此页面由 Cloud Translation API 翻译。

收集 Jamf Protect 日志

支持以下语言：

Google SecOps SIEM

本文档介绍了如何通过设置 Google Security Operations 来收集 Jamf Protect 日志 Feed 以及日志字段与 Google Security Operations 统一数据模型 (UDM) 字段之间的对应关系。本文档还列出了受支持的 Jamf Protect 版本。

如需了解详情，请参阅将数据注入到 Google Security Operations 中。

典型部署包括 Jamf Protect 和配置为向 Google Security Operations 发送日志的 Google Security Operations Feed。每个客户部署都可能不同，并且可能更复杂。

该部署包含以下组件：

Jamf Protect。您要从中收集日志的 Jamf Protect 平台。
Google Security Operations Feed。从 Jamf Protect 提取日志并将日志写入 Google Security Operations 的 Google Security Operations Feed。
Google Security Operations。Google Security Operations 会保留和分析来自 Jamf Protect 的日志。

提取标签用于标识将原始日志数据标准化的解析器结构化 UDM 格式本文档中的信息适用于具有 JAMF_PROTECT 注入标签的解析器。

准备工作

确保您使用的是 Jamf Protect 4.0.0 或更高版本。
确保部署架构中的所有系统都配置了 UTC 时区。

在 Google Security Operations 中配置 Feed 以提取 Jamf Protect 日志

您可以使用 Amazon S3 或 webhook 在 Google Security Operations 中设置提取 Feed，但我们建议您使用 Amazon S3。

使用 Amazon S3 设置提取 Feed

在 Google Security Operations 菜单中，选择 Settings，然后点击 Feed。
点击 Add New（新增）。
选择 Amazon S3 作为来源类型。
如要为 Jamf Protect 创建 Feed，请选择 Jamf Protect 提醒作为日志类型。
点击下一步。
保存 Feed，然后提交。
从 Feed 名称中复制 Feed ID，以便在 Jamf Protect 中使用。

使用网络钩子设置提取 Feed

在 Google Security Operations 菜单中，选择设置，然后点击 Feed。
点击新增。
在 Feed 名称字段中，输入 Feed 的名称。
在来源类型列表中，选择 Webhook。
如需为 Jamf Protect 创建 Feed，请选择 Jamf Protect Alerts 作为 Log Type（日志类型）。
点击下一步。
可选：为以下输入参数指定值：
- 分隔符：用于分隔日志行（例如 \n）的分隔符。
- 资产命名空间：资产命名空间。
- 提取标签：要应用于此 Feed 中的事件的标签。
点击下一步。
在敲定屏幕中检查新 Feed 配置，然后点击提交。
点击生成 Secret 密钥，生成用于对此 Feed 进行身份验证的 Secret 密钥。
复制并存储密钥，因为您无法再查看此密钥。您可以生成但重新生成密钥会导致先前的密钥会作废。
在详细信息标签页中，从端点信息字段复制 Feed 端点网址。您需要在 Jamf Protect Alerts 应用中指定此端点网址。
点击完成。
在 Jamf Protect 中指定端点网址。

如需详细了解 Google Security Operations Feed，请参阅 Google Security Operations Feed 文档。如需了解每种 Feed 类型的要求，请参阅按类型配置 Feed。

如果您在创建 Feed 时遇到问题，请与 Google Security Operations 支持团队联系。

支持的 Jamf Protect 日志类型

下表列出了 Jamf Protect 解析器支持的日志类型：

事件类型	显示名称
GPClickEvent	合成点击事件
GPDownloadEvent	下载事件
GPFSEvent	文件系统事件
GPGatekeeperEvent	接待员活动
GPKeylogRegisterEvent	键盘记录器事件
GPMRTEvent	监控事件
GPPreventedExecutionEvent	自定义阻止名单事件
GPProcessEvent	处理事件
GPThreatMatchExecEvent	威胁防护事件
GPUSBEvent	USB 事件
GPUnifiedLogEvent	统一日志事件
身份验证装载	设备控制器事件

字段映射参考文档

本部分介绍 Google Security Operations 解析器如何将 Jamf Protect 字段映射到 Google Security Operations 统一数据模型 (UDM) 字段。

字段映射参考信息：事件标识符到事件类型

下表列出了 JAMF_PROTECT 日志类型及其对应的 UDM 事件类型。

Event Identifier	Event Type
`GPClickEvent`	`SCAN_UNCATEGORIZED`
`GPDownloadEvent`	`SCAN_FILE`
`GPFSEvent`	`SCAN_FILE`
`GPGatekeeperEvent`	`SCAN_UNCATEGORIZED`
`GPKeylogRegisterEvent`	`SCAN_UNCATEGORIZED`
`GPMRTEvent`	`SCAN_UNCATEGORIZED`
`GPPreventedExecutionEvent`	`SCAN_UNCATEGORIZED`
`GPProcessEvent`	`SCAN_PROCESS`
`GPThreatMatchExecEvent`	`SCAN_UNCATEGORIZED`
`GPUSBEvent`	`SCAN_UNCATEGORIZED`
`GPUnifiedLogEvent`	`SCAN_UNCATEGORIZED`
`Auth-mount`	`SCAN_UNCATEGORIZED`

