Jamf Protect-Protokolle erfassen
In diesem Dokument wird beschrieben, wie Sie Jamf Protect-Logs erfassen können, indem Sie einen Chronicle-Feed einrichten, und wie Logfelder den Feldern von Chronicle Unified Data Model (UDM) zugeordnet werden. In diesem Dokument wird auch die unterstützte Jamf Protect-Version aufgeführt.
Weitere Informationen finden Sie unter Datenaufnahme in Chronicle.
Eine typische Bereitstellung besteht aus Jamf Protect und dem Chronicle-Feed, der so konfiguriert ist, dass Logs an Chronicle gesendet werden. Jede Kundenbereitstellung kann anders und komplexer sein.
Die Bereitstellung enthält die folgenden Komponenten:
Jamf Protect. Die Jamf Protect-Plattform, über die Sie Protokolle erfassen.
Chronicle-Feed: Der Chronicle-Feed, der Protokolle von Jamf Protect abruft und in Chronicle schreibt.
Chronicle: Chronicle speichert und analysiert die Protokolle von Jamf Protect.
Ein Aufnahmelabel identifiziert den Parser, der die Log-Rohdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument gelten für den Parser mit dem Aufnahmelabel JAMF_PROTECT.
Hinweise
- Achten Sie darauf, dass Sie Jamf Protect Version 4.0.0 oder höher verwenden.
- Achten Sie darauf, dass alle Systeme in der Bereitstellungsarchitektur mit der Zeitzone UTC konfiguriert sind.
Feed in Chronicle konfigurieren, um Jamf Protect-Logs aufzunehmen
- Wählen Sie im Chronicle-Menü die Einstellungen aus und klicken Sie dann auf Feeds.
- Klicken Sie auf Add new (Neuen Eintrag hinzufügen).
- Wählen Sie Amazon S3 als Quelltyp aus.
- Wenn Sie einen Feed für Jamf Protect erstellen möchten, wählen Sie Jamf Protect-Warnungen als Protokolltyp aus.
- Klicken Sie auf Next (Weiter).
- Speichern Sie den Feed und klicken Sie dann auf Senden.
- Kopieren Sie die Feed-ID aus dem Feednamen, um sie in Jamf Protect zu verwenden.
Weitere Informationen zu Chronicle-Feeds finden Sie in der Dokumentation zu Chronicle-Feeds. Informationen zu den Anforderungen an die einzelnen Feedtypen finden Sie unter Feedkonfiguration nach Typ.
Wenn beim Erstellen von Feeds Probleme auftreten, wenden Sie sich an den Chronicle-Support.
Unterstützte Protokolltypen für Jamf Protect
In der folgenden Tabelle sind die Logtypen aufgeführt, die vom Jamf Protect-Parser unterstützt werden:
| Ereignistyp | Anzeigename |
|---|---|
| GPClickEvent | Synthetische Klickereignisse |
| GPDownloadEvent | Ereignisse herunterladen |
| GPFSEvent | Dateisystemereignisse |
| GPGatekeeperEvent | Veranstaltungen für Gatekeeper |
| GPKeylogRegisterEvent | Keylogger-Ereignisse |
| GPMRTEvent | Ereignisse überwachen |
| GPPreventedExecutionEvent | Benutzerdefinierte Ereignisse vom Typ „Verhindern“ |
| GPProcessEvent | Ereignisse verarbeiten |
| GPThreatMatchExecEvent | Ereignisse zum Schutz vor Bedrohungen |
| GPUSBEvent | USB-Ereignisse |
| GPUnifiedLogEvent | Einheitliche Protokollereignisse |
| Authentifizierungsbereitstellung | Gerätesteuerungsereignisse |
Referenz zur Feldzuordnung
In diesem Abschnitt wird erläutert, wie der Chronicle-Parser Jamf Protect-Feldern den Feldern von Chronicle Unified Data Model (UDM) zuordnet.
