMRTEvent | |
| GPPreventedExecutionEvent | |
| GPProcessEvent | |
| GPThreatMatchExecEvent | |
| GPUSBEvent | |
| GPUnifiedLogEvent | |
| Auth-mount | |
Field mapping reference: JAMF_PROTECT
The following table lists the log fields of this log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| | about.platform | The about.platform UDM field is set to MAC. |
| caid | about.labels[caid] (deprecated) | |
| caid | additional.fields[caid] | |
| certid | principal.asset.attribute.labels[certid] | |
| context.identity.claims.certid | principal.user.attribute.permissions.description | |
| context.identity.claims.clientid | principal.user.attribute.labels[context_identity_claims_clientid] | |
| input.eventType | metadata.product_event_type | |
| input.host.hostname | principal.hostname | |
| input.host.ips | principal.ip | |
| input.host.provisioningUDID | principal.asset.product_object_id | |
| input.host.serial | principal.asset.hardware.serial_number | |
| input.match.actions.name | security_result.outcomes[input_match_actions_name] | |
| input.match.actions.parameters.message | security_result.summary | If the index value is equal to 0, then the input.match.actions.parameters.message log field is mapped to the security_result.summary UDM field. Else, the input.match.actions.parameters.message log field is mapped to the security_result.detection_fields.value UDM field. |
| input.match.actions.parameters.title | security_result.description | If the index value is equal to 0, then the input.match.actions.parameters.title log field is mapped to the security_result.description UDM field. Else, the input.match.actions.parameters.title log field is mapped to the security_result.detection_fields.value UDM field. |
| input.match.context.name | security_result.detection_fields.key | |
| input.match.context.value | security_result.detection_fields.value[Name] | |
| input.match.context.valueType | | |
| input.match.custom | security_result.detection_fields[input_match_custom] | |
| input.match.event.blocked | security_result.action | If the input.match.event.blocked log field value is not empty, then the security_result.action UDM field is set to BLOCK. |
| context.identity.claims.hd, input.match.uuid | security_result.url_back_to_product | The security_result.url_back_to_product UDM field is set to https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid. |
| input.match.event.category | security_result.category_details | |
| input.match.event.clickType | principal.labels[input_match_event_click_type] (deprecated) | If the input.match.event.clickType log field value is equal to 0, then the principal.labels.value UDM field is set to 0 - Other. Else, if the input.match.event.clickType log field value is equal to 1, then the principal.labels.value UDM field is set to 1 - Left Down. Else, if the input.match.event.clickType log field value is equal to 2, then the principal.labels.value UDM field is set to 2 - Left Up. Else, if the input.match.event.clickType log field value is equal to 3, then the principal.labels.value UDM field is set to 3 - Right Down. Else, if the input.match.event.clickType log field value is equal to 4, then the principal.labels.value UDM field is set to 4 - Right Up. |
| input.match.event.clickType | additional.fields[input_match_event_click_type] | If the input.match.event.clickType log field value is equal to 0, then the additional.fields.value.string_value UDM field is set to 0 - Other. Else, if the input.match.event.clickType log field value is equal to 1, then the additional.fields.value.string_value UDM field is set to 1 - Left Down. Else, if the input.match.event.clickType log field value is equal to 2, then the additional.fields.value.string_value UDM field is set to 2 - Left Up. Else, if the input.match.event.clickType log field value is equal to 3, then the additional.fields.value.string_value UDM field is set to 3 - Right Down. Else, if the input.match.event.clickType log field value is equal to 4, then the additional.fields.value.string_value UDM field is set to 4 - Right Up. |
| input.match.event.composedMessage | principal.labels[input_match_event_composed_message] (deprecated) | |
| input.match.event.composedMessage | additional.fields[input_match_event_composed_message] | |
| input.match.event.dev | principal.labels[input_match_event_dev] (deprecated) | |
| input.match.event.dev | additional.fields[input_match_event_dev] | |
| input.match.event.eventID | principal.labels[input_match_event_eventID] (deprecated) | |
| input.match.event.eventID | additional.fields[input_match_event_eventID] | |
| input.match.event.gid | principal.user.group_identifiers | |
| input.match.event.iNode | target.file.stat_inode | |
| input.match.event.matchType | principal.labels[input_match_event_match_type] (deprecated) | |
| input.match.event.matchType | additional.fields[input_match_event_match_type] | |
| input.match.event.matchValue | security_result.threat_name | If the input.match.event.matchType log field value is not empty, then the input.match.event.matchValue log field is mapped to the security_result.threat_name UDM field. |
| input.match.event.name | about.labels[input_match_event_name] (deprecated) | |