字段映射参考：JAMF_PROTECT

下表列出了 JAMF_PROTECT 日志类型的日志字段及其对应的 UDM 字段。

Log field	UDM mapping	Logic
	`about.platform`	The `about.platform` UDM field is set to `MAC`.
`caid`	`about.labels[caid]` (deprecated)
`caid`	`additional.fields[caid]`
`certid`	`principal.asset.attribute.labels [certid]`
`context.identity.claims.certid`	`principal.user.attribute.permissions.description`
`context.identity.claims.clientid`	`principal.user.attribute.labels [context_identity_claims_clientid]`
`input.eventType`	`metadata.product_event_type`
`input.host.hostname`	`principal.hostname`
`input.host.ips`	`principal.ip`
`input.host.provisioningUDID`	`principal.asset.product_object_id`
`input.host.serial`	`principal.asset.hardware.serial_number`
`input.match.actions.name`	`security_result.outcomes [input_match_actions_name]`
`input.match.actions.parameters.message`	`security_result.summary`	If the `index` value is equal to `0`, then the `input.match.actions.parameters.message` log field is mapped to the `security_result.summary` UDM field. Else, the `input.match.actions.parameters.message` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.actions.parameters.title`	`security_result.description`	If the `index` value is equal to `0`, then the `input.match.actions.parameters.title` log field is mapped to the `security_result.description` UDM field. Else, the `input.match.actions.parameters.title` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.context.name`	`security_result.detection_fields.key`
`input.match.context.value`	`security_result.detection_fields.value [Name]`
`input.match.context.valueType`
`input.match.custom`	`security_result.detection_fields [input_match_custom]`
`input.match.event.blocked`	`security_result.action`	If the `input.match.event.blocked` log field value is not empty, then the `security_result.action` UDM field is set to `BLOCK`.
`context.identity.claims.hd, input.match.uuid`	`security_result.url_back_to_product`	The `security_result.url_back_to_product` UDM field is set to `https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid`.
`input.match.event.category`	`security_result.category_details`
`input.match.event.clickType`	`principal.labels[input_match_event_click_type]` (deprecated)	If the `input.match.event.clickType` log field value is equal to `0`, then the `principal.labels.value` UDM field is set to `0 - Other`. Else, if the `input.match.event.clickType` log field value is equal to `1`, then the `principal.labels.value` UDM field is set to `1 - Left Down`. Else, if the `input.match.event.clickType` log field value is equal to `2`, then the `principal.labels.value` UDM field is set to `2 - Left Up`. Else, if the `input.match.event.clickType` log field value is equal to `3`, then the `principal.labels.value` UDM field is set to `3 - Right Down`. Else, if the `input.match.event.clickType` log field value is equal to `4`, then the `principal.labels.value` UDM field is set to `4 - Right Up`.
`input.match.event.clickType`	`additional.fields[input_match_event_click_type]`	If the `input.match.event.clickType` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - Other`. Else, if the `input.match.event.clickType` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Left Down`. Else, if the `input.match.event.clickType` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `2 - Left Up`. Else, if the `input.match.event.clickType` log field value is equal to `3`, then the `additional.fields.value.string_value` UDM field is set to `3 - Right Down`. Else, if the `input.match.event.clickType` log field value is equal to `4`, then the `additional.fields.value.string_value` UDM field is set to `4 - Right Up`.
`input.match.event.composedMessage`	`principal.labels[input_match_event_composed_message]` (deprecated)
`input.match.event.composedMessage`	`additional.fields[input_match_event_composed_message]`
`input.match.event.dev`	`principal.labels[input_match_event_dev]` (deprecated)
`input.match.event.dev`	`additional.fields[input_match_event_dev]`
`input.match.event.eventID`	`principal.labels[input_match_event_eventID]` (deprecated)
`input.match.event.eventID`	`additional.fields[input_match_event_eventID]`
`input.match.event.gid`	`principal.user.group_identifiers`
`input.match.event.iNode`	`target.file.stat_inode`
`input.match.event.matchType`	`principal.labels[input_match_event_match_type]` (deprecated)
`input.match.event.matchType`	`additional.fields[input_match_event_match_type]`
`input.match.event.matchValue`	`security_result.threat_name`	If the `input.match.event.matchType` log field value is not empty, then the `input.match.event.matchValue` log field is mapped to the `security_result.threat_name` UDM field.
`input.match.event.name`	`about.labels[input_match_event_name]` (deprecated)
`input.match.event.name`	`additional.fields[input_match_event_name]`
`input.match.facts.name`	`metadata.description`	If the `index` value is equal to `0`, then the `input.match.facts.name` log field is mapped to the `metadata.description` UDM field.
`input.match.event.path`	`target.process.file.full_path`
`input.match.event.pid`	`principal.process.pid`
`input.match.event.prevFile`	`src.file.full_path`	If the `input.match.event.prevFile` log field value is not empty, then the `input.match.event.prevFile` log field is mapped to the `src.file.full_path` UDM field.
`input.match.event.process`	`principal.process.file.names`
`input.match.event.process.args`	`target.process.command_line_history`
`input.match.event.process.gid`	`target.group.product_object_id`
`input.match.event.process.name`	`target.process.file.names`
`input.match.event.process.originalParentPID`	`target.process.parent_process.pid`
`input.match.event.process.path`	`target.process.file.full_path`
`input.match.event.process.pgid`	`target.labels[input_match_event_processes_pgid]` (deprecated)
`input.match.event.process.pgid`	`additional.fields[input_match_event_processes_pgid]`
