Collecter les journaux Jamf Protect
Ce document explique comment collecter les journaux Jamf Protect en configurant un flux Google Security Operations, et comment les champs de journal correspondent aux champs du modèle de données unifié (UDM) de Google Security Operations. Ce document indique également la version de Jamf Protect compatible.
Pour en savoir plus, consultez Ingestion de données dans Google Security Operations.
Un déploiement typique consiste en Jamf Protect et le flux Google Security Operations configuré pour envoyer des journaux à Google Security Operations. Chaque déploiement client peut être différent et plus complexe.
Le déploiement contient les composants suivants:
Jamf Protect La plate-forme Jamf Protect à partir de laquelle vous collectez les journaux.
Flux Google Security Operations Flux Google Security Operations qui extrait les journaux de Jamf Protect et les écrit dans Google Security Operations.
Google Security Operations Google Security Operations conserve et analyse les journaux de Jamf Protect.
Un libellé d'ingestion identifie l'analyseur qui normalise les données de journal brutes au format UDM structuré. Les informations de ce document s'appliquent à l'analyseur avec le libellé d'ingestion JAMF_PROTECT
.
Avant de commencer
- Assurez-vous d'avoir configuré Jamf Protect.
- Assurez-vous d'utiliser la version 4.0.0 ou ultérieure de Jamf Protect.
- Assurez-vous que tous les systèmes de l'architecture de déploiement sont configurés avec le fuseau horaire UTC.
Configurer un flux dans Google Security Operations pour ingérer les journaux Jamf Protect
Vous pouvez utiliser Amazon S3 ou un webhook pour configurer un flux d'ingestion dans Google Security Operations, mais nous vous recommandons d'utiliser Amazon S3.
Configurer un flux d'ingestion dans Google SecOps à l'aide d'Amazon S3
- Accédez à Paramètres du SIEM > Flux.
- Cliquez sur Ajouter.
- Sélectionnez Amazon S3 comme Type de source.
- Pour créer un flux pour Jamf Protect, sélectionnez Jamf Protect comme Type de journal.
- Cliquez sur Suivant.
- Enregistrez le flux, puis cliquez sur Envoyer.
- Copiez l'ID de flux à partir du nom du flux à utiliser dans Jamf Protect.
Configurer un flux d'ingestion dans Google SecOps à l'aide d'un webhook
- Accédez à Paramètres du SIEM > Flux.
- Cliquez sur Ajouter.
- Dans le champ Nom du flux, saisissez un nom pour le flux.
- Dans la liste Type de source, sélectionnez Webhook.
- Pour créer un flux pour Jamf Protect, sélectionnez Jamf Protect comme Type de journal.
- Cliquez sur Suivant.
- Facultatif: spécifiez des valeurs pour les paramètres d'entrée suivants :
- Délimiteur de fractionnement: délimiteur utilisé pour séparer les lignes de journal, par exemple
\n
. - Espace de noms des éléments: espace de noms des éléments.
- Libellés d'ingestion: libellé à appliquer aux événements de ce flux.
- Délimiteur de fractionnement: délimiteur utilisé pour séparer les lignes de journal, par exemple
- Cliquez sur Suivant.
- Vérifiez la configuration de votre nouveau flux dans l'écran Finaliser, puis cliquez sur Envoyer.
- Cliquez sur Générer une clé secrète pour générer une clé secrète permettant d'authentifier ce flux.
- Copiez et stockez la clé secrète. Vous ne pourrez plus afficher cette clé secrète. Si nécessaire, vous pouvez générer une nouvelle clé secrète, mais cette action rend l'ancienne clé secrète obsolète.
- Dans l'onglet Détails, copiez l'URL du point de terminaison du flux dans le champ Informations sur le point de terminaison. Vous aurez besoin de cette URL HTTPS pour configurer votre application cliente Jamf Protect.
- Cliquez sur OK.
Créer une clé API pour un flux webhook
Accédez à la console Google Cloud > Identifiants.
Cliquez sur Créer des identifiants, puis sélectionnez Clé API.
Limitez l'accès de la clé API à l'API Google Security Operations.
Configurer Jamf Protect pour un flux de webhook
- Dans l'application Jamf Protect, accédez à la configuration d'action associée.
- Pour ajouter un point de terminaison de données, cliquez sur Créer des actions.
- Sélectionnez HTTP comme protocole.
- Saisissez l'URL HTTPS du point de terminaison de l'API Google Security Operations dans le champ URL. Il s'agit du champ Informations sur le point de terminaison que vous avez copié lors de la configuration du flux de webhook. Il est déjà au format requis.)