Referenz zur Feldzuordnung: Ereignis-ID und Ereignistyp
In der folgenden Tabelle sind dieJAMF_PROTECT-Logtypen und die entsprechenden UDM-Ereignistypen aufgeführt.
| Event Identifier | Event Type |
|---|---|
GPClickEvent |
SCAN_UNCATEGORIZED |
GPDownloadEvent |
SCAN_FILE |
GPFSEvent |
SCAN_FILE |
GPGatekeeperEvent |
SCAN_UNCATEGORIZED |
GPKeylogRegisterEvent |
SCAN_UNCATEGORIZED |
GPMRTEvent |
SCAN_UNCATEGORIZED |
GPPreventedExecutionEvent |
SCAN_UNCATEGORIZED |
GPProcessEvent |
SCAN_PROCESS |
GPThreatMatchExecEvent |
SCAN_UNCATEGORIZED |
GPUSBEvent |
SCAN_UNCATEGORIZED |
GPUnifiedLogEvent |
SCAN_UNCATEGORIZED |
Auth-mount |
SCAN_UNCATEGORIZED |
Referenz zur Feldzuordnung: JAMF_PROTECT
In der folgenden Tabelle sind die Logfelder des LogtypsJAMF_PROTECT und die entsprechenden UDM-Felder aufgeführt.
| Log field | UDM mapping | Logic |
|---|---|---|
|
about.platform |
The about.platform UDM field is set to MAC. |
caid |
about.labels [caid] |
|
certid |
principal.asset.attribute.labels [certid] |
|
context.identity.claims.certid |
principal.user.attribute.permissions.description |
|
context.identity.claims.clientid |
principal.user.attribute.labels [context_identity_claims_clientid] |
|
input.eventType |
metadata.product_event_type |
|
input.host.hostname |
principal.hostname |
|
input.host.ips |
principal.ip |
|
input.host.provisioningUDID |
principal.asset.product_object_id |
|
input.host.serial |
principal.asset.hardware.serial_number |
|
input.match.actions.name |
security_result.outcomes [input_match_actions_name] |
|
input.match.actions.parameters.message |
security_result.summary |
If the index value is equal to 0, then the input.match.actions.parameters.message log field is mapped to the security_result.summary UDM field.Else, the input.match.actions.parameters.message log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.actions.parameters.title |
security_result.description |
If the index value is equal to 0, then the input.match.actions.parameters.title log field is mapped to the security_result.description UDM field.Else, the input.match.actions.parameters.title log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.context.name |
security_result.detection_fields.key |
|
input.match.context.value |
security_result.detection_fields.value [Name] |
|
input.match.context.valueType |
|
|
input.match.custom |
security_result.detection_fields [input_match_custom] |
|
input.match.event.blocked |
security_result.action |
If the input.match.event.blocked log field value is not empty, then the security_result.action UDM field is set to BLOCK. |
context.identity.claims.hd, input.match.uuid |
security_result.url_back_to_product |
The security_result.url_back_to_product UDM field is set to https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid. |
input.match.event.category |
security_result.category_details |
|
input.match.event.clickType |
principal.labels [input_match_event_click_type] |
If the input.match.event.clickType log field value is equal to 0, then the principal.labels.value UDM field is set to 0 - Other.Else, if the input.match.event.clickType log field value is equal to 1, then the principal.labels.value UDM field is set to 1 - Left Down.Else, if the input.match.event.clickType log field value is equal to 2, then the principal.labels.value UDM field is set to 2 - Left Up.Else, if the input.match.event.clickType log field value is equal to 3, then the principal.labels.value UDM field is set to 3 - Right Down.Else, if the input.match.event.clickType log field value is equal to 4, then the principal.labels.value UDM field is set to 4 - Right Up. |
input.match.event.composedMessage |
principal.labels [input_match_event_composed_message] |
|
input.match.event.dev |
principal.labels [input_match_event_dev] |
|
input.match.event.eventID |
principal.labels [input_match_event_id] |
|
input.match.event.gid |
principal.user.group_identifiers |
|
input.match.event.iNode |
target.file.stat_inode |
|
input.match.event.matchType |
principal.labels [input_match_event_match_type] |
|
input.match.event.matchValue |
security_result.threat_name |
If the input.match.event.matchType log field value is not empty, then the input.match.event.matchValue log field is mapped to the security_result.threat_name UDM field. |
input.match.event.name |
about.labels [input_match_event_name] |
|
input.match.facts.name |
metadata.description |
If the index value is equal to 0, then the input.match.facts.name log field is mapped to the metadata.description UDM field. |
input.match.event.path |
target.process.file.full_path |
|
input.match.event.pid |
principal.process.pid |
|
input.match.event.prevFile |
src.file.full_path |
If the input.match.event.prevFile log field value is not empty, then the input.match.event.prevFile log field is mapped to the src.file.full_path UDM field. |
