Mengumpulkan log Jamf Protect
Dokumen ini menjelaskan cara mengumpulkan log Jamf Protect dengan menyiapkan feed Google Security Operations dan cara kolom log dipetakan ke kolom Unified Data Model (UDM) Google Security Operations. Dokumen ini juga mencantumkan versi Jamf Protect yang didukung.
Untuk mengetahui informasi selengkapnya, lihat Penambahan data ke Google Security Operations.
Deployment umum terdiri dari Jamf Protect dan feed Google Security Operations yang dikonfigurasi untuk mengirim log ke Google Security Operations. Setiap deployment pelanggan dapat berbeda dan mungkin lebih kompleks.
Deployment berisi komponen berikut:
Jamf Protect. Platform Jamf Protect tempat Anda mengumpulkan log.
Feed Google Security Operations. Feed Google Security Operations yang mengambil log dari Jamf Protect dan menulis log ke Google Security Operations.
Google Security Operations. Google Security Operations menyimpan dan menganalisis log dari Jamf Protect.
Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah
ke format UDM terstruktur. Informasi dalam dokumen ini berlaku untuk parser
dengan label transfer JAMF_PROTECT
Sebelum memulai
- Pastikan Anda telah menyiapkan Jamf Protect.
- Pastikan Anda menggunakan Jamf Protect versi 4.0.0 atau yang lebih baru.
- Pastikan semua sistem dalam arsitektur deployment dikonfigurasi dengan zona waktu UTC.
Mengonfigurasi feed di Google Security Operations untuk menyerap log Jamf Protect
Anda dapat menggunakan Amazon S3 atau webhook untuk menyiapkan feed penyerapan di Google Security Operations, tetapi sebaiknya gunakan Amazon S3.
Menyiapkan feed penyerapan di Google SecOps menggunakan Amazon S3
- Buka Setelan SIEM > Feed.
- Klik Add New.
- Pilih Amazon S3 sebagai Source type.
- Untuk membuat feed untuk Jamf Protect, pilih Jamf Protect sebagai Jenis log.
- Klik Berikutnya.
- Simpan feed, lalu Kirim.
- Salin ID Feed dari nama feed yang akan digunakan di Jamf Protect.
Menyiapkan feed transfer di Google SecOps menggunakan webhook
- Buka Setelan SIEM > Feed.
- Klik Tambahkan baru.
- Di kolom Nama feed, masukkan nama untuk feed.
- Dalam daftar Source type, pilih Webhook.
- Untuk membuat feed untuk Jamf Protect, pilih Jamf Protect sebagai Jenis log.
- Klik Berikutnya.
- Opsional: Tentukan nilai untuk parameter input berikut:
- Pemisah pemisahan: pembatas yang digunakan untuk memisahkan baris log, seperti
. - Namespace aset: namespace aset.
- Label penyerapan: label yang akan diterapkan ke peristiwa dari feed ini.
- Pemisah pemisahan: pembatas yang digunakan untuk memisahkan baris log, seperti
- Klik Berikutnya.
- Tinjau konfigurasi feed baru Anda di layar Finalize, lalu klik Submit.
- Klik Buat Kunci Rahasia untuk membuat kunci rahasia guna mengautentikasi feed ini.
- Salin dan simpan Kunci rahasia. Anda tidak dapat melihat kunci rahasia ini lagi. Jika perlu, Anda dapat membuat ulang kunci rahasia baru, tetapi tindakan ini akan membuat kunci rahasia sebelumnya tidak berlaku lagi.
- Di tab Detail, salin URL endpoint feed dari kolom Endpoint Information. Anda memerlukan URL HTTPS ini untuk menyiapkan aplikasi klien Jamf Protect.
- Klik Selesai.
Membuat kunci API untuk feed webhook
Buka Konsol Google Cloud > Kredensial.
Klik Create credentials, lalu pilih API key.
Batasi akses kunci API ke Google Security Operations API.
Menyiapkan Jamf Protect untuk feed webhook
- Di aplikasi Jamf Protect, buka Konfigurasi tindakan terkait.
- Untuk menambahkan endpoint Data baru, klik Buat Tindakan.
- Pilih HTTP sebagai protokol.
- Masukkan URL HTTPS endpoint Google Security Operations API di kolom URL. (Ini adalah kolom Endpoint Information yang Anda salin dari penyiapan feed webhook. Sudah dalam format yang diperlukan.)