Activez l'authentification en spécifiant la clé API et la clé secrète dans l'en-tête personnalisé au format suivant:
X-goog-api-key = API_KEY X-Webhook-Access-Key = SECRET
Recommandation: Spécifiez la clé API en tant qu'en-tête plutôt que dans l'URL. Si votre client webhook n'est pas compatible avec les en-têtes personnalisés, vous pouvez spécifier la clé API et la clé secrète à l'aide de paramètres de requête au format suivant:
ENDPOINT_URL?key=API_KEY&secret=SECRET
Remplacez les éléments suivants :
ENDPOINT_URL
: URL du point de terminaison du flux.API_KEY
: clé API permettant de s'authentifier auprès de Google Security Operations.SECRET
: clé secrète que vous avez générée pour authentifier le flux.
Dans la section Collect Logs (Collecter des journaux), sélectionnez Telemetry (Télémétrie).
Cliquez sur Envoyer.
Pour en savoir plus sur les flux Google Security Operations, consultez la documentation sur les flux Google Security Operations. Pour en savoir plus sur les exigences de chaque type de flux, consultez la section Configuration des flux par type.
Si vous rencontrez des problèmes lorsque vous créez des flux, contactez l'assistance Google Security Operations.
Types de journaux Jamf Protect compatibles
Le tableau suivant répertorie les types de journaux compatibles avec l'analyseur Jamf Protect:
Type d'événement | Nom à afficher |
---|---|
GPClickEvent | Événements de clic synthétiques |
GPDownloadEvent | Télécharger les événements |
GPFSEvent | Événements du système de fichiers |
GPGatekeeperEvent | Événements Gatekeeper |
GPKeylogRegisterEvent | Événements d'enregistreur de frappe |
GPMRTEvent | Surveiller les événements |
GPPreventedExecutionEvent | Événements de liste de blocage personnalisés |
GPProcessEvent | Traiter les événements |
GPThreatMatchExecEvent | Événements de prévention des menaces |
GPUSBEvent | Événements USB |
GPUnifiedLogEvent | Événements de journaux unifiés |
Auth-mount | Événements de commandes de l'appareil |
Référence de mappage de champs
Cette section explique comment l'analyseur Google Security Operations mappe les champs Jamf Protect aux champs du modèle de données unifié (UDM) de Google Security Operations.
Référence de mappage de champ: identifiant d'événement vers type d'événement
Le tableau suivant répertorie les types de journauxJAMF_PROTECT
et les types d'événements UDM correspondants.
Event Identifier | Event Type |
---|---|
GPClickEvent |
SCAN_UNCATEGORIZED |
GPDownloadEvent |
SCAN_FILE |
GPFSEvent |
SCAN_FILE |
GPGatekeeperEvent |
SCAN_UNCATEGORIZED |
GPKeylogRegisterEvent |
SCAN_UNCATEGORIZED |
GPMRTEvent |
SCAN_UNCATEGORIZED |
GPPreventedExecutionEvent |
SCAN_UNCATEGORIZED |
GPProcessEvent |
SCAN_PROCESS |
GPThreatMatchExecEvent |
SCAN_UNCATEGORIZED |
GPUSBEvent |
SCAN_UNCATEGORIZED |
GPUnifiedLogEvent |
SCAN_UNCATEGORIZED |
Auth-mount |
SCAN_UNCATEGORIZED |
Référence de mappage de champ: JAMF_PROTECT
Le tableau suivant répertorie les champs de journal du type de journalJAMF_PROTECT
et les champs UDM correspondants.
Log field | UDM mapping | Logic |
---|---|---|
|
about.platform |
The about.platform UDM field is set to MAC . |
caid |
about.labels[caid] (deprecated) |
|
caid |
additional.fields[caid] |
|
certid |
principal.asset.attribute.labels [certid] |
|
context.identity.claims.certid |
principal.user.attribute.permissions.description |
|
context.identity.claims.clientid |
principal.user.attribute.labels [context_identity_claims_clientid] |
|
input.eventType |
metadata.product_event_type |
|
input.host.hostname |
principal.hostname |
|
input.host.ips |
principal.ip |
|
input.host.provisioningUDID |
principal.asset.product_object_id |
|
input.host.serial |
principal.asset.hardware.serial_number |
|
input.match.actions.name |
security_result.outcomes [input_match_actions_name] |
|
input.match.actions.parameters.message |
security_result.summary |
If the index value is equal to 0 , then the input.match.actions.parameters.message log field is mapped to the security_result.summary UDM field.Else, the input.match.actions.parameters.message log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.actions.parameters.title |
security_result.description |
If the index value is equal to 0 , then the input.match.actions.parameters.title log field is mapped to the security_result.description UDM field.Else, the input.match.actions.parameters.title log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.context.name |
security_result.detection_fields.key |
|
input.match.context.value |
security_result.detection_fields.value [Name] |
|
input.match.context.valueType |
|
|
input.match.custom |
security_result.detection_fields [input_match_custom] |
|
input.match.event.blocked |
security_result.action |
If the input.match.event.blocked log field value is not empty, then the security_result.action UDM field is set to BLOCK . |
context.identity.claims.hd, input.match.uuid |
security_result.url_back_to_product |
The security_result.url_back_to_product UDM field is set to https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid . |
input.match.event.category |
security_result.category_details |
|
input.match.event.clickType |
principal.labels[input_match_event_click_type] (deprecated) |
