Jamf Protect-Protokolle erfassen

Unterstützt in:

In diesem Dokument wird beschrieben, wie Sie Jamf Protect-Protokolle durch Einrichten einer Google Security Operations-Instanz erfassen -Feed und wie Protokollfelder den Feldern von Google Security Operations Unified Data Model (UDM) zugeordnet werden. In diesem Dokument wird auch die unterstützte Jamf Protect-Version aufgeführt.

Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.

Eine typische Bereitstellung besteht aus Jamf Protect und dem Google Security Operations-Feed, der so konfiguriert ist, dass Protokolle an Google Security Operations gesendet werden. Jede Kundenimplementierung kann sich unterscheiden und möglicherweise komplexer sein.

Das Deployment enthält die folgenden Komponenten:

  • Jamf Protect Die Jamf Protect-Plattform, auf der Sie Protokolle erfassen.

  • Google Security Operations-Feed Der Google Security Operations-Feed, der Protokolle von Jamf Protect abruft und in Google Security Operations schreibt.

  • Google Security Operations Google Security Operations speichert und analysiert die Protokolle von Jamf Protect.

Mit einem Datenaufnahmelabel wird der Parser identifiziert, der Roh-Logdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument gelten für den Parser mit dem Aufnahmelabel JAMF_PROTECT.

Hinweise

  • Achten Sie darauf, dass Sie Jamf Protect Version 4.0.0 oder höher verwenden.
  • Alle Systeme in der Bereitstellungsarchitektur müssen mit der Zeitzone UTC konfiguriert sein.

Feed in Google Security Operations konfigurieren, um Jamf Protect-Protokolle aufzunehmen

Sie können entweder Amazon S3 oder einen Webhook verwenden, um einen Datenaufnahmefeed in Google Security Operations einzurichten, wir empfehlen jedoch die Verwendung von Amazon S3.

Datenaufnahmefeed mit Amazon S3 einrichten

  1. Wählen Sie im Menü von Google Security Operations Settings (Einstellungen) aus und klicken Sie dann auf Feeds.
  2. Klicken Sie auf Add new (Neuen Eintrag hinzufügen).
  3. Wählen Sie Amazon S3 als Source Type (Quelltyp) aus.
  4. Wählen Sie als Logtyp die Option Jamf Protect-Benachrichtigungen aus, um einen Feed für Jamf Protect zu erstellen.
  5. Klicken Sie auf Weiter.
  6. Speichern Sie den Feed und klicken Sie dann auf Senden.
  7. Kopieren Sie die Feed-ID aus dem Feednamen, um sie in Jamf Protect zu verwenden.

Datenaufnahmefeed mit einem Webhook einrichten

  1. Wählen Sie im Menü „Google Security Operations“ die Option Einstellungen und dann Feeds aus.
  2. Klicken Sie auf Neu hinzufügen.
  3. Geben Sie im Feld Feedname einen Namen für den Feed ein.
  4. Wählen Sie in der Liste Source Type (Quelltyp) die Option Webhook aus.
  5. Wählen Sie als Logtyp die Option Jamf Protect-Benachrichtigungen aus, um einen Feed für Jamf Protect zu erstellen.
  6. Klicken Sie auf Weiter.
  7. Optional: Geben Sie Werte für die folgenden Eingabeparameter an:
    • Trennzeichen für die Aufteilung: Das Trennzeichen, mit dem Logzeilen getrennt werden, z. B. \n.
    • Asset-Namespace: Der Asset-Namespace.
    • Aufnahmelabels: Das Label, das auf die Ereignisse aus diesem Feed angewendet werden soll.
  8. Klicken Sie auf Weiter.
  9. Prüfen Sie die neue Feedkonfiguration auf dem Bildschirm Abschließen und klicken Sie dann auf Senden.
  10. Klicken Sie auf Secret-Schlüssel generieren, um einen Secret-Schlüssel zur Authentifizierung dieses Feeds zu generieren.
  11. Kopieren und speichern Sie den geheimen Schlüssel, da Sie dieses Secret nicht mehr aufrufen können. Sie können einen neuen geheimen Schlüssel generieren. Durch die Neugenerierung des geheimen Schlüssels wird der vorherige geheime Schlüssel jedoch ungültig.
  12. Kopieren Sie auf dem Tab Details die Feed-Endpunkt-URL aus dem Feld Endpunktinformationen. Sie müssen diese Endpunkt-URL in der Jamf Protect Alerts-Anwendung angeben.
  13. Klicken Sie auf Fertig.
  14. Geben Sie die Endpunkt-URL in Jamf Protect an.

Weitere Informationen zu Google Security Operations-Feeds finden Sie in der Dokumentation zu Google Security Operations-Feeds. Informationen zu den Anforderungen für die einzelnen Feedtypen finden Sie unter Feedkonfiguration nach Typ.

Wenn beim Erstellen von Feeds Probleme auftreten, wenden Sie sich an den Google Security Operations-Support.