| input.match.event.name | additional.fields[input_match_event_name] | |
| input.match.facts.name | metadata.description | If the index value is equal to 0, then the input.match.facts.name log field is mapped to the metadata.description UDM field. |
| input.match.event.path | target.process.file.full_path | |
| input.match.event.pid | principal.process.pid | |
| input.match.event.prevFile | src.file.full_path | If the input.match.event.prevFile log field value is not empty, then the input.match.event.prevFile log field is mapped to the src.file.full_path UDM field. |
| input.match.event.process | principal.process.file.names | |
| input.match.event.process.args | target.process.command_line_history | |
| input.match.event.process.gid | target.group.product_object_id | |
| input.match.event.process.name | target.process.file.names | |
| input.match.event.process.originalParentPID | target.process.parent_process.pid | |
| input.match.event.process.path | target.process.file.full_path | |
| input.match.event.process.pgid | target.labels[input_match_event_processes_pgid] (deprecated) | |
| input.match.event.process.pgid | additional.fields[input_match_event_processes_pgid] | |
| input.match.event.process.pid | target.process.pid | |
| input.match.event.process.ppid | target.labels[input_match_event_process_ppid] (deprecated) | |
| input.match.event.process.ppid | additional.fields[input_match_event_process_ppid] | |
| input.match.event.process.responsiblePID | target.labels[input_match_event_process_responsible_pid] (deprecated) | |
| input.match.event.process.responsiblePID | additional.fields[input_match_event_process_responsible_pid] | |
| input.match.event.process.rgid | target.labels[input_match_event_process_rgid] (deprecated) | |
| input.match.event.process.rgid | additional.fields[input_match_event_process_rgid] | |
| input.match.event.process.ruid | target.labels[input_match_event_process_ruid] (deprecated) | |
| input.match.event.process.ruid | additional.fields[input_match_event_process_ruid] | |
| input.match.event.process.signingInfo.appid | target.user.attribute.labels[input_match_event_process_sign_appid] | |
| input.match.event.process.signingInfo.authorities | target.user.attribute.permissions | |
| input.match.event.process.signingInfo.cdhash | target.user.attribute.labels[input_match_event_process_sign_cdhash] | |
| input.match.event.process.signingInfo.entitlements | target.user.attributes.permissions | |
| input.match.event.process.signingInfo.signerType | target.user.attribute.labels[input_match_event_process_sign_signer_type] | If the input.related.process.signingInfo.signerType log field value is equal to 0, then the target.user.attribute.labels.value UDM field is set to 0 - Apple. Else, if the input.related.process.signingInfo.signerType log field value is equal to 1, then the target.user.attribute.labels.value UDM field is set to 1 - App Store. Else, if the input.related.process.signingInfo.signerType log field value is equal to 2, then the target.user.attribute.labels.value UDM field is set to 2 - Developer. Else, if the input.related.process.signingInfo.signerType log field value is equal to 3, then the target.user.attribute.labels.value UDM field is set to 3 - Ad Hoc. Else, if the input.related.process.signingInfo.signerType log field value is equal to 4, then the target.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
| input.match.event.process.signingInfo.status | target.user.attribute.labels[input_match_event_process_sign_status] | |
| input.match.event.process.signingInfo.statusMessage | target.labels[input_match_event_process_sign_status_message] (deprecated) | |
| input.match.event.process.signingInfo.statusMessage | additional.fields[input_match_event_process_sign_status_message] | |
| input.match.event.process.signingInfo.teamid | target.user.group_identifiers | |
| input.match.event.process.startTimestamp | target.labels[input_match_event_process_start_time_stamp] (deprecated) | |
| input.match.event.process.startTimestamp | additional.fields[input_match_event_process_start_time_stamp] | |
| input.match.event.process.uid | target.labels[input_match_event_process_uid] (deprecated) | |
| input.match.event.process.uid | additional.fields[input_match_event_process_uid] | |
| input.match.event.process.uuid | target.process.product_specific_process_id | The Process Uuid: input.match.event.process.uuid log field is mapped to the target.process.product_specific_process_id UDM field. |
| input.match.event.processIdentifier | target.process.pid | |
| input.match.event.processImagePath | target.process.file.full_path | |
| input.match.event.rateLimitingSecs | principal.labels[input_match_event_rate_limiting_secs] (deprecated) | |
| input.match.event.rateLimitingSecs | additional.fields[input_match_event_rate_limiting_secs] | |
| input.match.event.scriptPath | principal.labels[input_match_event_script_path] (deprecated) | |
| input.match.event.scriptPath | additional.fields[input_match_event_script_path] | |
| input.match.event.sender | principal.labels[input_match_event_sender] (deprecated) | |
| input.match.event.sender | additional.fields[input_match_event_sender] | |
| input.match.event.senderImagePath | principal.labels[input_match_event_sender_image_path] (deprecated) | |