`input.match.event.process.pid`	`target.process.pid`
`input.match.event.process.ppid`	`target.labels[input_match_event_process_ppid]` (deprecated)
`input.match.event.process.ppid`	`additional.fields[input_match_event_process_ppid]`
`input.match.event.process.responsiblePID`	`target.labels[input_match_event_process_responsible_pid]` (deprecated)
`input.match.event.process.responsiblePID`	`additional.fields[input_match_event_process_responsible_pid]`
`input.match.event.process.rgid`	`target.labels[input_match_event_process_rgid]` (deprecated)
`input.match.event.process.rgid`	`additional.fields[input_match_event_process_rgid]`
`input.match.event.process.ruid`	`target.labels[input_match_event_process_ruid]` (deprecated)
`input.match.event.process.ruid`	`additional.fields[input_match_event_process_ruid]`
`input.match.event.process.signingInfo.appid`	`target.user.attribute.labels [input_match_event_process_sign_appid]`
`input.match.event.process.signingInfo.authorities`	`target.user.attribute.permissions`
`input.match.event.process.signingInfo.cdhash`	`target.user.attribute.labels [input_match_event_process_sign_cdhash]`
`input.match.event.process.signingInfo.entitlements`	`target.user.attributes.permissions`
`input.match.event.process.signingInfo.signerType`	`target.user.attribute.labels [input_match_event_process_sign_signer_type]`	If the `input.related.process.signingInfo.signerType` log field value is equal to `0`, then the `target.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `1`, then the `target.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `2`, then the `target.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `3`, then the `target.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.process.signingInfo.signerType` log field value is equal to `4`, then the `target.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.match.event.process.signingInfo.status`	`target.user.attribute.labels [input_match_event_process_sign_status]`
`input.match.event.process.signingInfo.statusMessage`	`target.labels[input_match_event_process_sign_status_message]` (deprecated)
`input.match.event.process.signingInfo.statusMessage`	`additional.fields[input_match_event_process_sign_status_message]`
`input.match.event.process.signingInfo.teamid`	`target.user.group_identifiers`
`input.match.event.process.startTimestamp`	`target.labels[input_match_event_process_start_time_stamp]` (deprecated)
`input.match.event.process.startTimestamp`	`additional.fields[input_match_event_process_start_time_stamp]`
`input.match.event.process.uid`	`target.labels[input_match_event_process_uid]` (deprecated)
`input.match.event.process.uid`	`additional.fields[input_match_event_process_uid]`
`input.match.event.process.uuid`	`target.process.product_specific_process_id`	The `Process Uuid: input.match.event.process.uuid` log field is mapped to the `target.process.product_specific_process_id` UDM field.
`input.match.event.processIdentifier`	`target.process.pid`
`input.match.event.processImagePath`	`target.process.file.full_path`
`input.match.event.rateLimitingSecs`	`principal.labels[input_match_event_rate_limiting_secs]` (deprecated)
`input.match.event.rateLimitingSecs`	`additional.fields[input_match_event_rate_limiting_secs]`
`input.match.event.scriptPath`	`principal.labels[input_match_event_script_path]` (deprecated)
`input.match.event.scriptPath`	`additional.fields[input_match_event_script_path]`
`input.match.event.sender`	`principal.labels[input_match_event_sender]` (deprecated)
`input.match.event.sender`	`additional.fields[input_match_event_sender]`
`input.match.event.senderImagePath`	`principal.labels[input_match_event_sender_image_path]` (deprecated)
`input.match.event.senderImagePath`	`additional.fields[input_match_event_sender_image_path]`
`input.match.event.subsystem`	`principal.labels[input_match_event_subsystem]` (deprecated)
`input.match.event.subsystem`	`additional.fields[input_match_event_subsystem]`
`input.match.event.subType`	`principal.labels[input_match_event_sub_type]` (deprecated)	If the `input.match.event.subType` log field value is equal to `7`, then the `principal.labels.value` UDM field is set to `7 - Exec`. Else, if the `input.match.event.subType` log field value is equal to `2`, then the `principal.labels.value` UDM field is set to `2 - Fork`. Else, if the `input.match.event.subType` log field value is equal to `1`, then the `principal.labels.value` UDM field is set to `1 - Exit`. Else, if the `input.match.event.subType` log field value is equal to `23`, then the `principal.labels.value` UDM field is set to `23 - Execve`. Else, if the `input.match.event.subType` log field value is equal to `43190`, then the `principal.labels.value` UDM field is set to `43190 - Posix Spawn`.
`input.match.event.subType`	`additional.fields[input_match_event_sub_type]`	If the `input.match.event.subType` log field value is equal to `7`, then the `additional.fields.value.string_value` UDM field is set to `7 - Exec`. Else, if the `input.match.event.subType` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `2 - Fork`. Else, if the `input.match.event.subType` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Exit`. Else, if the `input.match.event.subType` log field value is equal to `23`, then the `additional.fields.value.string_value` UDM field is set to `23 - Execve`. Else, if the `input.match.event.subType` log field value is equal to `43190`, then the `additional.fields.value.string_value` UDM field is set to `43190 - Posix Spawn`.
`input.match.event.tags`	`security_result.rule_labels [input_match_event_tags]`
`input.match.event.targetpid`	`target.process.pid`
`input.match.event.timestamp`	`metadata.event_timestamp`