input.match.event.process |
principal.process.file.names |
|
input.match.event.process.args |
target.process.command_line_history |
|
input.match.event.process.gid |
target.group.product_object_id |
|
input.match.event.process.name |
target.process.file.names |
|
input.match.event.process.originalParentPID |
target.process.parent_process.pid |
|
input.match.event.process.path |
target.process.file.full_path |
|
input.match.event.process.pgid |
target.labels [input_match_event_processes_pgid] |
|
input.match.event.process.pid |
target.process.pid |
|
input.match.event.process.ppid |
target.labels [input_match_event_process_ppid] |
|
input.match.event.process.responsiblePID |
target.labels [input_match_event_process_responsible_pid] |
|
input.match.event.process.rgid |
target.labels [input_match_event_process_rgid] |
|
input.match.event.process.ruid |
target.labels [input_match_event_process_ruid] |
|
input.match.event.process.signingInfo.appid |
target.user.attribute.labels [input_match_event_process_sign_appid] |
|
input.match.event.process.signingInfo.authorities |
target.user.attribute.permissions |
|
input.match.event.process.signingInfo.cdhash |
target.user.attribute.labels [input_match_event_process_sign_cdhash] |
|
input.match.event.process.signingInfo.entitlements |
target.user.attributes.permissions |
|
input.match.event.process.signingInfo.signerType |
target.user.attribute.labels [input_match_event_process_sign_signer_type] |
If the input.related.process.signingInfo.signerType log field value is equal to 0, then the target.user.attribute.labels.value UDM field is set to 0 - Apple.Else, if the input.related.process.signingInfo.signerType log field value is equal to 1, then the target.user.attribute.labels.value UDM field is set to 1 - App Store.Else, if the input.related.process.signingInfo.signerType log field value is equal to 2, then the target.user.attribute.labels.value UDM field is set to 2 - Developer.Else, if the input.related.process.signingInfo.signerType log field value is equal to 3, then the target.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.Else, if the input.related.process.signingInfo.signerType log field value is equal to 4, then the target.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
input.match.event.process.signingInfo.status |
target.user.attribute.labels [input_match_event_process_sign_status] |
|
input.match.event.process.signingInfo.statusMessage |
target.labels [input_match_event_process_sign_status_message] |
|
input.match.event.process.signingInfo.teamid |
target.user.group_identifiers |
|
input.match.event.process.startTimestamp |
target.labels [input_match_event_process_start_time_stamp] |
|
input.match.event.process.uid |
target.labels [input_match_event_process_uid] |
|
input.match.event.process.uuid |
target.process.product_specific_process_id |
The Process Uuid: input.match.event.process.uuid log field is mapped to the target.process.product_specific_process_id UDM field. |
input.match.event.processIdentifier |
target.process.pid |
|
input.match.event.processImagePath |
target.process.file.full_path |
|
input.match.event.rateLimitingSecs |
principal.labels [input_match_event_rate_limiting_secs] |
|
input.match.event.scriptPath |
principal.labels [input_match_event_script_path] |
|
input.match.event.sender |
principal.labels [input_match_event_sender] |
|
input.match.event.senderImagePath |
principal.labels [input_match_event_sender_image_path] |
|
input.match.event.subsystem |
principal.labels [input_match_event_subsystem] |
|
input.match.event.subType |
principal.labels [input_match_event_sub_type] |
If the input.match.event.subType log field value is equal to 7, then the principal.labels.value UDM field is set to 7 - Exec.Else, if the input.match.event.subType log field value is equal to 2, then the principal.labels.value UDM field is set to 2 - Fork.Else, if the input.match.event.subType log field value is equal to 1, then the principal.labels.value UDM field is set to 1 - Exit.Else, if the input.match.event.subType log field value is equal to 23, then the principal.labels.value UDM field is set to 23 - Execve.Else, if the input.match.event.subType log field value is equal to 43190, then the principal.labels.value UDM field is set to 43190 - Posix Spawn. |
input.match.event.tags |
security_result.rule_labels [input_match_event_tags] |
|
input.match.event.targetpid |
target.process.pid |
|
input.match.event.timestamp |
metadata.event_timestamp |
|
input.match.event.type |
target.labels [input_match_event_type] |