| input.match.event.senderImagePath | additional.fields[input_match_event_sender_image_path] | |
| input.match.event.subsystem | principal.labels[input_match_event_subsystem] (deprecated) | |
| input.match.event.subsystem | additional.fields[input_match_event_subsystem] | |
| input.match.event.subType | principal.labels[input_match_event_sub_type] (deprecated) | If the input.match.event.subType log field value is equal to 7, then the principal.labels.value UDM field is set to 7 - Exec. Else, if the input.match.event.subType log field value is equal to 2, then the principal.labels.value UDM field is set to 2 - Fork. Else, if the input.match.event.subType log field value is equal to 1, then the principal.labels.value UDM field is set to 1 - Exit. Else, if the input.match.event.subType log field value is equal to 23, then the principal.labels.value UDM field is set to 23 - Execve. Else, if the input.match.event.subType log field value is equal to 43190, then the principal.labels.value UDM field is set to 43190 - Posix Spawn. |
| input.match.event.subType | additional.fields[input_match_event_sub_type] | If the input.match.event.subType log field value is equal to 7, then the additional.fields.value.string_value UDM field is set to 7 - Exec. Else, if the input.match.event.subType log field value is equal to 2, then the additional.fields.value.string_value UDM field is set to 2 - Fork. Else, if the input.match.event.subType log field value is equal to 1, then the additional.fields.value.string_value UDM field is set to 1 - Exit. Else, if the input.match.event.subType log field value is equal to 23, then the additional.fields.value.string_value UDM field is set to 23 - Execve. Else, if the input.match.event.subType log field value is equal to 43190, then the additional.fields.value.string_value UDM field is set to 43190 - Posix Spawn. |
| input.match.event.tags | security_result.rule_labels[input_match_event_tags] | |
| input.match.event.targetpid | target.process.pid | |
| input.match.event.timestamp | metadata.event_timestamp | |
| input.match.event.type | target.labels[input_match_event_type] (deprecated) | If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0, then the target.labels.value UDM field is set to 0 - Created. Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1, then the target.labels.value UDM field is set to 1 - Deleted. Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3, then the target.labels.value UDM field is set to 3 - Renamed. Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4, then the target.labels.value UDM field is set to 4 - Modified. Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7, then the target.labels.value UDM field is set to 7 - Created Dir. Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0, then the target.labels.value UDM field is set to 0 - None. Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1, then the target.labels.value UDM field is set to 1 - Create. Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2, then the target.labels.value UDM field is set to 0 - Exit. |
| input.match.event.type | additional.fields[input_match_event_type] | If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0, then the additional.fields.value.string_value UDM field is set to 0 - Created. Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1, then the additional.fields.value.string_value UDM field is set to 1 - Deleted. Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3, then the additional.fields.value.string_value UDM field is set to 3 - Renamed. Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4, then the additional.fields.value.string_value UDM field is set to 4 - Modified. Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7, then the additional.fields.value.string_value UDM field is set to 7 - Created Dir. Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0, then the additional.fields.value.string_value UDM field is set to 0 - None. Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1, then the additional.fields.value.string_value UDM field is set to 1 - Create. Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2, then the additional.fields.value.string_value UDM field is set to 0 - Exit. |
| input.match.event.uid | principal.user.userid | |
| input.match.event.uuid | about.labels[input_match_event_uuid] (deprecated) | |
| input.match.event.uuid | additional.fields[input_match_event_uuid] | |
| input.match.facts.actions.name | security_result.action_details | If the index value is equal to 0, then the input.match.facts.actions.name log field is mapped to the security_result.action_details UDM field. Else, the input.match.facts.actions.name log field is mapped to the security_result.about.labels.value UDM field. |
| input.match.facts.actions.parameters.id | security_result.detection_fields[input_match_facts_actions_parameters_id] | |
| input.match.facts.actions.parameters.message | security_result.detection_fields[input_match_facts_actions_parameters_message] | |
| input.match.facts.actions.parameters.title | security_result.detection_fields[input_match_facts_actions_parameters_title] | |
| input.match.facts.context.name | security_result.detection_fields.key | |