`input.match.event.type`	`target.labels[input_match_event_type]` (deprecated)	If the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `0`, then the `target.labels.value` UDM field is set to `0 - Created`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `1`, then the `target.labels.value` UDM field is set to `1 - Deleted`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `3`, then the `target.labels.value` UDM field is set to `3 - Renamed`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `4`, then the `target.labels.value` UDM field is set to `4 - Modified`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `7`, then the `target.labels.value` UDM field is set to `7 - Created Dir`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `0`, then the `target.labels.value` UDM field is set to `0 - None`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `1`, then the `target.labels.value` UDM field is set to `1 - Create`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `2`, then the `target.labels.value` UDM field is set to `0 - Exit`.
`input.match.event.type`	`additional.fields[input_match_event_type]`	If the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - Created`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Deleted`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `3`, then the `additional.fields.value.string_value` UDM field is set to `3 - Renamed`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `4`, then the `additional.fields.value.string_value` UDM field is set to `4 - Modified`. Else, if the `input.eventType` log field value is equal to `GPFSEvent` and the `input.match.event.type` log field value is equal to `7`, then the `additional.fields.value.string_value` UDM field is set to `7 - Created Dir`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `0`, then the `additional.fields.value.string_value` UDM field is set to `0 - None`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `1`, then the `additional.fields.value.string_value` UDM field is set to `1 - Create`. Else, if the `input.eventType` log field value is equal to `GPProcessEvent` and the `input.match.event.type` log field value is equal to `2`, then the `additional.fields.value.string_value` UDM field is set to `0 - Exit`.
`input.match.event.uid`	`principal.user.userid`
`input.match.event.uuid`	`about.labels[input_match_event_uuid]` (deprecated)
`input.match.event.uuid`	`additional.fields[input_match_event_uuid]`
`input.match.facts.actions.name`	`security_result.action_details`	If the `index` value is equal to `0`, then the `input.match.facts.actions.name` log field is mapped to the `security_result.action_details` UDM field. Else, the `input.match.facts.actions.name` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.match.facts.actions.parameters.id`	`security_result.detection_fields [input_match_facts_actions_parameters_id]`
`input.match.facts.actions.parameters.message`	`security_result.detection_fields [input_match_facts_actions_parameters_message]`
`input.match.facts.actions.parameters.title`	`security_result.detection_fields [input_match_facts_actions_parameters_title]`
`input.match.facts.context.name`	`security_result.detection_fields.key`
`input.match.facts.context.value`	`security_result.detection_fields.value [Name]`
`input.match.facts.context.valueType`
`input.match.facts.human`	`security_result.action`	If the `input.match.facts.human` log field value is matched with regex `(?i)blocked`, then the `security_result.action` UDM field is set to `BLOCK`.
`input.match.facts.human`	`security_result.description`	If the `index` value is equal to `0`, then the `input.match.facts.human` log field is mapped to the `security_result.description` UDM field. Else, the `input.match.facts.human` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.facts.name`	`security_result.summary`	If the `index` value is equal to `0`, then the `input.match.facts.name` log field is mapped to the `security_result.summary` UDM field. Else, the `input.match.facts.name` log field is mapped to the `security_result.detection_fields.value` UDM field.
`input.match.facts.severity`	`security_result.detection_fields [input_match_facts_severity]`
`input.match.facts.tags`	`security_result.rule_labels [input_match_facts_tags]`
`input.match.facts.uuid`	`about.labels [input_match_facts_uuid]`
`input.match.facts.version`	`about.labels [input_match_facts_version]`
`input.match.severity`	`security_result.severity`	If the `severity` log field value is equal to `0`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `severity` log field value is equal to `1`, then the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity` log field value is equal to `2`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is equal to `3`, then the `security_result.severity` UDM field is set to `HIGH`.
`input.match.tags`	`security_result.rule_labels [input_match_tags]`
`input.match.uuid`	`metadata.product_log_id`
`input.related.binaries.accessed`	`security_result.about.labels [input_related_binaries_accessed]`
`input.related.binaries.changed`	`security_result.about.labels [input_related_binaries_changed]`
`input.related.binaries.created`	`security_result.about.file.first_seen_time`	If the `index` value is equal to `0`, then the `input.related.binaries.created` log field is mapped to the `security_result.about.file.first_seen_time` UDM field. Else, the `input.related.binaries.created` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.fsid`	`security_result.about.labels [input_related_binaries_fsid]`
`input.related.binaries.gid`	`security_result.about.labels [input_related_binaries_gid]`
`input.related.binaries.inode`	`security_result.about.file.stat_inode`	If the `index` value is equal to `0`, then the `input.related.binaries.inode` log field is mapped to the `security_result.about.file.stat_inode` UDM field. Else, the `input.related.binaries.inode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.isAppBundle`	`security_result.about.labels [isAppBundle]`
`input.related.binaries.isDirectory`	`security_result.about.labels [isDirectory]`
`input.related.binaries.isDownload`	`security_result.about.labels [isDownload]`