If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0, then the target.labels.value UDM field is set to 0 - Created.Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1, then the target.labels.value UDM field is set to 1 - Deleted.Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3, then the target.labels.value UDM field is set to 3 - Renamed.Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4, then the target.labels.value UDM field is set to 4 - Modified.Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7, then the target.labels.value UDM field is set to 7 - Created Dir.Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0, then the target.labels.value UDM field is set to 0 - None.Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1, then the target.labels.value UDM field is set to 1 - Create.Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2, then the target.labels.value UDM field is set to 0 - Exit. |
input.match.event.uid |
principal.user.userid |
|
input.match.event.uuid |
about.labels [input_match_event_uuid] |
|
input.match.facts.actions.name |
security_result.action_details |
If the index value is equal to 0, then the input.match.facts.actions.name log field is mapped to the security_result.action_details UDM field.Else, the input.match.facts.actions.name log field is mapped to the security_result.about.labels.value UDM field. |
input.match.facts.actions.parameters.id |
security_result.detection_fields [input_match_facts_actions_parameters_id] |
|
input.match.facts.actions.parameters.message |
security_result.detection_fields [input_match_facts_actions_parameters_message] |
|
input.match.facts.actions.parameters.title |
security_result.detection_fields [input_match_facts_actions_parameters_title] |
|
input.match.facts.context.name |
security_result.detection_fields.key |
|
input.match.facts.context.value |
security_result.detection_fields.value [Name] |
|
input.match.facts.context.valueType |
|
|
input.match.facts.human |
security_result.action |
If the input.match.facts.human log field value is matched with regex (?i)blocked, then the security_result.action UDM field is set to BLOCK. |
input.match.facts.human |
security_result.description |
If the index value is equal to 0, then the input.match.facts.human log field is mapped to the security_result.description UDM field.Else, the input.match.facts.human log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.name |
security_result.summary |
If the index value is equal to 0, then the input.match.facts.name log field is mapped to the security_result.summary UDM field.Else, the input.match.facts.name log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.severity |
security_result.detection_fields [input_match_facts_severity] |
|
input.match.facts.tags |
security_result.rule_labels [input_match_facts_tags] |
|
input.match.facts.uuid |
about.labels [input_match_facts_uuid] |
|
input.match.facts.version |
about.labels [input_match_facts_version] |
|
input.match.severity |
security_result.severity |
If the severity log field value is equal to 0, then the security_result.severity UDM field is set to INFORMATIONAL.Else, if the severity log field value is equal to 1, then the security_result.severity UDM field is set to LOW.Else, if the severity log field value is equal to 2, then the security_result.severity UDM field is set to MEDIUM.Else, if the severity log field value is equal to 3, then the security_result.severity UDM field is set to HIGH. |
input.match.tags |
security_result.rule_labels [input_match_tags] |
|
input.match.uuid |
metadata.product_log_id |
|
input.related.binaries.accessed |
security_result.about.labels [input_related_binaries_accessed] |
|
input.related.binaries.changed |
security_result.about.labels [input_related_binaries_changed] |
|
input.related.binaries.created |
security_result.about.file.first_seen_time |
If the index value is equal to 0, then the input.related.binaries.created log field is mapped to the security_result.about.file.first_seen_time UDM field.Else, the input.related.binaries.created log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.fsid |
security_result.about.labels [input_related_binaries_fsid] |
|
input.related.binaries.gid |
security_result.about.labels [input_related_binaries_gid] |
|
input.related.binaries.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0, then the input.related.binaries.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.binaries.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.isAppBundle |
security_result.about.labels [isAppBundle] |
|
input.related.binaries.isDirectory |
security_result.about.labels [isDirectory] |
|
input.related.binaries.isDownload |
security_result.about.labels [isDownload] |
|
input.related.binaries.isScreenShot |
security_result.about.labels [isScreenShot] |
|
input.related.binaries.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0, then the input.related.binaries.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.binaries.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0, then the input.related.binaries.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.binaries.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.path |