| input.match.facts.context.value | security_result.detection_fields.value[Name] | |
| input.match.facts.context.valueType | | |
| input.match.facts.human | security_result.action | If the input.match.facts.human log field value matches the regex (?i)blocked, then the security_result.action UDM field is set to BLOCK. |
| input.match.facts.human | security_result.description | If the index value is equal to 0, then the input.match.facts.human log field is mapped to the security_result.description UDM field. Else, the input.match.facts.human log field is mapped to the security_result.detection_fields.value UDM field. |
| input.match.facts.name | security_result.summary | If the index value is equal to 0, then the input.match.facts.name log field is mapped to the security_result.summary UDM field. Else, the input.match.facts.name log field is mapped to the security_result.detection_fields.value UDM field. |
| input.match.facts.severity | security_result.detection_fields[input_match_facts_severity] | |
| input.match.facts.tags | security_result.rule_labels[input_match_facts_tags] | |
| input.match.facts.uuid | about.labels[input_match_facts_uuid] | |
| input.match.facts.version | about.labels[input_match_facts_version] | |
| input.match.severity | security_result.severity | If the severity log field value is equal to 0, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity log field value is equal to 1, then the security_result.severity UDM field is set to LOW. Else, if the severity log field value is equal to 2, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity log field value is equal to 3, then the security_result.severity UDM field is set to HIGH. |
| input.match.tags | security_result.rule_labels[input_match_tags] | |
| input.match.uuid | metadata.product_log_id | |
| input.related.binaries.accessed | security_result.about.labels[input_related_binaries_accessed] | |
| input.related.binaries.changed | security_result.about.labels[input_related_binaries_changed] | |
| input.related.binaries.created | security_result.about.file.first_seen_time | If the index value is equal to 0, then the input.related.binaries.created log field is mapped to the security_result.about.file.first_seen_time UDM field. Else, the input.related.binaries.created log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.binaries.fsid | security_result.about.labels[input_related_binaries_fsid] | |
| input.related.binaries.gid | security_result.about.labels[input_related_binaries_gid] | |
| input.related.binaries.inode | security_result.about.file.stat_inode | If the index value is equal to 0, then the input.related.binaries.inode log field is mapped to the security_result.about.file.stat_inode UDM field. Else, the input.related.binaries.inode log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.binaries.isAppBundle | security_result.about.labels[isAppBundle] | |
| input.related.binaries.isDirectory | security_result.about.labels[isDirectory] | |
| input.related.binaries.isDownload | security_result.about.labels[isDownload] | |
| input.related.binaries.isScreenShot | security_result.about.labels[isScreenShot] | |
| input.related.binaries.mode | security_result.about.file.stat_mode | If the index value is equal to 0, then the input.related.binaries.mode log field is mapped to the security_result.about.file.stat_mode UDM field. Else, the input.related.binaries.mode log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.binaries.modified | security_result.about.file.last_modification_time | If the index value is equal to 0, then the input.related.binaries.modified log field is mapped to the security_result.about.file.last_modification_time UDM field. Else, the input.related.binaries.modified log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.binaries.path | security_result.about.file.full_path | If the index value is equal to 0, then the input.related.binaries.path log field is mapped to the security_result.about.file.full_path UDM field. Else, the input.related.binaries.path log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.binaries.sha1hex | security_result.about.file.sha1 | If the index value is equal to 0, then the input.related.binaries.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field. Else, the input.related.binaries.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.binaries.sha256hex | security_result.about.file.sha256 | If the index value is equal to 0, then the input.related.binaries.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field. Else, the input.related.binaries.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.binaries.signingInfo.appid | security_result.about.application | If the index value is equal to 0, then the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.application UDM field. Else, the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.binaries.signingInfo.authorities | security_result.about.user.attribute.permissions | |
| input.related.binaries.signingInfo.cdhash | security_result.about.labels[input_related_binaries_sign_cdhash] | |
| input.related.binaries.signingInfo.entitlements | security_result.about.user.attribute.permissions | |