Aktifkan autentikasi dengan menentukan Kunci API dan Kunci secret sebagai bagian dari header kustom dalam format berikut:
X-goog-api-key = API_KEY X-Webhook-Access-Key = SECRET
Rekomendasi: Tentukan kunci API sebagai header, bukan menentukannya di URL. Jika klien webhook Anda tidak mendukung header kustom, Anda dapat menentukan Kunci API dan Kunci rahasia menggunakan parameter kueri dalam format berikut:
Ganti kode berikut:
: URL endpoint feed.API_KEY
: Kunci API untuk mengautentikasi ke Google Security Operations.SECRET
: Kunci rahasia yang Anda buat untuk mengautentikasi feed.
Di bagian Collect Logs, pilih Alerts & Unified Logs.
Klik Kirim.
Untuk informasi selengkapnya tentang feed Google Security Operations, lihat dokumentasi feed Google Security Operations. Untuk mengetahui informasi tentang persyaratan untuk setiap jenis feed, lihat Konfigurasi feed menurut jenis.
Jika Anda mengalami masalah saat membuat feed, hubungi dukungan Google Security Operations.
Jenis log Jamf Protect yang didukung
Tabel berikut mencantumkan jenis log yang didukung parser Jamf Protect:
Jenis Peristiwa | Nama tampilan |
GPClickEvent | Peristiwa Klik Sintetis |
GPDownloadEvent | Download Peristiwa |
GPFSEvent | Peristiwa Sistem File |
GPGatekeeperEvent | Peristiwa Gatekeeper |
GPKeylogRegisterEvent | Peristiwa Keylogger |
GPMRTEvent | Memantau Peristiwa |
GPPreventedExecutionEvent | Peristiwa Daftar Pencegahan Kustom |
GPProcessEvent | Memproses Peristiwa |
GPThreatMatchExecEvent | Peristiwa Pencegahan Ancaman |
GPUSBEvent | Peristiwa USB |
GPUnifiedLogEvent | Peristiwa Log Terpadu |
Auth-mount | Peristiwa Kontrol Perangkat |
Referensi pemetaan kolom
Bagian ini menjelaskan cara parser Google Security Operations memetakan kolom Jamf Protect ke kolom Unified Data Model (UDM) Google Security Operations.
Referensi pemetaan kolom: ID Peristiwa ke Jenis Peristiwa
Tabel berikut mencantumkan jenis logJAMF_PROTECT
dan jenis peristiwa UDM yang sesuai.
Event Identifier | Event Type |
GPClickEvent |
GPDownloadEvent |
GPFSEvent |
GPGatekeeperEvent |
GPKeylogRegisterEvent |
GPMRTEvent |
GPPreventedExecutionEvent |
GPProcessEvent |
GPThreatMatchExecEvent |
GPUSBEvent |
GPUnifiedLogEvent |
GPScreenshotEvent |
Auth-mount |
Referensi pemetaan kolom: JAMF_PROTECT
Tabel berikut mencantumkan kolom log dari jenis logJAMF_PROTECT
dan kolom UDM yang sesuai.
Log field | UDM mapping | Logic |
about.platform |
The about.platform UDM field is set to MAC . |
caid |
about.labels[caid] (deprecated) |
caid |
additional.fields[caid] |
certid |
principal.asset.attribute.labels [certid] |
| |
principal.user.attribute.permissions.description |
| |
principal.user.attribute.labels [context_identity_claims_clientid] |
input.eventType |
metadata.product_event_type |
| |
principal.hostname |
| |
principal.ip |
| |
principal.platform_version |
| |
principal.asset.attribute.labels [input_host_protectversion] |
input.match.version |
additional.fields [input_match_version] |
input.match.facts.matchReason |
security_result.detection_fields [input_match_facts_matchreason] |
input.related.files.objectType |
additional.fields [input_related_files_objecttype] |
| |
principal.asset.product_object_id |
| |
principal.asset.hardware.serial_number |
| |
security_result.outcomes [input_match_actions_name] |
input.match.actions.parameters.message |
security_result.summary |
If the index value is equal to 0 , then the input.match.actions.parameters.message log field is mapped to the security_result.summary UDM field.Else, the input.match.actions.parameters.message log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.actions.parameters.title |
security_result.description |
If the index value is equal to 0 , then the input.match.actions.parameters.title log field is mapped to the security_result.description UDM field.Else, the input.match.actions.parameters.title log field is mapped to the security_result.detection_fields.value UDM field. | |
security_result.detection_fields.key |
input.match.context.value |
security_result.detection_fields.value [Name] |
input.match.context.valueType |
input.match.custom |
security_result.detection_fields [input_match_custom] |
input.match.event.blocked |
security_result.action |
If the input.match.event.blocked log field value is not empty, then the security_result.action UDM field is set to BLOCK . |, input.match.uuid |
security_result.url_back_to_product |
The security_result.url_back_to_product UDM field is set to . |
input.match.event.category |
security_result.category_details |
input.match.event.clickType |
principal.labels[input_match_event_click_type] (deprecated) |
If the input.match.event.clickType log field value is equal to 0 , then the principal.labels.value UDM field is set to 0 - Other .Else, if the input.match.event.clickType log field value is equal to 1 , then the principal.labels.value UDM field is set to 1 - Left Down .Else, if the input.match.event.clickType log field value is equal to 2 , then the principal.labels.value UDM field is set to 2 - Left Up .Else, if the input.match.event.clickType log field value is equal to 3 , then the principal.labels.value UDM field is set to 3 - Right Down .Else, if the input.match.event.clickType log field value is equal to 4 , then the principal.labels.value UDM field is set to 4 - Right Up . |
input.match.event.clickType |
additional.fields[input_match_event_click_type] |