security_result.about.file.full_path |
If the index value is equal to 0, then the input.related.binaries.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.binaries.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0, then the input.related.binaries.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.binaries.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0, then the input.related.binaries.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.binaries.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0, then the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.authorities |
security_result.about.user.attribute.permissions |
|
input.related.binaries.signingInfo.cdhash |
security_result.about.labels [input_related_binaries_sign_cdhash] |
|
input.related.binaries.signingInfo.entitlements |
security_result.about.user.attribute.permisisons |
|
input.related.binaries.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type] |
If the input.related.binaries.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple.Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store.Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer.Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
input.related.binaries.signingInfo.status |
security_result.about.user.attribute.labels [input_related_binaries_sign_status] |
|
input.related.binaries.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
|
input.related.binaries.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0, then the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.size |
security_result.about.file.size |
If the index value is equal to 0, then the input.related.binaries.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.binaries.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.uid |
security_result.about.user.userid |
If the index value is equal to 0, then the input.related.binaries.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.binaries.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.xattrs |
security_result.about.user.attribute.labels [input_related_binaries_xattrs] |
|
input.related.files.accessed |
security_result.about.labels [input_related_files_accessed] |
|
input.related.files.changed |
security_result.about.labels [input_related_files_changed] |
|
input.related.files.created |
security_result.about.labels [input_related_files_created] |
|
input.related.files.downloadedFrom |
security_result.about.labels [input_related_files_downloaded_from] |
|
input.related.files.fsid |
security_result.about.labels [input_related_files_downloaded_fsid] |
|
input.related.files.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0, then the input.related.files.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.files.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0, then the input.related.files.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.files.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.isAppBundle |
security_result.about.labels [input_related_files_downloaded_is_app_bundle] |
|
input.related.files.isDirectory |
security_result.about.labels [input_related_files_is_directory] |
|
input.related.files.isDownload |
security_result.about.labels [input_related_files_is_download] |
|
input.related.files.isScreenShot |
security_result.about.labels [input_related_files_is_screenshot] |
|
input.related.files.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0, then the input.related.files.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.files.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0, then the input.related.files.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.files.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.path |
security_result.about.file.full_path |
If the index value is equal to 0, then the input.related.files.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.files.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0, then the input.related.files.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.files.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0, then the input.related.files.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.files.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0, then the input.related.files.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.files.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.authorities |
security_result.about.user.attribute.permissions |
|
input.related.files.signingInfo.cdhash |
security_result.about.labels [[input_related_files_sign_cdhash] |
|
input.related.files.signingInfo.entitlements |
security_result.about.user.attribute.permissions |