| input.related.binaries.signingInfo.signerType | security_result.about.user.attribute.labels[input_related_binaries_sign_signer_type] | If the input.related.binaries.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple. Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store. Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer. Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc. Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
| input.related.binaries.signingInfo.status | security_result.about.user.attribute.labels[input_related_binaries_sign_status] | |
| input.related.binaries.signingInfo.statusMessage | security_result.about.user.attribute.labels[input_related_processes_sign_status_message] | |
| input.related.binaries.signingInfo.teamid | security_result.about.user.group_identifiers | If the index value is equal to 0, then the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field. Else, the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
| input.related.binaries.size | security_result.about.file.size | If the index value is equal to 0, then the input.related.binaries.size log field is mapped to the security_result.about.file.size UDM field. Else, the input.related.binaries.size log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.binaries.uid | security_result.about.user.userid | If the index value is equal to 0, then the input.related.binaries.uid log field is mapped to the security_result.about.user.userid UDM field. Else, the input.related.binaries.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
| input.related.binaries.xattrs | security_result.about.user.attribute.labels[input_related_binaries_xattrs] | |
| input.related.files.accessed | security_result.about.labels[input_related_files_accessed] | |
| input.related.files.changed | security_result.about.labels[input_related_files_changed] | |
| input.related.files.created | security_result.about.labels[input_related_files_created] | |
| input.related.files.downloadedFrom | security_result.about.labels[input_related_files_downloaded_from] | |
| input.related.files.fsid | security_result.about.labels[input_related_files_downloaded_fsid] | |
| input.related.files.gid | security_result.about.group.product_object_id | If the index value is equal to 0, then the input.related.files.gid log field is mapped to the security_result.about.group.product_object_id UDM field. Else, the input.related.files.gid log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.files.inode | security_result.about.file.stat_inode | If the index value is equal to 0, then the input.related.files.inode log field is mapped to the security_result.about.file.stat_inode UDM field. Else, the input.related.files.inode log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.files.isAppBundle | security_result.about.labels[input_related_files_downloaded_is_app_bundle] | |
| input.related.files.isDirectory | security_result.about.labels[input_related_files_is_directory] | |
| input.related.files.isDownload | security_result.about.labels[input_related_files_is_download] | |
| input.related.files.isScreenShot | security_result.about.labels[input_related_files_is_screenshot] | |
| input.related.files.mode | security_result.about.file.stat_mode | If the index value is equal to 0, then the input.related.files.mode log field is mapped to the security_result.about.file.stat_mode UDM field. Else, the input.related.files.mode log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.files.modified | security_result.about.file.last_modification_time | If the index value is equal to 0, then the input.related.files.modified log field is mapped to the security_result.about.file.last_modification_time UDM field. Else, the input.related.files.modified log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.files.path | security_result.about.file.full_path | If the index value is equal to 0, then the input.related.files.path log field is mapped to the security_result.about.file.full_path UDM field. Else, the input.related.files.path log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.files.sha1hex | security_result.about.file.sha1 | If the index value is equal to 0, then the input.related.files.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field. Else, the input.related.files.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.files.sha256hex | security_result.about.file.sha256 | If the index value is equal to 0, then the input.related.files.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field. Else, the input.related.files.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.files.signingInfo.appid | security_result.about.application | If the index value is equal to 0, then the input.related.files.signingInfo.appid log field is mapped to the security_result.about.application UDM field. Else, the input.related.files.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
| input.related.files.signingInfo.authorities | security_result.about.user.attribute.permissions | |
| input.related.files.signingInfo.cdhash | security_result.about.labels[input_related_files_sign_cdhash] | |
| input.related.files.signingInfo.entitlements | security_result.about.user.attribute.permissions | |