If the input.match.event.clickType log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - Other .Else, if the input.match.event.clickType log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Left Down .Else, if the input.match.event.clickType log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 2 - Left Up .Else, if the input.match.event.clickType log field value is equal to 3 , then the additional.fields.value.string_value UDM field is set to 3 - Right Down .Else, if the input.match.event.clickType log field value is equal to 4 , then the additional.fields.value.string_value UDM field is set to 4 - Right Up . |
input.match.event.composedMessage |
principal.labels[input_match_event_composed_message] (deprecated) |
input.match.event.composedMessage |
additional.fields[input_match_event_composed_message] |
| |
principal.labels[input_match_event_dev] (deprecated) |
| |
additional.fields[input_match_event_dev] |
input.match.event.eventID |
principal.labels[input_match_event_eventID] (deprecated) |
input.match.event.eventID |
additional.fields[input_match_event_eventID] |
input.match.event.gid |
principal.user.group_identifiers |
input.match.event.iNode |
target.file.stat_inode |
input.match.event.matchType |
principal.labels[input_match_event_match_type] (deprecated) |
input.match.event.matchType |
additional.fields[input_match_event_match_type] |
input.match.event.matchValue |
security_result.threat_name |
If the input.match.event.matchType log field value is not empty, then the input.match.event.matchValue log field is mapped to the security_result.threat_name UDM field. | |
about.labels[input_match_event_name] (deprecated) |
| |
additional.fields[input_match_event_name] |
| |
metadata.description |
If the index value is equal to 0 , then the log field is mapped to the metadata.description UDM field. |
input.match.event.path |
target.process.file.full_path |
| | |
input.match.event.prevFile |
src.file.full_path |
If the input.match.event.prevFile log field value is not empty, then the input.match.event.prevFile log field is mapped to the src.file.full_path UDM field. |
input.match.event.process |
principal.process.file.names |
input.match.event.process.args |
target.process.command_line_history |
input.match.event.process.gid | |
| |
target.process.file.names |
input.match.event.process.originalParentPID | |
input.match.event.process.path |
target.process.file.full_path |
input.match.event.process.pgid |
target.labels[input_match_event_processes_pgid] (deprecated) |
input.match.event.process.pgid |
additional.fields[input_match_event_processes_pgid] |
| | |
input.match.event.process.ppid |
target.labels[input_match_event_process_ppid] (deprecated) |
input.match.event.process.ppid |
additional.fields[input_match_event_process_ppid] |
input.match.event.process.responsiblePID |
target.labels[input_match_event_process_responsible_pid] (deprecated) |
input.match.event.process.responsiblePID |
additional.fields[input_match_event_process_responsible_pid] |
input.match.event.process.rgid |
target.labels[input_match_event_process_rgid] (deprecated) |
input.match.event.process.rgid |
additional.fields[input_match_event_process_rgid] |
input.match.event.process.ruid |
target.labels[input_match_event_process_ruid] (deprecated) |
input.match.event.process.ruid |
additional.fields[input_match_event_process_ruid] |
input.match.event.process.signingInfo.appid |
target.user.attribute.labels [input_match_event_process_sign_appid] |
input.match.event.process.signingInfo.authorities |
target.user.attribute.permissions |
input.match.event.process.signingInfo.cdhash |
target.user.attribute.labels [input_match_event_process_sign_cdhash] |
input.match.event.process.signingInfo.entitlements |
target.user.attributes.permissions |
input.match.event.process.signingInfo.signerType |
target.user.attribute.labels [input_match_event_process_sign_signer_type] |
If the input.related.process.signingInfo.signerType log field value is equal to 0 , then the target.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.process.signingInfo.signerType log field value is equal to 1 , then the target.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.process.signingInfo.signerType log field value is equal to 2 , then the target.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.process.signingInfo.signerType log field value is equal to 3 , then the target.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.process.signingInfo.signerType log field value is equal to 4 , then the target.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.match.event.process.signingInfo.status |
target.user.attribute.labels [input_match_event_process_sign_status] |
input.match.event.process.signingInfo.statusMessage |
target.labels[input_match_event_process_sign_status_message] (deprecated) |
input.match.event.process.signingInfo.statusMessage |
additional.fields[input_match_event_process_sign_status_message] |
input.match.event.process.signingInfo.teamid |
target.user.group_identifiers |
input.match.event.process.startTimestamp |
target.labels[input_match_event_process_start_time_stamp] (deprecated) |
input.match.event.process.startTimestamp |
additional.fields[input_match_event_process_start_time_stamp] |
input.match.event.process.uid |
target.labels[input_match_event_process_uid] (deprecated) |
input.match.event.process.uid |
additional.fields[input_match_event_process_uid] |
input.match.event.process.uuid |
target.process.product_specific_process_id |
The Process Uuid: input.match.event.process.uuid log field is mapped to the target.process.product_specific_process_id UDM field. |