|
input.related.files.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type] |
If the input.related.files.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple.Else, if the input.related.files.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store.Else, if the input.related.files.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer.Else, if the input.related.files.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.Else, if the input.related.files.signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
input.related.files.signingInfo.status |
security_result.about.user.attribute.labels [input_related_files_signing_info_status] |
|
input.related.files.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_files_signing_info_status_message] |
|
input.related.files.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0, then the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.size |
security_result.about.file.size |
If the index value is equal to 0, then if the input.related.files.size log field value is not equal to 0, then the input.related.files.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.files.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.uid |
security_result.about.user.userid |
If the index value is equal to 0, then the input.related.files.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.files.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.xattrs |
security_result.about.labels [input_related_files_xattrs] |
|
input.related.groups.gid |
security_result.about.group.attribute.labels [input_related_groups_gid] |
|
input.related.groups.name |
security_result.about.group.group_display_name |
If the index value is equal to 0, then the input.related.groups.name log field is mapped to the security_result.about.group.group_display_name UDM field.Else, the input.related.groups.name log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.groups.uuid |
security_result.about.group.product_object_id |
If the index value is equal to 0, then the input.related.groups.uuid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.groups.uuid log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.processes.appPath |
security_result.about.labels [input_related_processes_app_path] |
|
input.related.processes.args |
security_result.about.process.command_line_history |
|
input.related.processes.exitCode |
security_result.about.labels [input_related_processes_exit_code] |
|
input.related.processes.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0, then the input.related.processes.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.processes.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.name |
security_result.about.process.file.names |
|
input.related.processes.originalParentPID |
security_result.about.process.parent_process.pid |
If the index value is equal to 0, then the input.related.processes.originalParentPID log field is mapped to the security_result.about.process.parent_process.pid UDM field.Else, the input.related.processes.originalParentPID log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.path |
security_result.about.process.file.full_path |
If the index value is equal to 0, then the input.related.processes.path log field is mapped to the security_result.about.process.file.full_path UDM field.Else, the input.related.processes.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.pgid |
security_result.about.labels [input_related_process_pgid] |
|
input.related.processes.pid |
security_result.about.process.pid |
If the index value is equal to 0, then the input.related.processes.pid log field is mapped to the security_result.about.process.pid UDM field.Else, the input.related.processes.pid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.ppid |
security_result.about.labels [input_related_processes_ppid] |
|
input.related.processes.responsiblePID |
security_result.about.labels [input_related_processes_responsible_pid] |
|
input.related.processes.rgid |
security_result.about.labels [input_related_processes_rgid] |
|
input.related.processes.ruid |
security_result.about.labels [input_related_processes_ruid] |
|
input.related.processes.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0, then the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.signingInfo.authorities |
security_result.about.user.attributes.permission |
|
input.related.processes.signingInfo.cdhash |
security_result.about.user.attribute.labels [input_related_processes_sign_cdhash] |
|
input.related.processes.signingInfo.entitlements |
security_result.about.user.attributes.permission |
|
input.related.processes.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_processes_sign_signer_type] |