`input.related.binaries.isScreenShot`	`security_result.about.labels [isScreenShot]`
`input.related.binaries.mode`	`security_result.about.file.stat_mode`	If the `index` value is equal to `0`, then the `input.related.binaries.mode` log field is mapped to the `security_result.about.file.stat_mode` UDM field. Else, the `input.related.binaries.mode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.modified`	`security_result.about.file.last_modification_time`	If the `index` value is equal to `0`, then the `input.related.binaries.modified` log field is mapped to the `security_result.about.file.last_modification_time` UDM field. Else, the `input.related.binaries.modified` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.path`	`security_result.about.file.full_path`	If the `index` value is equal to `0`, then the `input.related.binaries.path` log field is mapped to the `security_result.about.file.full_path` UDM field. Else, the `input.related.binaries.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.sha1hex`	`security_result.about.file.sha1`	If the `index` value is equal to `0`, then the `input.related.binaries.sha1hex` log field is mapped to the `security_result.about.file.sha1` UDM field. Else, the `input.related.binaries.sha1hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.sha256hex`	`security_result.about.file.sha256`	If the `index` value is equal to `0`, then the `input.related.binaries.sha256hex` log field is mapped to the `security_result.about.file.sha256` UDM field. Else, the `input.related.binaries.sha256hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.binaries.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.binaries.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.signingInfo.authorities`	`security_result.about.user.attribute.permissions`
`input.related.binaries.signingInfo.cdhash`	`security_result.about.labels [input_related_binaries_sign_cdhash]`
`input.related.binaries.signingInfo.entitlements`	`security_result.about.user.attribute.permisisons`
`input.related.binaries.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type]`	If the `input.related.binaries.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.binaries.signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.binaries.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_binaries_sign_status]`
`input.related.binaries.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_processes_sign_status_message]`
`input.related.binaries.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.binaries.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.binaries.signingInfo.teamid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.binaries.size`	`security_result.about.file.size`	If the `index` value is equal to `0`, then the `input.related.binaries.size` log field is mapped to the `security_result.about.file.size` UDM field. Else, the `input.related.binaries.size` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.binaries.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.binaries.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.binaries.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.binaries.xattrs`	`security_result.about.user.attribute.labels [input_related_binaries_xattrs]`
`input.related.files.accessed`	`security_result.about.labels [input_related_files_accessed]`
`input.related.files.changed`	`security_result.about.labels [input_related_files_changed]`
`input.related.files.created`	`security_result.about.labels [input_related_files_created]`
`input.related.files.downloadedFrom`	`security_result.about.labels [input_related_files_downloaded_from]`
`input.related.files.fsid`	`security_result.about.labels [input_related_files_downloaded_fsid]`
`input.related.files.gid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.files.gid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.files.gid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.inode`	`security_result.about.file.stat_inode`	If the `index` value is equal to `0`, then the `input.related.files.inode` log field is mapped to the `security_result.about.file.stat_inode` UDM field. Else, the `input.related.files.inode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.isAppBundle`	`security_result.about.labels [input_related_files_downloaded_is_app_bundle]`
`input.related.files.isDirectory`	`security_result.about.labels [input_related_files_is_directory]`
`input.related.files.isDownload`	`security_result.about.labels [input_related_files_is_download]`
`input.related.files.isScreenShot`	`security_result.about.labels [input_related_files_is_screenshot]`
`input.related.files.mode`	`security_result.about.file.stat_mode`	If the `index` value is equal to `0`, then the `input.related.files.mode` log field is mapped to the `security_result.about.file.stat_mode` UDM field. Else, the `input.related.files.mode` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.modified`	`security_result.about.file.last_modification_time`	If the `index` value is equal to `0`, then the `input.related.files.modified` log field is mapped to the `security_result.about.file.last_modification_time` UDM field. Else, the `input.related.files.modified` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.path`	`security_result.about.file.full_path`	If the `index` value is equal to `0`, then the `input.related.files.path` log field is mapped to the `security_result.about.file.full_path` UDM field. Else, the `input.related.files.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.sha1hex`	`security_result.about.file.sha1`	If the `index` value is equal to `0`, then the `input.related.files.sha1hex` log field is mapped to the `security_result.about.file.sha1` UDM field. Else, the `input.related.files.sha1hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.sha256hex`	`security_result.about.file.sha256`	If the `index` value is equal to `0`, then the `input.related.files.sha256hex` log field is mapped to the `security_result.about.file.sha256` UDM field. Else, the `input.related.files.sha256hex` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.files.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.files.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.signingInfo.authorities`	`security_result.about.user.attribute.permissions`