input.match.event.processIdentifier | |
input.match.event.processImagePath |
target.process.file.full_path |
input.match.event.rateLimitingSecs |
principal.labels[input_match_event_rate_limiting_secs] (deprecated) |
input.match.event.rateLimitingSecs |
additional.fields[input_match_event_rate_limiting_secs] |
input.match.event.scriptPath |
principal.labels[input_match_event_script_path] (deprecated) |
input.match.event.scriptPath |
additional.fields[input_match_event_script_path] |
input.match.event.sender |
principal.labels[input_match_event_sender] (deprecated) |
input.match.event.sender |
additional.fields[input_match_event_sender] |
input.match.event.senderImagePath |
principal.labels[input_match_event_sender_image_path] (deprecated) |
input.match.event.senderImagePath |
additional.fields[input_match_event_sender_image_path] |
input.match.event.subsystem |
principal.labels[input_match_event_subsystem] (deprecated) |
input.match.event.subsystem |
additional.fields[input_match_event_subsystem] |
input.match.event.subType |
principal.labels[input_match_event_sub_type] (deprecated) |
If the input.match.event.subType log field value is equal to 7 , then the principal.labels.value UDM field is set to 7 - Exec .Else, if the input.match.event.subType log field value is equal to 2 , then the principal.labels.value UDM field is set to 2 - Fork .Else, if the input.match.event.subType log field value is equal to 1 , then the principal.labels.value UDM field is set to 1 - Exit .Else, if the input.match.event.subType log field value is equal to 23 , then the principal.labels.value UDM field is set to 23 - Execve .Else, if the input.match.event.subType log field value is equal to 43190 , then the principal.labels.value UDM field is set to 43190 - Posix Spawn . |
input.match.event.subType |
additional.fields[input_match_event_sub_type] |
If the input.match.event.subType log field value is equal to 7 , then the additional.fields.value.string_value UDM field is set to 7 - Exec .Else, if the input.match.event.subType log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 2 - Fork .Else, if the input.match.event.subType log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Exit .Else, if the input.match.event.subType log field value is equal to 23 , then the additional.fields.value.string_value UDM field is set to 23 - Execve .Else, if the input.match.event.subType log field value is equal to 43190 , then the additional.fields.value.string_value UDM field is set to 43190 - Posix Spawn . |
input.match.event.tags |
security_result.rule_labels [input_match_event_tags] |
input.match.event.targetpid | |
input.match.event.timestamp |
metadata.event_timestamp |
input.match.event.type |
target.labels[input_match_event_type] (deprecated) |
If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0 , then the target.labels.value UDM field is set to 0 - Created .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1 , then the target.labels.value UDM field is set to 1 - Deleted .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3 , then the target.labels.value UDM field is set to 3 - Renamed .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4 , then the target.labels.value UDM field is set to 4 - Modified .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7 , then the target.labels.value UDM field is set to 7 - Created Dir .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0 , then the target.labels.value UDM field is set to 0 - None .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1 , then the target.labels.value UDM field is set to 1 - Create .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2 , then the target.labels.value UDM field is set to 0 - Exit . |
input.match.event.type |
additional.fields[input_match_event_type] |
If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - Created .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Deleted .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3 , then the additional.fields.value.string_value UDM field is set to 3 - Renamed .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4 , then the additional.fields.value.string_value UDM field is set to 4 - Modified .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7 , then the additional.fields.value.string_value UDM field is set to 7 - Created Dir .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - None .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Create .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 0 - Exit . |
input.match.event.uid |
principal.user.userid |
input.match.event.uuid |
about.labels[input_match_event_uuid] (deprecated) |
input.match.event.uuid |
additional.fields[input_match_event_uuid] |
| |
security_result.action_details |
If the index value is equal to 0 , then the log field is mapped to the security_result.action_details UDM field.Else, the log field is mapped to the security_result.about.labels.value UDM field. | |
security_result.detection_fields [input_match_facts_actions_parameters_id] |
input.match.facts.actions.parameters.message |
security_result.detection_fields [input_match_facts_actions_parameters_message] |
input.match.facts.actions.parameters.title |
security_result.detection_fields [input_match_facts_actions_parameters_title] |
| |
security_result.detection_fields.key |
input.match.facts.context.value |
security_result.detection_fields.value [Name] |
input.match.facts.context.valueType |
input.match.facts.human |
security_result.action |