Unterstützte Jamf Protect-Protokolltypen

In der folgenden Tabelle sind die Logtypen aufgeführt, die vom Jamf Protect-Parser unterstützt werden:

Ereignistyp Anzeigename
GPClickEvent Synthetische Klickereignisse
GPDownloadEvent Ereignisse herunterladen
GPFSEvent Dateisystemereignisse
GPGatekeeperEvent Gatekeeper-Ereignisse
GPKeylogRegisterEvent Keylogger-Ereignisse
GPMRTEvent Ereignisse überwachen
GPPreventedExecutionEvent Ereignisse für benutzerdefinierte Listen
GPProcessEvent Ereignisse verarbeiten
GPThreatMatchExecEvent Ereignisse zur Schutz vor Bedrohungen
GPUSBEvent USB-Ereignisse
GPUnifiedLogEvent Unified Log Events
Auth-Bereitstellung Ereignisse für die Gerätesteuerung

Feldzuordnungsreferenz

In diesem Abschnitt wird beschrieben, wie der Google Security Operations-Parser Jamf Protect-Felder den Feldern des Unified Data Model (UDM) von Google Security Operations zuordnet.

Feldzuordnungsreferenz: Ereignis-ID zu Ereignistyp

In der folgenden Tabelle sind die JAMF_PROTECT-Protokolltypen und die zugehörigen UDM-Ereignistypen aufgeführt.

Event Identifier Event Type
GPClickEvent SCAN_UNCATEGORIZED
GPDownloadEvent SCAN_FILE
GPFSEvent SCAN_FILE
GPGatekeeperEvent SCAN_UNCATEGORIZED
GPKeylogRegisterEvent SCAN_UNCATEGORIZED
GPMRTEvent SCAN_UNCATEGORIZED
GPPreventedExecutionEvent SCAN_UNCATEGORIZED
GPProcessEvent SCAN_PROCESS
GPThreatMatchExecEvent SCAN_UNCATEGORIZED
GPUSBEvent SCAN_UNCATEGORIZED
GPUnifiedLogEvent SCAN_UNCATEGORIZED
Auth-mount SCAN_UNCATEGORIZED

Referenz für die Feldzuordnung: JAMF_PROTECT

In der folgenden Tabelle sind die Protokollfelder des JAMF_PROTECT-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.
Log field UDM mapping Logic
about.platform The about.platform UDM field is set to MAC.
caid about.labels[caid] (deprecated)
caid additional.fields[caid]
certid principal.asset.attribute.labels [certid]
context.identity.claims.certid principal.user.attribute.permissions.description
context.identity.claims.clientid principal.user.attribute.labels [context_identity_claims_clientid]
input.eventType metadata.product_event_type
input.host.hostname principal.hostname
input.host.ips principal.ip
input.host.provisioningUDID principal.asset.product_object_id
input.host.serial principal.asset.hardware.serial_number
input.match.actions.name security_result.outcomes [input_match_actions_name]
input.match.actions.parameters.message security_result.summary If the index value is equal to 0, then the input.match.actions.parameters.message log field is mapped to the security_result.summary UDM field.

Else, the input.match.actions.parameters.message log field is mapped to the security_result.detection_fields.value UDM field.
input.match.actions.parameters.title security_result.description If the index value is equal to 0, then the input.match.actions.parameters.title log field is mapped to the security_result.description UDM field.

Else, the input.match.actions.parameters.title log field is mapped to the security_result.detection_fields.value UDM field.
input.match.context.name security_result.detection_fields.key
input.match.context.value security_result.detection_fields.value [Name]
input.match.context.valueType
input.match.custom security_result.detection_fields [input_match_custom]
input.match.event.blocked security_result.action If the input.match.event.blocked log field value is not empty, then the security_result.action UDM field is set to BLOCK.
context.identity.claims.hd, input.match.uuid security_result.url_back_to_product The security_result.url_back_to_product UDM field is set to https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid.
input.match.event.category security_result.category_details
input.match.event.clickType principal.labels[input_match_event_click_type] (deprecated) If the input.match.event.clickType log field value is equal to 0, then the principal.labels.value UDM field is set to 0 - Other.

Else, if the input.match.event.clickType log field value is equal to 1, then the principal.labels.value UDM field is set to 1 - Left Down.

Else, if the input.match.event.clickType log field value is equal to 2, then the principal.labels.value UDM field is set to 2 - Left Up.

Else, if the input.match.event.clickType log field value is equal to 3, then the principal.labels.value UDM field is set to 3 - Right Down.

Else, if the input.match.event.clickType log field value is equal to 4, then the principal.labels.value UDM field is set to 4 - Right Up.
input.match.event.clickType additional.fields[input_match_event_click_type] If the input.match.event.clickType log field value is equal to 0, then the additional.fields.value.string_value UDM field is set to 0 - Other.

Else, if the input.match.event.clickType log field value is equal to 1, then the additional.fields.value.string_value UDM field is set to 1 - Left Down.

Else, if the input.match.event.clickType log field value is equal to 2, then the additional.fields.value.string_value UDM field is set to 2 - Left Up.

Else, if the input.match.event.clickType log field value is equal to 3, then the additional.fields.value.string_value UDM field is set to 3 - Right Down.