| input.related.files.signingInfo.signerType | security_result.about.user.attribute.labels[input_related_files_signing_info_signer_type] | If the input.related.files.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple. Else, if the input.related.files.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store. Else, if the input.related.files.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer. Else, if the input.related.files.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc. Else, if the input.related.files.signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
| input.related.files.signingInfo.status | security_result.about.user.attribute.labels[input_related_files_signing_info_status] | |
| input.related.files.signingInfo.statusMessage | security_result.about.user.attribute.labels[input_related_files_signing_info_status_message] | |
| input.related.files.signingInfo.teamid | security_result.about.user.group_identifiers | If the index value is equal to 0, then the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field. Else, the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.size |
security_result.about.file.size |
If the index value is equal to 0 , then if the input.related.files.size log field value is not equal to 0 , then the input.related.files.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.files.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.files.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.files.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.xattrs |
security_result.about.labels [input_related_files_xattrs] |
input.related.groups.gid |
security_result.about.group.attribute.labels [input_related_groups_gid] |
input.related.groups.name |
security_result.about.group.group_display_name |
If the index value is equal to 0 , then the input.related.groups.name log field is mapped to the security_result.about.group.group_display_name UDM field.Else, the input.related.groups.name log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.groups.uuid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.groups.uuid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.groups.uuid log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.processes.appPath |
security_result.about.labels [input_related_processes_app_path] |
input.related.processes.args |
security_result.about.process.command_line_history |
input.related.processes.exitCode |
security_result.about.labels [input_related_processes_exit_code] |
input.related.processes.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.processes.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.processes.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.name |
security_result.about.process.file.names |
input.related.processes.originalParentPID |
security_result.about.process.parent_process.pid |
If the index value is equal to 0 , then the input.related.processes.originalParentPID log field is mapped to the security_result.about.process.parent_process.pid UDM field.Else, the input.related.processes.originalParentPID log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.path |
security_result.about.process.file.full_path |
If the index value is equal to 0 , then the input.related.processes.path log field is mapped to the security_result.about.process.file.full_path UDM field.Else, the input.related.processes.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.pgid |
security_result.about.labels [input_related_process_pgid] |
input.related.processes.pid |
security_result.about.process.pid |
If the index value is equal to 0 , then the input.related.processes.pid log field is mapped to the security_result.about.process.pid UDM field.Else, the input.related.processes.pid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.ppid |
security_result.about.labels [input_related_processes_ppid] |
input.related.processes.responsiblePID |
security_result.about.labels [input_related_processes_responsible_pid] |
input.related.processes.rgid |
security_result.about.labels [input_related_processes_rgid] |
input.related.processes.ruid |
security_result.about.labels [input_related_processes_ruid] |
input.related.processes.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.signingInfo.authorities |
security_result.about.user.attributes.permission |
input.related.processes.signingInfo.cdhash |
security_result.about.user.attribute.labels [input_related_processes_sign_cdhash] |
input.related.processes.signingInfo.entitlements |
security_result.about.user.attributes.permission |
input.related.processes.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_processes_sign_signer_type] |
If the input.related.processes.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.processes .signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.processes.signingInfo.status |
security_result.about.user.attribute.labels [input_related_processes_sign_status] |
input.related.processes.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
input.related.processes.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.startTimestamp |
security_result.about.labels [input_related_processes_start_time_stamp] |
input.related.processes.tty |
security_result.about.labels [input_related_processes_tty] |