If the input.match.facts.human log field value is matched with regex (?i)blocked , then the security_result.action UDM field is set to BLOCK . |
input.match.facts.human |
security_result.description |
If the index value is equal to 0 , then the input.match.facts.human log field is mapped to the security_result.description UDM field.Else, the input.match.facts.human log field is mapped to the security_result.detection_fields.value UDM field. | |
security_result.summary |
If the index value is equal to 0 , then the log field is mapped to the security_result.summary UDM field.Else, the log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.severity |
security_result.detection_fields [input_match_facts_severity] |
input.match.facts.tags |
security_result.rule_labels [input_match_facts_tags] |
input.match.facts.uuid |
about.labels [input_match_facts_uuid] |
input.match.facts.version |
about.labels [input_match_facts_version] |
input.match.severity |
security_result.severity |
If the severity log field value is equal to 0 , then the security_result.severity UDM field is set to INFORMATIONAL .Else, if the severity log field value is equal to 1 , then the security_result.severity UDM field is set to LOW .Else, if the severity log field value is equal to 2 , then the security_result.severity UDM field is set to MEDIUM .Else, if the severity log field value is equal to 3 , then the security_result.severity UDM field is set to HIGH . |
input.match.tags |
security_result.rule_labels [input_match_tags] |
input.match.uuid |
metadata.product_log_id |
input.related.binaries.accessed |
security_result.about.labels [input_related_binaries_accessed] |
input.related.binaries.changed |
security_result.about.labels [input_related_binaries_changed] |
input.related.binaries.created |
security_result.about.file.first_seen_time |
If the index value is equal to 0 , then the input.related.binaries.created log field is mapped to the security_result.about.file.first_seen_time UDM field.Else, the input.related.binaries.created log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.fsid |
security_result.about.labels [input_related_binaries_fsid] |
input.related.binaries.gid |
security_result.about.labels [input_related_binaries_gid] |
input.related.binaries.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0 , then the input.related.binaries.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.binaries.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.isAppBundle |
security_result.about.labels [isAppBundle] |
input.related.binaries.isDirectory |
security_result.about.labels [isDirectory] |
input.related.binaries.isDownload |
security_result.about.labels [isDownload] |
input.related.binaries.isScreenShot |
security_result.about.labels [isScreenShot] |
input.related.binaries.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0 , then the input.related.binaries.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.binaries.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0 , then the input.related.binaries.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.binaries.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.path |
security_result.about.file.full_path |
If the index value is equal to 0 , then the input.related.binaries.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.binaries.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0 , then the input.related.binaries.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.binaries.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0 , then the input.related.binaries.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.binaries.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.authorities |
security_result.about.user.attribute.permissions |
input.related.binaries.signingInfo.cdhash |
security_result.about.labels [input_related_binaries_sign_cdhash] |
input.related.binaries.signingInfo.entitlements |
security_result.about.user.attribute.permisisons |
input.related.binaries.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type] |
If the input.related.binaries.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.binaries.signingInfo.status |
security_result.about.user.attribute.labels [input_related_binaries_sign_status] |
input.related.binaries.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
input.related.binaries.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.size |
security_result.about.file.size |
If the index value is equal to 0 , then the input.related.binaries.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.binaries.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.binaries.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.binaries.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.xattrs |
security_result.about.user.attribute.labels [input_related_binaries_xattrs] |
input.related.files.accessed |
security_result.about.labels [input_related_files_accessed] |
input.related.files.changed |
security_result.about.labels [input_related_files_changed] |
input.related.files.created |
security_result.about.labels [input_related_files_created] |
input.related.files.downloadedFrom |
security_result.about.labels [input_related_files_downloaded_from] |
input.related.files.fsid |
security_result.about.labels [input_related_files_downloaded_fsid] |
input.related.files.gid | |
If the index value is equal to 0 , then the input.related.files.gid log field is mapped to the UDM field.Else, the input.related.files.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0 , then the input.related.files.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.files.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.isAppBundle |