Else, if the input.match.event.clickType log field value is equal to 4, then the additional.fields.value.string_value UDM field is set to 4 - Right Up.
input.match.event.composedMessage principal.labels[input_match_event_composed_message] (deprecated)
input.match.event.composedMessage additional.fields[input_match_event_composed_message]
input.match.event.dev principal.labels[input_match_event_dev] (deprecated)
input.match.event.dev additional.fields[input_match_event_dev]
input.match.event.eventID principal.labels[input_match_event_eventID] (deprecated)
input.match.event.eventID additional.fields[input_match_event_eventID]
input.match.event.gid principal.user.group_identifiers
input.match.event.iNode target.file.stat_inode
input.match.event.matchType principal.labels[input_match_event_match_type] (deprecated)
input.match.event.matchType additional.fields[input_match_event_match_type]
input.match.event.matchValue security_result.threat_name If the input.match.event.matchType log field value is not empty, then the input.match.event.matchValue log field is mapped to the security_result.threat_name UDM field.
input.match.event.name about.labels[input_match_event_name] (deprecated)
input.match.event.name additional.fields[input_match_event_name]
input.match.facts.name metadata.description If the index value is equal to 0, then the input.match.facts.name log field is mapped to the metadata.description UDM field.
input.match.event.path target.process.file.full_path
input.match.event.pid principal.process.pid
input.match.event.prevFile src.file.full_path If the input.match.event.prevFile log field value is not empty, then the input.match.event.prevFile log field is mapped to the src.file.full_path UDM field.
input.match.event.process principal.process.file.names
input.match.event.process.args target.process.command_line_history
input.match.event.process.gid target.group.product_object_id
input.match.event.process.name target.process.file.names
input.match.event.process.originalParentPID target.process.parent_process.pid
input.match.event.process.path target.process.file.full_path
input.match.event.process.pgid target.labels[input_match_event_processes_pgid] (deprecated)
input.match.event.process.pgid additional.fields[input_match_event_processes_pgid]
input.match.event.process.pid target.process.pid
input.match.event.process.ppid target.labels[input_match_event_process_ppid] (deprecated)
input.match.event.process.ppid additional.fields[input_match_event_process_ppid]
input.match.event.process.responsiblePID target.labels[input_match_event_process_responsible_pid] (deprecated)
input.match.event.process.responsiblePID additional.fields[input_match_event_process_responsible_pid]
input.match.event.process.rgid target.labels[input_match_event_process_rgid] (deprecated)
input.match.event.process.rgid additional.fields[input_match_event_process_rgid]
input.match.event.process.ruid target.labels[input_match_event_process_ruid] (deprecated)
input.match.event.process.ruid additional.fields[input_match_event_process_ruid]
input.match.event.process.signingInfo.appid target.user.attribute.labels [input_match_event_process_sign_appid]
input.match.event.process.signingInfo.authorities target.user.attribute.permissions
input.match.event.process.signingInfo.cdhash target.user.attribute.labels [input_match_event_process_sign_cdhash]
input.match.event.process.signingInfo.entitlements target.user.attributes.permissions
input.match.event.process.signingInfo.signerType target.user.attribute.labels [input_match_event_process_sign_signer_type] If the input.related.process.signingInfo.signerType log field value is equal to 0, then the target.user.attribute.labels.value UDM field is set to 0 - Apple.

Else, if the input.related.process.signingInfo.signerType log field value is equal to 1, then the target.user.attribute.labels.value UDM field is set to 1 - App Store.

Else, if the input.related.process.signingInfo.signerType log field value is equal to 2, then the target.user.attribute.labels.value UDM field is set to 2 - Developer.

Else, if the input.related.process.signingInfo.signerType log field value is equal to 3, then the target.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.

Else, if the input.related.process.signingInfo.signerType log field value is equal to 4, then the target.user.attribute.labels.value UDM field is set to 4 - Unsigned.
input.match.event.process.signingInfo.status target.user.attribute.labels [input_match_event_process_sign_status]
input.match.event.process.signingInfo.statusMessage target.labels[input_match_event_process_sign_status_message] (deprecated)
input.match.event.process.signingInfo.statusMessage additional.fields[input_match_event_process_sign_status_message]
input.match.event.process.signingInfo.teamid target.user.group_identifiers
input.match.event.process.startTimestamp target.labels[input_match_event_process_start_time_stamp] (deprecated)
input.match.event.process.startTimestamp additional.fields[input_match_event_process_start_time_stamp]
input.match.event.process.uid target.labels[input_match_event_process_uid] (deprecated)
input.match.event.process.uid additional.fields[input_match_event_process_uid]
input.match.event.process.uuid target.process.product_specific_process_id The Process Uuid: input.match.event.process.uuid log field is mapped to the target.process.product_specific_process_id UDM field.
input.match.event.processIdentifier target.process.pid
input.match.event.processImagePath target.process.file.full_path
input.match.event.rateLimitingSecs principal.labels[input_match_event_rate_limiting_secs] (deprecated)
input.match.event.rateLimitingSecs additional.fields[input_match_event_rate_limiting_secs]
input.match.event.scriptPath principal.labels[input_match_event_script_path] (deprecated)
input.match.event.scriptPath additional.fields[input_match_event_script_path]
input.match.event.sender principal.labels[input_match_event_sender] (deprecated)
input.match.event.sender additional.fields[input_match_event_sender]
input.match.event.senderImagePath principal.labels[input_match_event_sender_image_path] (deprecated)
input.match.event.senderImagePath additional.fields[input_match_event_sender_image_path]
input.match.event.subsystem principal.labels[input_match_event_subsystem] (deprecated)
input.match.event.subsystem additional.fields[input_match_event_subsystem]
input.match.event.subType principal.labels[input_match_event_sub_type] (deprecated) If the input.match.event.subType log field value is equal to 7, then the principal.labels.value UDM field is set to 7 - Exec.