input.related.processes.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.processes.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.processes.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.processes.uuid |
security_result.about.process.product_specific_process_id |
If the index value is equal to 0 , then the Process Uuid: input.related.processes.uuid log field is mapped to the security_result.about.process.product_specific_process_id UDM field.Else, the input.related.processes.uuid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.users.name |
security_result.about.user.user_display_name |
If the index value is equal to 0 , then the input.related.users.name log field is mapped to the security_result.about.user.user_display_name UDM field.Else, the input.related.users.name log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.users.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.users.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uuid |
security_result.about.user.product_object_id |
If the index value is equal to 0 , then the input.related.users.uuid log field is mapped to the security_result.about.user.product_object_id UDM field.Else, the input.related.users.uuid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
key |
about.labels[key] (deprecated) |
key |
additional.fields[key] |
path |
target.file.full_path |
If the index value is equal to 0 , then the path log field is mapped to the target.file.full_path UDM field.Else, the path log field is mapped to the target.labels.value UDM field. |
queue |
principal.labels[queue] (deprecated) |
queue |
additional.fields[queue] |
region |
principal.location.name |
timestamp |
metadata.creation_timestamp |
topic |
about.labels[topic] (deprecated) |
topic |
additional.fields[topic] |
topicType |
about.labels[topicType] (deprecated) |
topicType |
additional.fields[topicType] |
version |
metadata.product_version |
is_alert |
The is_alert UDM field is set to TRUE . |
is_significant |
The is_significant UDM field is set to TRUE . |
input.eventType |
metadata.event_type |
metadata.product_name |
The metadata.product_name UDM field is set to JAMF_PROTECT . |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to JAMF . |
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to STORAGE_BUCKET . |
target.resource.resource_type |
The target.resource.resource_type UDM field is set to STORAGE_BUCKET . |
input.match.event.options |
about.labels[input_match_event_options] (deprecated) |
input.match.event.options |
additional.fields[input_match_event_options] |
input.match.event.sourcePID |
principal.process.pid |
input.match.event.destinationPID |
target.process.pid |
image.match.event.detection |
security_result.detection_fields [image_match_event_detection] |
input.match.type |
target.asset.attribute.labels [input_match_type] |
If the input.match.type log field value is equal to 0 , then the target.asset.attribute.labels.value UDM field is set to 0 - Device Inserted .Else, if the input.match.type log field value is equal to 1 , then the target.asset.attribute.labels.value UDM field is set to 1 - Device Removed . |
input.match.usbAddress |
target.asset.attribute.labels [input_match_usb_address] |
input.match.event.device.mediaPath |
target.asset.attribute.labels [input_match_device_media_path] |
input.match.event.device.protocol |
target.asset.attribute.labels [input_match_device_protocol] |
input.match.event.device.deviceModel |
target.asset.hardware.model |
input.match.event.device.isRemovable |
target.asset.attribute.labels [input_match_device_is_removable] |
input.match.event.device.mediaName |
target.asset.attribute.labels [input_match_device_media_name] |
input.match.event.device.bsdMinor |
target.asset.attribute.labels [input_match_device_bsd_minor] |
input.match.event.device.vendorName |
target.asset.software.vendor_name |
input.match.event.device.isWhole |
target.asset.attribute.labels [input_match_device_is_whole] |
input.match.event.device.unit |
target.asset.attribute.labels [input_match_device_unit] |
input.match.event.device.deviceSubclass |
target.asset.attribute.labels [input_match_device_subclass] |
input.match.event.device.serialNumber |
target.asset.hardware.serial |
input.match.event.device.bsdUnit |
target.asset.attribute.labels [input_match_device_bsd_unit] |
input.match.event.device.busPath |
target.asset.attribute.labels [input_match_device_bus_path] |
input.match.event.device.isLeaf |
target.asset.attribute.labels [input_match_device_is_leaf] |
input.match.event.device.isInternal |
target.asset.attribute.labels [input_match_device_is_internal] |
input.match.event.device.busName |
target.asset.attribute.labels [input_match_device_bus_name] |
input.match.event.device.bsdMajor |
target.asset.attribute.labels [input_match_device_bsd_major] |
input.match.event.device.isEjectable |
target.asset.attribute.labels [input_match_device_is_ejectable] |
input.match.event.device.isEncrypted |
target.asset.attribute.labels [input_match_device_is_encrypted] |
input.match.event.device.isEncryptable |
target.asset.attribute.labels [input_match_device_is_encryptable] |
input.match.event.device.devicePath |
target.asset.attribute.labels [input_match_device_path] |