security_result.about.labels [input_related_files_downloaded_is_app_bundle] |
input.related.files.isDirectory |
security_result.about.labels [input_related_files_is_directory] |
input.related.files.isDownload |
security_result.about.labels [input_related_files_is_download] |
input.related.files.isScreenShot |
security_result.about.labels [input_related_files_is_screenshot] |
input.related.files.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0 , then the input.related.files.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.files.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0 , then the input.related.files.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.files.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.path |
security_result.about.file.full_path |
If the index value is equal to 0 , then the input.related.files.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.files.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0 , then the input.related.files.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.files.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0 , then the input.related.files.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.files.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.files.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.files.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.authorities |
security_result.about.user.attribute.permissions |
input.related.files.signingInfo.cdhash |
security_result.about.labels [[input_related_files_sign_cdhash] |
input.related.files.signingInfo.entitlements |
security_result.about.user.attribute.permissions |
input.related.files.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type] |
If the input.related.files.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.files.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.files.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.files.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.files.signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.files.signingInfo.status |
security_result.about.user.attribute.labels [input_related_files_signing_info_status] |
input.related.files.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_files_signing_info_status_message] |
input.related.files.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.size |
security_result.about.file.size |
If the index value is equal to 0 , then if the input.related.files.size log field value is not equal to 0 , then the input.related.files.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.files.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.files.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.files.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.xattrs |
security_result.about.labels [input_related_files_xattrs] |
input.related.groups.gid | [input_related_groups_gid] |
| | |
If the index value is equal to 0 , then the log field is mapped to the UDM field.Else, the log field is mapped to the UDM field. |
input.related.groups.uuid | |
If the index value is equal to 0 , then the input.related.groups.uuid log field is mapped to the UDM field.Else, the input.related.groups.uuid log field is mapped to the UDM field. |
input.related.processes.appPath |
security_result.about.labels [input_related_processes_app_path] |
input.related.processes.args |
security_result.about.process.command_line_history |
input.related.processes.exitCode |
security_result.about.labels [input_related_processes_exit_code] |
input.related.processes.gid | |
If the index value is equal to 0 , then the input.related.processes.gid log field is mapped to the UDM field.Else, the input.related.processes.gid log field is mapped to the security_result.about.labels.value UDM field. | |
security_result.about.process.file.names |
input.related.processes.originalParentPID | |
If the index value is equal to 0 , then the input.related.processes.originalParentPID log field is mapped to the UDM field.Else, the input.related.processes.originalParentPID log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.path |
security_result.about.process.file.full_path |
If the index value is equal to 0 , then the input.related.processes.path log field is mapped to the security_result.about.process.file.full_path UDM field.Else, the input.related.processes.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.pgid |
security_result.about.labels [input_related_process_pgid] |
| | |
If the index value is equal to 0 , then the log field is mapped to the UDM field.Else, the log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.ppid |
security_result.about.labels [input_related_processes_ppid] |
input.related.processes.responsiblePID |
security_result.about.labels [input_related_processes_responsible_pid] |
input.related.processes.rgid |
security_result.about.labels [input_related_processes_rgid] |
input.related.processes.ruid |
security_result.about.labels [input_related_processes_ruid] |
input.related.processes.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.signingInfo.authorities |
security_result.about.user.attributes.permission |
input.related.processes.signingInfo.cdhash |
security_result.about.user.attribute.labels [input_related_processes_sign_cdhash] |
input.related.processes.signingInfo.entitlements |
security_result.about.user.attributes.permission |