Else, if the input.match.event.subType log field value is equal to 2, then the principal.labels.value UDM field is set to 2 - Fork.

Else, if the input.match.event.subType log field value is equal to 1, then the principal.labels.value UDM field is set to 1 - Exit.

Else, if the input.match.event.subType log field value is equal to 23, then the principal.labels.value UDM field is set to 23 - Execve.

Else, if the input.match.event.subType log field value is equal to 43190, then the principal.labels.value UDM field is set to 43190 - Posix Spawn.
input.match.event.subType additional.fields[input_match_event_sub_type] If the input.match.event.subType log field value is equal to 7, then the additional.fields.value.string_value UDM field is set to 7 - Exec.

Else, if the input.match.event.subType log field value is equal to 2, then the additional.fields.value.string_value UDM field is set to 2 - Fork.

Else, if the input.match.event.subType log field value is equal to 1, then the additional.fields.value.string_value UDM field is set to 1 - Exit.

Else, if the input.match.event.subType log field value is equal to 23, then the additional.fields.value.string_value UDM field is set to 23 - Execve.

Else, if the input.match.event.subType log field value is equal to 43190, then the additional.fields.value.string_value UDM field is set to 43190 - Posix Spawn.
input.match.event.tags security_result.rule_labels [input_match_event_tags]
input.match.event.targetpid target.process.pid
input.match.event.timestamp metadata.event_timestamp
input.match.event.type target.labels[input_match_event_type] (deprecated) If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0, then the target.labels.value UDM field is set to 0 - Created.

Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1, then the target.labels.value UDM field is set to 1 - Deleted.

Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3, then the target.labels.value UDM field is set to 3 - Renamed.

Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4, then the target.labels.value UDM field is set to 4 - Modified.

Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7, then the target.labels.value UDM field is set to 7 - Created Dir.

Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0, then the target.labels.value UDM field is set to 0 - None.

Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1, then the target.labels.value UDM field is set to 1 - Create.

Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2, then the target.labels.value UDM field is set to 0 - Exit.
input.match.event.type additional.fields[input_match_event_type] If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0, then the additional.fields.value.string_value UDM field is set to 0 - Created.

Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1, then the additional.fields.value.string_value UDM field is set to 1 - Deleted.

Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3, then the additional.fields.value.string_value UDM field is set to 3 - Renamed.

Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4, then the additional.fields.value.string_value UDM field is set to 4 - Modified.

Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7, then the additional.fields.value.string_value UDM field is set to 7 - Created Dir.

Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0, then the additional.fields.value.string_value UDM field is set to 0 - None.

Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1, then the additional.fields.value.string_value UDM field is set to 1 - Create.

Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2, then the additional.fields.value.string_value UDM field is set to 0 - Exit.
input.match.event.uid principal.user.userid
input.match.event.uuid about.labels[input_match_event_uuid] (deprecated)
input.match.event.uuid additional.fields[input_match_event_uuid]
input.match.facts.actions.name security_result.action_details If the index value is equal to 0, then the input.match.facts.actions.name log field is mapped to the security_result.action_details UDM field.

Else, the input.match.facts.actions.name log field is mapped to the security_result.about.labels.value UDM field.
input.match.facts.actions.parameters.id security_result.detection_fields [input_match_facts_actions_parameters_id]
input.match.facts.actions.parameters.message security_result.detection_fields [input_match_facts_actions_parameters_message]
input.match.facts.actions.parameters.title security_result.detection_fields [input_match_facts_actions_parameters_title]
input.match.facts.context.name security_result.detection_fields.key
input.match.facts.context.value security_result.detection_fields.value [Name]
input.match.facts.context.valueType
input.match.facts.human security_result.action If the input.match.facts.human log field value is matched with regex (?i)blocked, then the security_result.action UDM field is set to BLOCK.
input.match.facts.human security_result.description If the index value is equal to 0, then the input.match.facts.human log field is mapped to the security_result.description UDM field.

Else, the input.match.facts.human log field is mapped to the security_result.detection_fields.value UDM field.
input.match.facts.name security_result.summary If the index value is equal to 0, then the input.match.facts.name log field is mapped to the security_result.summary UDM field.

Else, the input.match.facts.name log field is mapped to the security_result.detection_fields.value UDM field.
input.match.facts.severity security_result.detection_fields [input_match_facts_severity]
input.match.facts.tags security_result.rule_labels [input_match_facts_tags]
input.match.facts.uuid about.labels [input_match_facts_uuid]
input.match.facts.version about.labels [input_match_facts_version]
input.match.severity security_result.severity If the severity log field value is equal to 0, then the security_result.severity UDM field is set to INFORMATIONAL.

Else, if the severity log field value is equal to 1, then the security_result.severity UDM field is set to LOW.

Else, if the severity log field value is equal to 2, then the security_result.severity UDM field is set to MEDIUM.

Else, if the severity log field value is equal to 3, then the security_result.severity UDM field is set to HIGH.
input.match.tags security_result.rule_labels [input_match_tags]
input.match.uuid metadata.product_log_id
input.related.binaries.accessed security_result.about.labels [input_related_binaries_accessed]
input.related.binaries.changed security_result.about.labels [input_related_binaries_changed]
input.related.binaries.created security_result.about.file.first_seen_time If the index value is equal to 0, then the input.related.binaries.created log field is mapped to the security_result.about.file.first_seen_time UDM field.