`input.related.files.signingInfo.cdhash`	`security_result.about.labels [[input_related_files_sign_cdhash]`
`input.related.files.signingInfo.entitlements`	`security_result.about.user.attribute.permissions`
`input.related.files.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type]`	If the `input.related.files.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.files.signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.files.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_files_signing_info_status]`
`input.related.files.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_files_signing_info_status_message]`
`input.related.files.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.files.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.files.signingInfo.teamid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.files.size`	`security_result.about.file.size`	If the `index` value is equal to `0`, then if the `input.related.files.size` log field value is not equal to `0`, then the `input.related.files.size` log field is mapped to the `security_result.about.file.size` UDM field. Else, the `input.related.files.size` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.files.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.files.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.files.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.files.xattrs`	`security_result.about.labels [input_related_files_xattrs]`
`input.related.groups.gid`	`security_result.about.group.attribute.labels [input_related_groups_gid]`
`input.related.groups.name`	`security_result.about.group.group_display_name`	If the `index` value is equal to `0`, then the `input.related.groups.name` log field is mapped to the `security_result.about.group.group_display_name` UDM field. Else, the `input.related.groups.name` log field is mapped to the `security_result.about.group.attribute.labels.value` UDM field.
`input.related.groups.uuid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.groups.uuid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.groups.uuid` log field is mapped to the `security_result.about.group.attribute.labels.value` UDM field.
`input.related.processes.appPath`	`security_result.about.labels [input_related_processes_app_path]`
`input.related.processes.args`	`security_result.about.process.command_line_history`
`input.related.processes.exitCode`	`security_result.about.labels [input_related_processes_exit_code]`
`input.related.processes.gid`	`security_result.about.group.product_object_id`	If the `index` value is equal to `0`, then the `input.related.processes.gid` log field is mapped to the `security_result.about.group.product_object_id` UDM field. Else, the `input.related.processes.gid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.name`	`security_result.about.process.file.names`
`input.related.processes.originalParentPID`	`security_result.about.process.parent_process.pid`	If the `index` value is equal to `0`, then the `input.related.processes.originalParentPID` log field is mapped to the `security_result.about.process.parent_process.pid` UDM field. Else, the `input.related.processes.originalParentPID` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.path`	`security_result.about.process.file.full_path`	If the `index` value is equal to `0`, then the `input.related.processes.path` log field is mapped to the `security_result.about.process.file.full_path` UDM field. Else, the `input.related.processes.path` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.pgid`	`security_result.about.labels [input_related_process_pgid]`
`input.related.processes.pid`	`security_result.about.process.pid`	If the `index` value is equal to `0`, then the `input.related.processes.pid` log field is mapped to the `security_result.about.process.pid` UDM field. Else, the `input.related.processes.pid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.ppid`	`security_result.about.labels [input_related_processes_ppid]`
`input.related.processes.responsiblePID`	`security_result.about.labels [input_related_processes_responsible_pid]`
`input.related.processes.rgid`	`security_result.about.labels [input_related_processes_rgid]`
`input.related.processes.ruid`	`security_result.about.labels [input_related_processes_ruid]`
`input.related.processes.signingInfo.appid`	`security_result.about.application`	If the `index` value is equal to `0`, then the `input.related.processes.signingInfo.appid` log field is mapped to the `security_result.about.application` UDM field. Else, the `input.related.processes.signingInfo.appid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.signingInfo.authorities`	`security_result.about.user.attributes.permission`
`input.related.processes.signingInfo.cdhash`	`security_result.about.user.attribute.labels [input_related_processes_sign_cdhash]`
`input.related.processes.signingInfo.entitlements`	`security_result.about.user.attributes.permission`
`input.related.processes.signingInfo.signerType`	`security_result.about.user.attribute.labels [input_related_processes_sign_signer_type]`	If the `input.related.processes.signingInfo.signerType` log field value is equal to `0`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `0 - Apple`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `1`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `1 - App Store`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `2`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `2 - Developer`. Else, if the `input.related.processes.signingInfo.signerType` log field value is equal to `3`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `3 - Ad Hoc`. Else, if the `input.related.processes .signingInfo.signerType` log field value is equal to `4`, then the `security_result.about.user.attribute.labels.value` UDM field is set to `4 - Unsigned`.