input.match.event.device.bsdName |
target.asset.attribute.labels [input_match_device_bsd_name] |
input.match.event.device.vendorId |
target.asset.attribute.labels [input_match_device_vendor_id] |
input.match.event.device.content |
target.asset.attribute.labels [input_match_device_content] |
input.match.event.device.revision |
target.asset.attribute.labels [input_match_device_revision] |
input.match.event.device.size |
target.asset.attribute.labels [input_match_device_size] |
input.match.event.device.isNetworkVolume |
target.asset.attribute.labels [input_match_device_is_network_volume] |
input.match.event.device.blocksize |
target.asset.attribute.labels [input_match_device_block_size] |
input.match.event.device.productName |
target.asset.attribute.labels [input_match_device_product_name] |
input.match.event.device.mediaKind |
target.asset.attribute.labels [input_match_device_media_kind] |
input.match.event.device.isWritable |
target.asset.attribute.labels [input_match_device_is_writable] |
input.match.event.device.productId |
target.asset.product_object_id |
input.match.event.device.productId |
target.asset.asset_id |
The Asset Id: input.match.event.device.productId log field is mapped to the target.asset.asset_id UDM field. |
input.match.event.device.deviceClass |
target.asset.category |
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_device_encryption_detail] |
input.match.event.device.volumeKind |
target.asset.attribute.labels [input_match_event_device_volume_kind] |
input.match.event.device.volumeName |
target.asset.attribute.labels [input_match_event_device_volume_name] |
input.match.event.device.volumeType |
target.asset.attribute.labels [input_match_event_device_volume_type] |
input.match.event.device.isMountable |
target.asset.attribute.labels [input_match_event_device_is_mountable] |
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_event_device_encryption_detail] |
input.match.event.fsid |
principal.labels [input_match_event_fsid] |
input.match.event.bfree |
principal.labels[input_match_event_bfree] (deprecated) |
input.match.event.bfree |
additional.fields[input_match_event_bfree] |
input.match.event.bsize |
principal.labels[input_match_event_bsize] (deprecated) |
input.match.event.bsize |
additional.fields[input_match_event_bsize] |
input.match.event.ffree |
principal.labels[input_match_event_ffree] (deprecated) |
input.match.event.ffree |
additional.fields[input_match_event_ffree] |
input.match.event.files |
principal.labels[input_match_event_files] (deprecated) |
input.match.event.files |
additional.fields[input_match_event_files] |
input.match.event.flags |
principal.labels[input_match_event_flags] (deprecated) |
input.match.event.flags |
additional.fields[input_match_event_flags] |
input.match.event.owner |
principal.user.user_display_name |
input.match.event.bavail |
principal.labels[input_match_event_bvail] (deprecated) |
input.match.event.bavail |
additional.fields[input_match_event_bvail] |
input.match.event.blocks |
principal.labels[input_match_event_blocks] (deprecated) |
input.match.event.blocks |
additional.fields[input_match_event_blocks] |
input.match.event.iosize |
principal.labels[input_match_event_iosize] (deprecated) |
input.match.event.iosize |
additional.fields[input_match_event_iosize] |
input.match.event.version |
principal.labels[input_match_event_version] (deprecated) |
input.match.event.version |
additional.fields[input_match_event_version] |
input.match.event.deadline |
principal.labels[input_match_event_deadline] (deprecated) |
input.match.event.deadline |
additional.fields[input_match_event_deadline] |
input.match.event.flagsExt |
principal.labels[input_match_event_flags_ext] (deprecated) |
input.match.event.flagsExt |
additional.fields[input_match_event_flags_ext] |
input.match.event.fsSubType |
principal.labels[input_match_event_fs_subtype] (deprecated) |
input.match.event.fsSubType |
additional.fields[input_match_event_fs_subtype] |
input.match.event.mntOnName |
principal.labels[input_match_event_mnt_on_name] (deprecated) |
input.match.event.mntOnName |
additional.fields[input_match_event_mnt_on_name] |
input.match.event.fsTypeName |
principal.labels[input_match_event_fs_type_name] (deprecated) |
input.match.event.fsTypeName |
additional.fields[input_match_event_fs_type_name] |
input.match.event.isReadOnly |
principal.labels[input_match_event_is_read_only] (deprecated) |
input.match.event.isReadOnly |
additional.fields[input_match_event_is_read_only] |
input.match.event.mntFromName |
principal.labels[input_match_event_mnt_from_name] (deprecated) |
input.match.event.mntFromName |
additional.fields[input_match_event_mnt_from_name] |
input.match.event.machTimestamp |
principal.labels[input_match_event_mach_timestamp] (deprecated) |
input.match.event.machTimestamp |
additional.fields[input_match_event_mach_timestamp] |
input.match.event.sequenceNumber |
principal.labels[input_match_event_seq_number] (deprecated) |
input.match.event.sequenceNumber |
additional.fields[input_match_event_seq_number] |
input.match.event.globalSequenceNumber |
principal.labels[input_match_event_global_seq_number] (deprecated) |
input.match.event.globalSequenceNumber |
additional.fields[input_match_event_global_seq_number] |