Else, the input.related.binaries.created log field is mapped to the security_result.about.labels.value UDM field.
input.related.binaries.fsid security_result.about.labels [input_related_binaries_fsid]
input.related.binaries.gid security_result.about.labels [input_related_binaries_gid]
input.related.binaries.inode security_result.about.file.stat_inode If the index value is equal to 0, then the input.related.binaries.inode log field is mapped to the security_result.about.file.stat_inode UDM field.

Else, the input.related.binaries.inode log field is mapped to the security_result.about.labels.value UDM field.
input.related.binaries.isAppBundle security_result.about.labels [isAppBundle]
input.related.binaries.isDirectory security_result.about.labels [isDirectory]
input.related.binaries.isDownload security_result.about.labels [isDownload]
input.related.binaries.isScreenShot security_result.about.labels [isScreenShot]
input.related.binaries.mode security_result.about.file.stat_mode If the index value is equal to 0, then the input.related.binaries.mode log field is mapped to the security_result.about.file.stat_mode UDM field.

Else, the input.related.binaries.mode log field is mapped to the security_result.about.labels.value UDM field.
input.related.binaries.modified security_result.about.file.last_modification_time If the index value is equal to 0, then the input.related.binaries.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.

Else, the input.related.binaries.modified log field is mapped to the security_result.about.labels.value UDM field.
input.related.binaries.path security_result.about.file.full_path If the index value is equal to 0, then the input.related.binaries.path log field is mapped to the security_result.about.file.full_path UDM field.

Else, the input.related.binaries.path log field is mapped to the security_result.about.labels.value UDM field.
input.related.binaries.sha1hex security_result.about.file.sha1 If the index value is equal to 0, then the input.related.binaries.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.

Else, the input.related.binaries.sha1hex log field is mapped to the security_result.about.labels.value UDM field.
input.related.binaries.sha256hex security_result.about.file.sha256 If the index value is equal to 0, then the input.related.binaries.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.

Else, the input.related.binaries.sha256hex log field is mapped to the security_result.about.labels.value UDM field.
input.related.binaries.signingInfo.appid security_result.about.application If the index value is equal to 0, then the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.application UDM field.

Else, the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field.
input.related.binaries.signingInfo.authorities security_result.about.user.attribute.permissions
input.related.binaries.signingInfo.cdhash security_result.about.labels [input_related_binaries_sign_cdhash]
input.related.binaries.signingInfo.entitlements security_result.about.user.attribute.permisisons
input.related.binaries.signingInfo.signerType security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type] If the input.related.binaries.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple.

Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store.

Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer.

Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.

Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned.
input.related.binaries.signingInfo.status security_result.about.user.attribute.labels [input_related_binaries_sign_status]
input.related.binaries.signingInfo.statusMessage security_result.about.user.attribute.labels [input_related_processes_sign_status_message]
input.related.binaries.signingInfo.teamid security_result.about.user.group_identifiers If the index value is equal to 0, then the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.

Else, the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field.
input.related.binaries.size security_result.about.file.size If the index value is equal to 0, then the input.related.binaries.size log field is mapped to the security_result.about.file.size UDM field.

Else, the input.related.binaries.size log field is mapped to the security_result.about.labels.value UDM field.
input.related.binaries.uid security_result.about.user.userid If the index value is equal to 0, then the input.related.binaries.uid log field is mapped to the security_result.about.user.userid UDM field.

Else, the input.related.binaries.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field.
input.related.binaries.xattrs security_result.about.user.attribute.labels [input_related_binaries_xattrs]
input.related.files.accessed security_result.about.labels [input_related_files_accessed]
input.related.files.changed security_result.about.labels [input_related_files_changed]
input.related.files.created security_result.about.labels [input_related_files_created]
input.related.files.downloadedFrom security_result.about.labels [input_related_files_downloaded_from]
input.related.files.fsid security_result.about.labels [input_related_files_downloaded_fsid]
input.related.files.gid security_result.about.group.product_object_id If the index value is equal to 0, then the input.related.files.gid log field is mapped to the security_result.about.group.product_object_id UDM field.

Else, the input.related.files.gid log field is mapped to the security_result.about.labels.value UDM field.
input.related.files.inode security_result.about.file.stat_inode If the index value is equal to 0, then the input.related.files.inode log field is mapped to the security_result.about.file.stat_inode UDM field.

Else, the input.related.files.inode log field is mapped to the security_result.about.labels.value UDM field.
input.related.files.isAppBundle security_result.about.labels [input_related_files_downloaded_is_app_bundle]
input.related.files.isDirectory security_result.about.labels [input_related_files_is_directory]
input.related.files.isDownload security_result.about.labels [input_related_files_is_download]
input.related.files.isScreenShot security_result.about.labels [input_related_files_is_screenshot]
input.related.files.mode security_result.about.file.stat_mode If the index value is equal to 0, then the input.related.files.mode log field is mapped to the security_result.about.file.stat_mode UDM field.