input.related.processes.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_processes_sign_signer_type] |
If the input.related.processes.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.processes .signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.processes.signingInfo.status |
security_result.about.user.attribute.labels [input_related_processes_sign_status] |
input.related.processes.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
input.related.processes.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.startTimestamp |
security_result.about.labels [input_related_processes_start_time_stamp] |
input.related.processes.tty |
security_result.about.labels [input_related_processes_tty] |
input.related.processes.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.processes.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.processes.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.processes.uuid |
security_result.about.process.product_specific_process_id |
If the index value is equal to 0 , then the Process Uuid: input.related.processes.uuid log field is mapped to the security_result.about.process.product_specific_process_id UDM field.Else, the input.related.processes.uuid log field is mapped to the security_result.about.labels.value UDM field. | |
security_result.about.user.user_display_name |
If the index value is equal to 0 , then the log field is mapped to the security_result.about.user.user_display_name UDM field.Else, the log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.users.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.users.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uuid |
security_result.about.user.product_object_id |
If the index value is equal to 0 , then the input.related.users.uuid log field is mapped to the security_result.about.user.product_object_id UDM field.Else, the input.related.users.uuid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
key |
about.labels[key] (deprecated) |
key |
additional.fields[key] |
path |
target.file.full_path |
If the index value is equal to 0 , then the path log field is mapped to the target.file.full_path UDM field.Else, the path log field is mapped to the target.labels.value UDM field. |
queue |
principal.labels[queue] (deprecated) |
queue |
additional.fields[queue] |
region | |
timestamp |
metadata.creation_timestamp |
topic |
about.labels[topic] (deprecated) |
topic |
additional.fields[topic] |
topicType |
about.labels[topicType] (deprecated) |
topicType |
additional.fields[topicType] |
version |
metadata.product_version |
is_alert |
The is_alert UDM field is set to TRUE . |
is_significant |
The is_significant UDM field is set to TRUE . |
input.eventType |
metadata.event_type |
metadata.product_name |
The metadata.product_name UDM field is set to JAMF_PROTECT . |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to JAMF . |
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to STORAGE_BUCKET . |
target.resource.resource_type |
The target.resource.resource_type UDM field is set to STORAGE_BUCKET . |
input.match.event.options |
about.labels[input_match_event_options] (deprecated) |
input.match.event.options |
additional.fields[input_match_event_options] |
input.match.event.sourcePID | |
input.match.event.destinationPID | |
image.match.event.detection |
security_result.detection_fields [image_match_event_detection] |
input.match.type |
target.asset.attribute.labels [input_match_type] |
If the input.match.type log field value is equal to 0 , then the target.asset.attribute.labels.value UDM field is set to 0 - Device Inserted .Else, if the input.match.type log field value is equal to 1 , then the target.asset.attribute.labels.value UDM field is set to 1 - Device Removed . |
input.match.usbAddress |
target.asset.attribute.labels [input_match_usb_address] |
input.match.event.device.mediaPath |
target.asset.attribute.labels [input_match_device_media_path] |
input.match.event.device.protocol |
target.asset.attribute.labels [input_match_device_protocol] |
input.match.event.device.deviceModel |
target.asset.hardware.model |
input.match.event.device.isRemovable |
target.asset.attribute.labels [input_match_device_is_removable] |
input.match.event.device.mediaName |
target.asset.attribute.labels [input_match_device_media_name] |
input.match.event.device.bsdMinor |
target.asset.attribute.labels [input_match_device_bsd_minor] |
input.match.event.device.vendorName | |
input.match.event.device.isWhole |
target.asset.attribute.labels [input_match_device_is_whole] |
input.match.event.device.unit |
target.asset.attribute.labels [input_match_device_unit] |
input.match.event.device.deviceSubclass |
target.asset.attribute.labels [input_match_device_subclass] |
input.match.event.device.serialNumber |
target.asset.hardware.serial |
input.match.event.device.bsdUnit |
target.asset.attribute.labels [input_match_device_bsd_unit] |
input.match.event.device.busPath |
target.asset.attribute.labels [input_match_device_bus_path] |
input.match.event.device.isLeaf |
target.asset.attribute.labels [input_match_device_is_leaf] |
input.match.event.device.isInternal |
target.asset.attribute.labels [input_match_device_is_internal] |
input.match.event.device.busName |
target.asset.attribute.labels [input_match_device_bus_name] |
input.match.event.device.bsdMajor |
target.asset.attribute.labels [input_match_device_bsd_major] |
input.match.event.device.isEjectable |
target.asset.attribute.labels [input_match_device_is_ejectable] |
input.match.event.device.isEncrypted |