If the input.related.processes.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple.Else, if the input.related.processes.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store.Else, if the input.related.processes.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer.Else, if the input.related.processes.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.Else, if the input.related.processes .signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
input.related.processes.signingInfo.status |
security_result.about.user.attribute.labels [input_related_processes_sign_status] |
|
input.related.processes.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
|
input.related.processes.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0, then the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.startTimestamp |
security_result.about.labels [input_related_processes_start_time_stamp] |
|
input.related.processes.tty |
security_result.about.labels [input_related_processes_tty] |
|
input.related.processes.uid |
security_result.about.user.userid |
If the index value is equal to 0, then the input.related.processes.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.processes.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.processes.uuid |
security_result.about.process.product_specific_process_id |
If the index value is equal to 0, then the Process Uuid: input.related.processes.uuid log field is mapped to the security_result.about.process.product_specific_process_id UDM field.Else, the input.related.processes.uuid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.users.name |
security_result.about.user.user_display_name |
If the index value is equal to 0, then the input.related.users.name log field is mapped to the security_result.about.user.user_display_name UDM field.Else, the input.related.users.name log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uid |
security_result.about.user.userid |
If the index value is equal to 0, then the input.related.users.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.users.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uuid |
security_result.about.user.product_object_id |
If the index value is equal to 0, then the input.related.users.uuid log field is mapped to the security_result.about.user.product_object_id UDM field.Else, the input.related.users.uuid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
key |
about.labels [key] |
|
path |
target.file.full_path |
If the index value is equal to 0, then the path log field is mapped to the target.file.full_path UDM field.Else, the path log field is mapped to the target.labels.value UDM field. |
queue |
principal.labels [queue] |
|
region |
principal.location.name |
|
timestamp |
metadata.creation_timestamp |
|
topic |
about.labels [topic] |
|
topicType |
about.labels [topicType] |
|
version |
metadata.product_version |
|
|
is_alert |
The is_alert UDM field is set to TRUE. |
|
is_significant |
The is_significant UDM field is set to TRUE. |
input.eventType |
metadata.event_type |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to JAMF_PROTECT. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to JAMF. |
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to STORAGE_BUCKET. |
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to STORAGE_BUCKET. |
input.match.event.options |
about.labels [input_match_event_options] |
|
input.match.event.sourcePID |
principal.process.pid |
|
input.match.event.destinationPID |
target.process.pid |
|
image.match.event.detection |
security_result.detection_fields [image_match_event_detection] |
|
input.match.type |
target.asset.attribute.labels [input_match_type] |
If the input.match.type log field value is equal to 0, then the target.asset.attribute.labels.value UDM field is set to 0 - Device Inserted.Else, if the input.match.type log field value is equal to 1, then the target.asset.attribute.labels.value UDM field is set to 1 - Device Removed. |
input.match.usbAddress |
target.asset.attribute.labels [input_match_usb_address] |
|
input.match.event.device.mediaPath |
target.asset.attribute.labels [input_match_device_media_path] |
|
input.match.event.device.protocol |
target.asset.attribute.labels [input_match_device_protocol] |
|
input.match.event.device.deviceModel |
target.asset.hardware.model |
|
input.match.event.device.isRemovable |
target.asset.attribute.labels [input_match_device_is_removable] |
|
input.match.event.device.mediaName |
target.asset.attribute.labels [input_match_device_media_name] |
|
input.match.event.device.bsdMinor |
target.asset.attribute.labels [input_match_device_bsd_minor] |
|
input.match.event.device.vendorName |
target.asset.software.vendor_name |
|
input.match.event.device.isWhole |
target.asset.attribute.labels [input_match_device_is_whole] |
|
input.match.event.device.unit |
target.asset.attribute.labels [input_match_device_unit] |