Else, the input.related.files.mode log field is mapped to the security_result.about.labels.value UDM field.
input.related.files.modified security_result.about.file.last_modification_time If the index value is equal to 0, then the input.related.files.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.

Else, the input.related.files.modified log field is mapped to the security_result.about.labels.value UDM field.
input.related.files.path security_result.about.file.full_path If the index value is equal to 0, then the input.related.files.path log field is mapped to the security_result.about.file.full_path UDM field.

Else, the input.related.files.path log field is mapped to the security_result.about.labels.value UDM field.
input.related.files.sha1hex security_result.about.file.sha1 If the index value is equal to 0, then the input.related.files.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.

Else, the input.related.files.sha1hex log field is mapped to the security_result.about.labels.value UDM field.
input.related.files.sha256hex security_result.about.file.sha256 If the index value is equal to 0, then the input.related.files.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.

Else, the input.related.files.sha256hex log field is mapped to the security_result.about.labels.value UDM field.
input.related.files.signingInfo.appid security_result.about.application If the index value is equal to 0, then the input.related.files.signingInfo.appid log field is mapped to the security_result.about.application UDM field.

Else, the input.related.files.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field.
input.related.files.signingInfo.authorities security_result.about.user.attribute.permissions
input.related.files.signingInfo.cdhash security_result.about.labels [[input_related_files_sign_cdhash]
input.related.files.signingInfo.entitlements security_result.about.user.attribute.permissions
input.related.files.signingInfo.signerType security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type] If the input.related.files.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple.

Else, if the input.related.files.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store.

Else, if the input.related.files.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer.

Else, if the input.related.files.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.

Else, if the input.related.files.signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned.
input.related.files.signingInfo.status security_result.about.user.attribute.labels [input_related_files_signing_info_status]
input.related.files.signingInfo.statusMessage security_result.about.user.attribute.labels [input_related_files_signing_info_status_message]
input.related.files.signingInfo.teamid security_result.about.user.group_identifiers If the index value is equal to 0, then the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.

Else, the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field.
input.related.files.size security_result.about.file.size If the index value is equal to 0, then if the input.related.files.size log field value is not equal to 0, then the input.related.files.size log field is mapped to the security_result.about.file.size UDM field.

Else, the input.related.files.size log field is mapped to the security_result.about.labels.value UDM field.
input.related.files.uid security_result.about.user.userid If the index value is equal to 0, then the input.related.files.uid log field is mapped to the security_result.about.user.userid UDM field.

Else, the input.related.files.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field.
input.related.files.xattrs security_result.about.labels [input_related_files_xattrs]
input.related.groups.gid security_result.about.group.attribute.labels [input_related_groups_gid]
input.related.groups.name security_result.about.group.group_display_name If the index value is equal to 0, then the input.related.groups.name log field is mapped to the security_result.about.group.group_display_name UDM field.

Else, the input.related.groups.name log field is mapped to the security_result.about.group.attribute.labels.value UDM field.
input.related.groups.uuid security_result.about.group.product_object_id If the index value is equal to 0, then the input.related.groups.uuid log field is mapped to the security_result.about.group.product_object_id UDM field.

Else, the input.related.groups.uuid log field is mapped to the security_result.about.group.attribute.labels.value UDM field.
input.related.processes.appPath security_result.about.labels [input_related_processes_app_path]
input.related.processes.args security_result.about.process.command_line_history
input.related.processes.exitCode security_result.about.labels [input_related_processes_exit_code]
input.related.processes.gid security_result.about.group.product_object_id If the index value is equal to 0, then the input.related.processes.gid log field is mapped to the security_result.about.group.product_object_id UDM field.

Else, the input.related.processes.gid log field is mapped to the security_result.about.labels.value UDM field.
input.related.processes.name security_result.about.process.file.names
input.related.processes.originalParentPID security_result.about.process.parent_process.pid If the index value is equal to 0, then the input.related.processes.originalParentPID log field is mapped to the security_result.about.process.parent_process.pid UDM field.

Else, the input.related.processes.originalParentPID log field is mapped to the security_result.about.labels.value UDM field.
input.related.processes.path security_result.about.process.file.full_path If the index value is equal to 0, then the input.related.processes.path log field is mapped to the security_result.about.process.file.full_path UDM field.

Else, the input.related.processes.path log field is mapped to the security_result.about.labels.value UDM field.
input.related.processes.pgid security_result.about.labels [input_related_process_pgid]
input.related.processes.pid security_result.about.process.pid If the index value is equal to 0, then the input.related.processes.pid log field is mapped to the security_result.about.process.pid UDM field.

Else, the input.related.processes.pid log field is mapped to the security_result.about.labels.value UDM field.
input.related.processes.ppid security_result.about.labels [input_related_processes_ppid]
input.related.processes.responsiblePID security_result.about.labels [input_related_processes_responsible_pid]
input.related.processes.rgid security_result.about.labels [input_related_processes_rgid]
input.related.processes.ruid security_result.about.labels [input_related_processes_ruid]
input.related.processes.signingInfo.appid security_result.about.application If the index value is equal to 0, then the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.application UDM field.

Else, the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field.
input.related.processes.signingInfo.authorities security_result.about.user.attributes.permission
input.related.processes.signingInfo.cdhash security_result.about.user.attribute.labels [input_related_processes_sign_cdhash]
input.related.processes.signingInfo.entitlements security_result.about.user.attributes.permission
input.related.processes.signingInfo.signerType security_result.about.user.attribute.labels [input_related_processes_sign_signer_type] If the input.related.processes.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple.