target.asset.attribute.labels [input_match_device_is_encrypted] |
input.match.event.device.isEncryptable |
target.asset.attribute.labels [input_match_device_is_encryptable] |
input.match.event.device.devicePath |
target.asset.attribute.labels [input_match_device_path] |
input.match.event.device.bsdName |
target.asset.attribute.labels [input_match_device_bsd_name] |
input.match.event.device.vendorId |
target.asset.attribute.labels [input_match_device_vendor_id] |
input.match.event.device.content |
target.asset.attribute.labels [input_match_device_content] |
input.match.event.device.revision |
target.asset.attribute.labels [input_match_device_revision] |
input.match.event.device.size |
target.asset.attribute.labels [input_match_device_size] |
input.match.event.device.isNetworkVolume |
target.asset.attribute.labels [input_match_device_is_network_volume] |
input.match.event.device.blocksize |
target.asset.attribute.labels [input_match_device_block_size] |
input.match.event.device.productName |
target.asset.attribute.labels [input_match_device_product_name] |
input.match.event.device.mediaKind |
target.asset.attribute.labels [input_match_device_media_kind] |
input.match.event.device.isWritable |
target.asset.attribute.labels [input_match_device_is_writable] |
input.match.event.device.productId |
target.asset.product_object_id |
input.match.event.device.productId |
target.asset.asset_id |
The Asset Id: input.match.event.device.productId log field is mapped to the target.asset.asset_id UDM field. |
input.match.event.device.deviceClass |
target.asset.category |
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_device_encryption_detail] |
input.match.event.device.volumeKind |
target.asset.attribute.labels [input_match_event_device_volume_kind] |
input.match.event.device.volumeName |
target.asset.attribute.labels [input_match_event_device_volume_name] |
input.match.event.device.volumeType |
target.asset.attribute.labels [input_match_event_device_volume_type] |
input.match.event.device.isMountable |
target.asset.attribute.labels [input_match_event_device_is_mountable] |
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_event_device_encryption_detail] |
input.match.event.fsid |
principal.labels [input_match_event_fsid] |
input.match.event.bfree |
principal.labels[input_match_event_bfree] (deprecated) |
input.match.event.bfree |
additional.fields[input_match_event_bfree] |
input.match.event.bsize |
principal.labels[input_match_event_bsize] (deprecated) |
input.match.event.bsize |
additional.fields[input_match_event_bsize] |
input.match.event.ffree |
principal.labels[input_match_event_ffree] (deprecated) |
input.match.event.ffree |
additional.fields[input_match_event_ffree] |
input.match.event.files |
principal.labels[input_match_event_files] (deprecated) |
input.match.event.files |
additional.fields[input_match_event_files] |
input.match.event.flags |
principal.labels[input_match_event_flags] (deprecated) |
input.match.event.flags |
additional.fields[input_match_event_flags] |
input.match.event.owner |
principal.user.user_display_name |
input.match.event.bavail |
principal.labels[input_match_event_bvail] (deprecated) |
input.match.event.bavail |
additional.fields[input_match_event_bvail] |
input.match.event.blocks |
principal.labels[input_match_event_blocks] (deprecated) |
input.match.event.blocks |
additional.fields[input_match_event_blocks] |
input.match.event.iosize |
principal.labels[input_match_event_iosize] (deprecated) |
input.match.event.iosize |
additional.fields[input_match_event_iosize] |
input.match.event.version |
principal.labels[input_match_event_version] (deprecated) |
input.match.event.version |
additional.fields[input_match_event_version] |
input.match.event.deadline |
principal.labels[input_match_event_deadline] (deprecated) |
input.match.event.deadline |
additional.fields[input_match_event_deadline] |
input.match.event.flagsExt |
principal.labels[input_match_event_flags_ext] (deprecated) |
input.match.event.flagsExt |
additional.fields[input_match_event_flags_ext] |
input.match.event.fsSubType |
principal.labels[input_match_event_fs_subtype] (deprecated) |
input.match.event.fsSubType |
additional.fields[input_match_event_fs_subtype] |
input.match.event.mntOnName |
principal.labels[input_match_event_mnt_on_name] (deprecated) |
input.match.event.mntOnName |
additional.fields[input_match_event_mnt_on_name] |
input.match.event.fsTypeName |
principal.labels[input_match_event_fs_type_name] (deprecated) |
input.match.event.fsTypeName |
additional.fields[input_match_event_fs_type_name] |
input.match.event.isReadOnly |
principal.labels[input_match_event_is_read_only] (deprecated) |
input.match.event.isReadOnly |
additional.fields[input_match_event_is_read_only] |
input.match.event.mntFromName |
principal.labels[input_match_event_mnt_from_name] (deprecated) |
input.match.event.mntFromName |
additional.fields[input_match_event_mnt_from_name] |
input.match.event.machTimestamp |
principal.labels[input_match_event_mach_timestamp] (deprecated) |
input.match.event.machTimestamp |
additional.fields[input_match_event_mach_timestamp] |
input.match.event.sequenceNumber |
principal.labels[input_match_event_seq_number] (deprecated) |
input.match.event.sequenceNumber |
additional.fields[input_match_event_seq_number] |
input.match.event.globalSequenceNumber |
principal.labels[input_match_event_global_seq_number] (deprecated) |
input.match.event.globalSequenceNumber |
additional.fields[input_match_event_global_seq_number] |
Langkah berikutnya