|
input.match.event.device.deviceSubclass |
target.asset.attribute.labels [input_match_device_subclass] |
|
input.match.event.device.serialNumber |
target.asset.hardware.serial |
|
input.match.event.device.bsdUnit |
target.asset.attribute.labels [input_match_device_bsd_unit] |
|
input.match.event.device.busPath |
target.asset.attribute.labels [input_match_device_bus_path] |
|
input.match.event.device.isLeaf |
target.asset.attribute.labels [input_match_device_is_leaf] |
|
input.match.event.device.isInternal |
target.asset.attribute.labels [input_match_device_is_internal] |
|
input.match.event.device.busName |
target.asset.attribute.labels [input_match_device_bus_name] |
|
input.match.event.device.bsdMajor |
target.asset.attribute.labels [input_match_device_bsd_major] |
|
input.match.event.device.isEjectable |
target.asset.attribute.labels [input_match_device_is_ejectable] |
|
input.match.event.device.isEncrypted |
target.asset.attribute.labels [input_match_device_is_encrypted] |
|
input.match.event.device.isEncryptable |
target.asset.attribute.labels [input_match_device_is_encryptable] |
|
input.match.event.device.devicePath |
target.asset.attribute.labels [input_match_device_path] |
|
input.match.event.device.bsdName |
target.asset.attribute.labels [input_match_device_bsd_name] |
|
input.match.event.device.vendorId |
target.asset.attribute.labels [input_match_device_vendor_id] |
|
input.match.event.device.content |
target.asset.attribute.labels [input_match_device_content] |
|
input.match.event.device.revision |
target.asset.attribute.labels [input_match_device_revision] |
|
input.match.event.device.size |
target.asset.attribute.labels [input_match_device_size] |
|
input.match.event.device.isNetworkVolume |
target.asset.attribute.labels [input_match_device_is_network_volume] |
|
input.match.event.device.blocksize |
target.asset.attribute.labels [input_match_device_block_size] |
|
input.match.event.device.productName |
target.asset.attribute.labels [input_match_device_product_name] |
|
input.match.event.device.mediaKind |
target.asset.attribute.labels [input_match_device_media_kind] |
|
input.match.event.device.isWritable |
target.asset.attribute.labels [input_match_device_is_writable] |
|
input.match.event.device.productId |
target.asset.product_object_id |
|
input.match.event.device.productId |
target.asset.asset_id |
The Asset Id: input.match.event.device.productId log field is mapped to the target.asset.asset_id UDM field. |
input.match.event.device.deviceClass |
target.asset.category |
|
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_device_encryption_detail] |
|
input.match.event.device.volumeKind |
target.asset.attribute.labels [input_match_event_device_volume_kind] |
|
input.match.event.device.volumeName |
target.asset.attribute.labels [input_match_event_device_volume_name] |
|
input.match.event.device.volumeType |
target.asset.attribute.labels [input_match_event_device_volume_type] |
|
input.match.event.device.isMountable |
target.asset.attribute.labels [input_match_event_device_is_mountable] |
|
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_event_device_encryption_detail] |
|
input.match.event.fsid |
principal.labels [input_match_event_fsid] |
|
input.match.event.bfree |
principal.labels [input_match_event_bfree] |
|
input.match.event.bsize |
principal.labels [input_match_event_bsize] |
|
input.match.event.ffree |
principal.labels [input_match_event_ffree] |
|
input.match.event.files |
principal.labels [input_match_event_files] |
|
input.match.event.flags |
principal.labels [input_match_event_flags] |
|
input.match.event.owner |
principal.user.user_display_name |
|
input.match.event.bavail |
principal.labels [input_match_event_bvail] |
|
input.match.event.blocks |
principal.labels [input_match_event_blocks] |
|
input.match.event.iosize |
principal.labels [input_match_event_iosize] |
|
input.match.event.version |
principal.labels [input_match_event_version] |
|
input.match.event.deadline |
principal.labels [input_match_event_deadline] |
|
input.match.event.flagsExt |
principal.labels [input_match_event_flags_ext] |
|
input.match.event.fsSubType |
principal.labels [input_match_event_fs_subtype] |
|
input.match.event.mntOnName |
principal.labels [input_match_event_mnt_on_name] |
|
input.match.event.fsTypeName |
principal.labels [input_match_event_fs_type_name] |
|
input.match.event.isReadOnly |
principal.labels [input_match_event_is_read_only] |
|
input.match.event.mntFromName |
principal.labels [input_match_event_mnt_from_name] |
|
input.match.event.machTimestamp |
principal.labels [input_match_event_mach_timestamp] |
|
input.match.event.sequenceNumber |
principal.labels [input_match_event_seq_number] |
|
input.match.event.globalSequenceNumber |
principal.labels [input_match_event_global_seq_number] |