Else, if the input.related.processes.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store.

Else, if the input.related.processes.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer.

Else, if the input.related.processes.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.

Else, if the input.related.processes .signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned.
input.related.processes.signingInfo.status security_result.about.user.attribute.labels [input_related_processes_sign_status]
input.related.processes.signingInfo.statusMessage security_result.about.user.attribute.labels [input_related_processes_sign_status_message]
input.related.processes.signingInfo.teamid security_result.about.user.group_identifiers If the index value is equal to 0, then the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.

Else, the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.labels.value UDM field.
input.related.processes.startTimestamp security_result.about.labels [input_related_processes_start_time_stamp]
input.related.processes.tty security_result.about.labels [input_related_processes_tty]
input.related.processes.uid security_result.about.user.userid If the index value is equal to 0, then the input.related.processes.uid log field is mapped to the security_result.about.user.userid UDM field.

Else, the input.related.processes.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field.
input.related.processes.uuid security_result.about.process.product_specific_process_id If the index value is equal to 0, then the Process Uuid: input.related.processes.uuid log field is mapped to the security_result.about.process.product_specific_process_id UDM field.

Else, the input.related.processes.uuid log field is mapped to the security_result.about.labels.value UDM field.
input.related.users.name security_result.about.user.user_display_name If the index value is equal to 0, then the input.related.users.name log field is mapped to the security_result.about.user.user_display_name UDM field.

Else, the input.related.users.name log field is mapped to the security_result.about.user.attribute.labels.value UDM field.
input.related.users.uid security_result.about.user.userid If the index value is equal to 0, then the input.related.users.uid log field is mapped to the security_result.about.user.userid UDM field.

Else, the input.related.users.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field.
input.related.users.uuid security_result.about.user.product_object_id If the index value is equal to 0, then the input.related.users.uuid log field is mapped to the security_result.about.user.product_object_id UDM field.

Else, the input.related.users.uuid log field is mapped to the security_result.about.user.attribute.labels.value UDM field.
key about.labels[key] (deprecated)
key additional.fields[key]
path target.file.full_path If the index value is equal to 0, then the path log field is mapped to the target.file.full_path UDM field.

Else, the path log field is mapped to the target.labels.value UDM field.
queue principal.labels[queue] (deprecated)
queue additional.fields[queue]
region principal.location.name
timestamp metadata.creation_timestamp
topic about.labels[topic] (deprecated)
topic additional.fields[topic]
topicType about.labels[topicType] (deprecated)
topicType additional.fields[topicType]
version metadata.product_version
is_alert The is_alert UDM field is set to TRUE.
is_significant The is_significant UDM field is set to TRUE.
input.eventType metadata.event_type
metadata.product_name The metadata.product_name UDM field is set to JAMF_PROTECT.
metadata.vendor_name The metadata.vendor_name UDM field is set to JAMF.
principal.resource.resource_type The principal.resource.resource_type UDM field is set to STORAGE_BUCKET.
target.resource.resource_type The target.resource.resource_type UDM field is set to STORAGE_BUCKET.
input.match.event.options about.labels[input_match_event_options] (deprecated)
input.match.event.options additional.fields[input_match_event_options]
input.match.event.sourcePID principal.process.pid
input.match.event.destinationPID target.process.pid
image.match.event.detection security_result.detection_fields [image_match_event_detection]
input.match.type target.asset.attribute.labels [input_match_type] If the input.match.type log field value is equal to 0, then the target.asset.attribute.labels.value UDM field is set to 0 - Device Inserted.