`input.related.processes.signingInfo.status`	`security_result.about.user.attribute.labels [input_related_processes_sign_status]`
`input.related.processes.signingInfo.statusMessage`	`security_result.about.user.attribute.labels [input_related_processes_sign_status_message]`
`input.related.processes.signingInfo.teamid`	`security_result.about.user.group_identifiers`	If the `index` value is equal to `0`, then the `input.related.processes.signingInfo.teamid` log field is mapped to the `security_result.about.user.group_identifiers` UDM field. Else, the `input.related.processes.signingInfo.teamid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.processes.startTimestamp`	`security_result.about.labels [input_related_processes_start_time_stamp]`
`input.related.processes.tty`	`security_result.about.labels [input_related_processes_tty]`
`input.related.processes.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.processes.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.processes.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.processes.uuid`	`security_result.about.process.product_specific_process_id`	If the `index` value is equal to `0`, then the `Process Uuid: input.related.processes.uuid` log field is mapped to the `security_result.about.process.product_specific_process_id` UDM field. Else, the `input.related.processes.uuid` log field is mapped to the `security_result.about.labels.value` UDM field.
`input.related.users.name`	`security_result.about.user.user_display_name`	If the `index` value is equal to `0`, then the `input.related.users.name` log field is mapped to the `security_result.about.user.user_display_name` UDM field. Else, the `input.related.users.name` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.users.uid`	`security_result.about.user.userid`	If the `index` value is equal to `0`, then the `input.related.users.uid` log field is mapped to the `security_result.about.user.userid` UDM field. Else, the `input.related.users.uid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`input.related.users.uuid`	`security_result.about.user.product_object_id`	If the `index` value is equal to `0`, then the `input.related.users.uuid` log field is mapped to the `security_result.about.user.product_object_id` UDM field. Else, the `input.related.users.uuid` log field is mapped to the `security_result.about.user.attribute.labels.value` UDM field.
`key`	`about.labels[key]` (deprecated)
`key`	`additional.fields[key]`
`path`	`target.file.full_path`	If the `index` value is equal to `0`, then the `path` log field is mapped to the `target.file.full_path` UDM field. Else, the `path` log field is mapped to the `target.labels.value` UDM field.
`queue`	`principal.labels[queue]` (deprecated)
`queue`	`additional.fields[queue]`
`region`	`principal.location.name`
`timestamp`	`metadata.creation_timestamp`
`topic`	`about.labels[topic]` (deprecated)
`topic`	`additional.fields[topic]`
`topicType`	`about.labels[topicType]` (deprecated)
`topicType`	`additional.fields[topicType]`
`version`	`metadata.product_version`
	`is_alert`	The `is_alert` UDM field is set to `TRUE`.
	`is_significant`	The `is_significant` UDM field is set to `TRUE`.
`input.eventType`	`metadata.event_type`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `JAMF_PROTECT`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `JAMF`.
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `STORAGE_BUCKET`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `STORAGE_BUCKET`.
`input.match.event.options`	`about.labels[input_match_event_options]` (deprecated)
`input.match.event.options`	`additional.fields[input_match_event_options]`
`input.match.event.sourcePID`	`principal.process.pid`
`input.match.event.destinationPID`	`target.process.pid`
`image.match.event.detection`	`security_result.detection_fields [image_match_event_detection]`
`input.match.type`	`target.asset.attribute.labels [input_match_type]`	If the `input.match.type` log field value is equal to `0`, then the `target.asset.attribute.labels.value` UDM field is set to `0 - Device Inserted`. Else, if the `input.match.type` log field value is equal to `1`, then the `target.asset.attribute.labels.value` UDM field is set to `1 - Device Removed`.
`input.match.usbAddress`	`target.asset.attribute.labels [input_match_usb_address]`
`input.match.event.device.mediaPath`	`target.asset.attribute.labels [input_match_device_media_path]`
`input.match.event.device.protocol`	`target.asset.attribute.labels [input_match_device_protocol]`
`input.match.event.device.deviceModel`	`target.asset.hardware.model`
`input.match.event.device.isRemovable`	`target.asset.attribute.labels [input_match_device_is_removable]`
`input.match.event.device.mediaName`	`target.asset.attribute.labels [input_match_device_media_name]`
`input.match.event.device.bsdMinor`	`target.asset.attribute.labels [input_match_device_bsd_minor]`
`input.match.event.device.vendorName`	`target.asset.software.vendor_name`
`input.match.event.device.isWhole`	`target.asset.attribute.labels [input_match_device_is_whole]`
`input.match.event.device.unit`	`target.asset.attribute.labels [input_match_device_unit]`
`input.match.event.device.deviceSubclass`	`target.asset.attribute.labels [input_match_device_subclass]`
`input.match.event.device.serialNumber`	`target.asset.hardware.serial`
`input.match.event.device.bsdUnit`	`target.asset.attribute.labels [input_match_device_bsd_unit]`
`input.match.event.device.busPath`	`target.asset.attribute.labels [input_match_device_bus_path]`
`input.match.event.device.isLeaf`	`target.asset.attribute.labels [input_match_device_is_leaf]`
`input.match.event.device.isInternal`	`target.asset.attribute.labels [input_match_device_is_internal]`