Else, if the input.match.type log field value is equal to 1, then the target.asset.attribute.labels.value UDM field is set to 1 - Device Removed.
input.match.usbAddress target.asset.attribute.labels [input_match_usb_address]
input.match.event.device.mediaPath target.asset.attribute.labels [input_match_device_media_path]
input.match.event.device.protocol target.asset.attribute.labels [input_match_device_protocol]
input.match.event.device.deviceModel target.asset.hardware.model
input.match.event.device.isRemovable target.asset.attribute.labels [input_match_device_is_removable]
input.match.event.device.mediaName target.asset.attribute.labels [input_match_device_media_name]
input.match.event.device.bsdMinor target.asset.attribute.labels [input_match_device_bsd_minor]
input.match.event.device.vendorName target.asset.software.vendor_name
input.match.event.device.isWhole target.asset.attribute.labels [input_match_device_is_whole]
input.match.event.device.unit target.asset.attribute.labels [input_match_device_unit]
input.match.event.device.deviceSubclass target.asset.attribute.labels [input_match_device_subclass]
input.match.event.device.serialNumber target.asset.hardware.serial
input.match.event.device.bsdUnit target.asset.attribute.labels [input_match_device_bsd_unit]
input.match.event.device.busPath target.asset.attribute.labels [input_match_device_bus_path]
input.match.event.device.isLeaf target.asset.attribute.labels [input_match_device_is_leaf]
input.match.event.device.isInternal target.asset.attribute.labels [input_match_device_is_internal]
input.match.event.device.busName target.asset.attribute.labels [input_match_device_bus_name]
input.match.event.device.bsdMajor target.asset.attribute.labels [input_match_device_bsd_major]
input.match.event.device.isEjectable target.asset.attribute.labels [input_match_device_is_ejectable]
input.match.event.device.isEncrypted target.asset.attribute.labels [input_match_device_is_encrypted]
input.match.event.device.isEncryptable target.asset.attribute.labels [input_match_device_is_encryptable]
input.match.event.device.devicePath target.asset.attribute.labels [input_match_device_path]
input.match.event.device.bsdName target.asset.attribute.labels [input_match_device_bsd_name]
input.match.event.device.vendorId target.asset.attribute.labels [input_match_device_vendor_id]
input.match.event.device.content target.asset.attribute.labels [input_match_device_content]
input.match.event.device.revision target.asset.attribute.labels [input_match_device_revision]
input.match.event.device.size target.asset.attribute.labels [input_match_device_size]
input.match.event.device.isNetworkVolume target.asset.attribute.labels [input_match_device_is_network_volume]
input.match.event.device.blocksize target.asset.attribute.labels [input_match_device_block_size]
input.match.event.device.productName target.asset.attribute.labels [input_match_device_product_name]
input.match.event.device.mediaKind target.asset.attribute.labels [input_match_device_media_kind]
input.match.event.device.isWritable target.asset.attribute.labels [input_match_device_is_writable]
input.match.event.device.productId target.asset.product_object_id
input.match.event.device.productId target.asset.asset_id The Asset Id: input.match.event.device.productId log field is mapped to the target.asset.asset_id UDM field.
input.match.event.device.deviceClass target.asset.category
input.match.event.device.encryptionDetail target.asset.attribute.labels [input_match_device_encryption_detail]
input.match.event.device.volumeKind target.asset.attribute.labels [input_match_event_device_volume_kind]
input.match.event.device.volumeName target.asset.attribute.labels [input_match_event_device_volume_name]
input.match.event.device.volumeType target.asset.attribute.labels [input_match_event_device_volume_type]
input.match.event.device.isMountable target.asset.attribute.labels [input_match_event_device_is_mountable]
input.match.event.device.encryptionDetail target.asset.attribute.labels [input_match_event_device_encryption_detail]
input.match.event.fsid principal.labels [input_match_event_fsid]
input.match.event.bfree principal.labels[input_match_event_bfree] (deprecated)
input.match.event.bfree additional.fields[input_match_event_bfree]
input.match.event.bsize principal.labels[input_match_event_bsize] (deprecated)
input.match.event.bsize additional.fields[input_match_event_bsize]
input.match.event.ffree principal.labels[input_match_event_ffree] (deprecated)
input.match.event.ffree additional.fields[input_match_event_ffree]
input.match.event.files principal.labels[input_match_event_files] (deprecated)
input.match.event.files additional.fields[input_match_event_files]
input.match.event.flags principal.labels[input_match_event_flags] (deprecated)
input.match.event.flags additional.fields[input_match_event_flags]
input.match.event.owner principal.user.user_display_name
input.match.event.bavail principal.labels[input_match_event_bvail] (deprecated)
input.match.event.bavail additional.fields[input_match_event_bvail]
input.match.event.blocks principal.labels[input_match_event_blocks] (deprecated)
input.match.event.blocks additional.fields[input_match_event_blocks]
input.match.event.iosize principal.labels[input_match_event_iosize] (deprecated)
input.match.event.iosize additional.fields[input_match_event_iosize]
input.match.event.version principal.labels[input_match_event_version] (deprecated)
input.match.event.version additional.fields[input_match_event_version]
input.match.event.deadline principal.labels[input_match_event_deadline] (deprecated)
input.match.event.deadline additional.fields[input_match_event_deadline]
input.match.event.flagsExt principal.labels[input_match_event_flags_ext] (deprecated)
input.match.event.flagsExt additional.fields[input_match_event_flags_ext]
input.match.event.fsSubType principal.labels[input_match_event_fs_subtype] (deprecated)
input.match.event.fsSubType additional.fields[input_match_event_fs_subtype]
input.match.event.mntOnName principal.labels[input_match_event_mnt_on_name] (deprecated)
input.match.event.mntOnName additional.fields[input_match_event_mnt_on_name]
input.match.event.fsTypeName principal.labels[input_match_event_fs_type_name] (deprecated)
input.match.event.fsTypeName additional.fields[input_match_event_fs_type_name]
input.match.event.isReadOnly principal.labels[input_match_event_is_read_only] (deprecated)
input.match.event.isReadOnly additional.fields[input_match_event_is_read_only]
input.match.event.mntFromName principal.labels[input_match_event_mnt_from_name] (deprecated)
input.match.event.mntFromName additional.fields[input_match_event_mnt_from_name]
input.match.event.machTimestamp principal.labels[input_match_event_mach_timestamp] (deprecated)
input.match.event.machTimestamp additional.fields[input_match_event_mach_timestamp]
input.match.event.sequenceNumber principal.labels[input_match_event_seq_number] (deprecated)
input.match.event.sequenceNumber additional.fields[input_match_event_seq_number]
input.match.event.globalSequenceNumber principal.labels[input_match_event_global_seq_number] (deprecated)
input.match.event.globalSequenceNumber additional.fields[input_match_event_global_seq_number]

Nächste Schritte