`input.match.event.device.busName`	`target.asset.attribute.labels [input_match_device_bus_name]`
`input.match.event.device.bsdMajor`	`target.asset.attribute.labels [input_match_device_bsd_major]`
`input.match.event.device.isEjectable`	`target.asset.attribute.labels [input_match_device_is_ejectable]`
`input.match.event.device.isEncrypted`	`target.asset.attribute.labels [input_match_device_is_encrypted]`
`input.match.event.device.isEncryptable`	`target.asset.attribute.labels [input_match_device_is_encryptable]`
`input.match.event.device.devicePath`	`target.asset.attribute.labels [input_match_device_path]`
`input.match.event.device.bsdName`	`target.asset.attribute.labels [input_match_device_bsd_name]`
`input.match.event.device.vendorId`	`target.asset.attribute.labels [input_match_device_vendor_id]`
`input.match.event.device.content`	`target.asset.attribute.labels [input_match_device_content]`
`input.match.event.device.revision`	`target.asset.attribute.labels [input_match_device_revision]`
`input.match.event.device.size`	`target.asset.attribute.labels [input_match_device_size]`
`input.match.event.device.isNetworkVolume`	`target.asset.attribute.labels [input_match_device_is_network_volume]`
`input.match.event.device.blocksize`	`target.asset.attribute.labels [input_match_device_block_size]`
`input.match.event.device.productName`	`target.asset.attribute.labels [input_match_device_product_name]`
`input.match.event.device.mediaKind`	`target.asset.attribute.labels [input_match_device_media_kind]`
`input.match.event.device.isWritable`	`target.asset.attribute.labels [input_match_device_is_writable]`
`input.match.event.device.productId`	`target.asset.product_object_id`
`input.match.event.device.productId`	`target.asset.asset_id`	The `Asset Id: input.match.event.device.productId` log field is mapped to the `target.asset.asset_id` UDM field.
`input.match.event.device.deviceClass`	`target.asset.category`
`input.match.event.device.encryptionDetail`	`target.asset.attribute.labels [input_match_device_encryption_detail]`
`input.match.event.device.volumeKind`	`target.asset.attribute.labels [input_match_event_device_volume_kind]`
`input.match.event.device.volumeName`	`target.asset.attribute.labels [input_match_event_device_volume_name]`
`input.match.event.device.volumeType`	`target.asset.attribute.labels [input_match_event_device_volume_type]`
`input.match.event.device.isMountable`	`target.asset.attribute.labels [input_match_event_device_is_mountable]`
`input.match.event.device.encryptionDetail`	`target.asset.attribute.labels [input_match_event_device_encryption_detail]`
`input.match.event.fsid`	`principal.labels [input_match_event_fsid]`
`input.match.event.bfree`	`principal.labels[input_match_event_bfree]` (deprecated)
`input.match.event.bfree`	`additional.fields[input_match_event_bfree]`
`input.match.event.bsize`	`principal.labels[input_match_event_bsize]` (deprecated)
`input.match.event.bsize`	`additional.fields[input_match_event_bsize]`
`input.match.event.ffree`	`principal.labels[input_match_event_ffree]` (deprecated)
`input.match.event.ffree`	`additional.fields[input_match_event_ffree]`
`input.match.event.files`	`principal.labels[input_match_event_files]` (deprecated)
`input.match.event.files`	`additional.fields[input_match_event_files]`
`input.match.event.flags`	`principal.labels[input_match_event_flags]` (deprecated)
`input.match.event.flags`	`additional.fields[input_match_event_flags]`
`input.match.event.owner`	`principal.user.user_display_name`
`input.match.event.bavail`	`principal.labels[input_match_event_bvail]` (deprecated)
`input.match.event.bavail`	`additional.fields[input_match_event_bvail]`
`input.match.event.blocks`	`principal.labels[input_match_event_blocks]` (deprecated)
`input.match.event.blocks`	`additional.fields[input_match_event_blocks]`
`input.match.event.iosize`	`principal.labels[input_match_event_iosize]` (deprecated)
`input.match.event.iosize`	`additional.fields[input_match_event_iosize]`
`input.match.event.version`	`principal.labels[input_match_event_version]` (deprecated)
`input.match.event.version`	`additional.fields[input_match_event_version]`
`input.match.event.deadline`	`principal.labels[input_match_event_deadline]` (deprecated)
`input.match.event.deadline`	`additional.fields[input_match_event_deadline]`
`input.match.event.flagsExt`	`principal.labels[input_match_event_flags_ext]` (deprecated)
`input.match.event.flagsExt`	`additional.fields[input_match_event_flags_ext]`
`input.match.event.fsSubType`	`principal.labels[input_match_event_fs_subtype]` (deprecated)
`input.match.event.fsSubType`	`additional.fields[input_match_event_fs_subtype]`
`input.match.event.mntOnName`	`principal.labels[input_match_event_mnt_on_name]` (deprecated)
`input.match.event.mntOnName`	`additional.fields[input_match_event_mnt_on_name]`
`input.match.event.fsTypeName`	`principal.labels[input_match_event_fs_type_name]` (deprecated)
`input.match.event.fsTypeName`	`additional.fields[input_match_event_fs_type_name]`
`input.match.event.isReadOnly`	`principal.labels[input_match_event_is_read_only]` (deprecated)
`input.match.event.isReadOnly`	`additional.fields[input_match_event_is_read_only]`
`input.match.event.mntFromName`	`principal.labels[input_match_event_mnt_from_name]` (deprecated)
`input.match.event.mntFromName`	`additional.fields[input_match_event_mnt_from_name]`
`input.match.event.machTimestamp`	`principal.labels[input_match_event_mach_timestamp]` (deprecated)
`input.match.event.machTimestamp`	`additional.fields[input_match_event_mach_timestamp]`
`input.match.event.sequenceNumber`	`principal.labels[input_match_event_seq_number]` (deprecated)
`input.match.event.sequenceNumber`	`additional.fields[input_match_event_seq_number]`
`input.match.event.globalSequenceNumber`	`principal.labels[input_match_event_global_seq_number]` (deprecated)
`input.match.event.globalSequenceNumber`	`additional.fields[input_match_event_global_seq_number]`

后续步骤

将数据注入到 Google Security Operations 中