If the input.match.event.clickType log field value is equal to 0 , then the principal.labels.value UDM field is set to 0 - Other .Else, if the input.match.event.clickType log field value is equal to 1 , then the principal.labels.value UDM field is set to 1 - Left Down .Else, if the input.match.event.clickType log field value is equal to 2 , then the principal.labels.value UDM field is set to 2 - Left Up .Else, if the input.match.event.clickType log field value is equal to 3 , then the principal.labels.value UDM field is set to 3 - Right Down .Else, if the input.match.event.clickType log field value is equal to 4 , then the principal.labels.value UDM field is set to 4 - Right Up . |
input.match.event.clickType |
additional.fields[input_match_event_click_type] |
If the input.match.event.clickType log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - Other .Else, if the input.match.event.clickType log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Left Down .Else, if the input.match.event.clickType log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 2 - Left Up .Else, if the input.match.event.clickType log field value is equal to 3 , then the additional.fields.value.string_value UDM field is set to 3 - Right Down .Else, if the input.match.event.clickType log field value is equal to 4 , then the additional.fields.value.string_value UDM field is set to 4 - Right Up . |
input.match.event.composedMessage |
principal.labels[input_match_event_composed_message] (deprecated) |
|
input.match.event.composedMessage |
additional.fields[input_match_event_composed_message] |
|
input.match.event.dev |
principal.labels[input_match_event_dev] (deprecated) |
|
input.match.event.dev |
additional.fields[input_match_event_dev] |
|
input.match.event.eventID |
principal.labels[input_match_event_eventID] (deprecated) |
|
input.match.event.eventID |
additional.fields[input_match_event_eventID] |
|
input.match.event.gid |
principal.user.group_identifiers |
|
input.match.event.iNode |
target.file.stat_inode |
|
input.match.event.matchType |
principal.labels[input_match_event_match_type] (deprecated) |
|
input.match.event.matchType |
additional.fields[input_match_event_match_type] |
|
input.match.event.matchValue |
security_result.threat_name |
If the input.match.event.matchType log field value is not empty, then the input.match.event.matchValue log field is mapped to the security_result.threat_name UDM field. |
input.match.event.name |
about.labels[input_match_event_name] (deprecated) |
|
input.match.event.name |
additional.fields[input_match_event_name] |
|
input.match.facts.name |
metadata.description |
If the index value is equal to 0 , then the input.match.facts.name log field is mapped to the metadata.description UDM field. |
input.match.event.path |
target.process.file.full_path |
|
input.match.event.pid |
principal.process.pid |
|
input.match.event.prevFile |
src.file.full_path |
If the input.match.event.prevFile log field value is not empty, then the input.match.event.prevFile log field is mapped to the src.file.full_path UDM field. |
input.match.event.process |
principal.process.file.names |
|
input.match.event.process.args |
target.process.command_line_history |
|
input.match.event.process.gid |
target.group.product_object_id |
|
input.match.event.process.name |
target.process.file.names |
|
input.match.event.process.originalParentPID |
target.process.parent_process.pid |
|
input.match.event.process.path |
target.process.file.full_path |
|
input.match.event.process.pgid |
target.labels[input_match_event_processes_pgid] (deprecated) |
|
input.match.event.process.pgid |
additional.fields[input_match_event_processes_pgid] |
|
input.match.event.process.pid |
target.process.pid |
|
input.match.event.process.ppid |
target.labels[input_match_event_process_ppid] (deprecated) |
|
input.match.event.process.ppid |
additional.fields[input_match_event_process_ppid] |
|
input.match.event.process.responsiblePID |
target.labels[input_match_event_process_responsible_pid] (deprecated) |
|
input.match.event.process.responsiblePID |
additional.fields[input_match_event_process_responsible_pid] |
|
input.match.event.process.rgid |
target.labels[input_match_event_process_rgid] (deprecated) |
|
input.match.event.process.rgid |
additional.fields[input_match_event_process_rgid] |
|
input.match.event.process.ruid |
target.labels[input_match_event_process_ruid] (deprecated) |
|
input.match.event.process.ruid |
additional.fields[input_match_event_process_ruid] |
|
input.match.event.process.signingInfo.appid |
target.user.attribute.labels [input_match_event_process_sign_appid] |
|
input.match.event.process.signingInfo.authorities |
target.user.attribute.permissions |
|
input.match.event.process.signingInfo.cdhash |
target.user.attribute.labels [input_match_event_process_sign_cdhash] |
|
input.match.event.process.signingInfo.entitlements |
target.user.attributes.permissions |
|
input.match.event.process.signingInfo.signerType |
target.user.attribute.labels [input_match_event_process_sign_signer_type] |
If the input.related.process.signingInfo.signerType log field value is equal to 0 , then the target.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.process.signingInfo.signerType log field value is equal to 1 , then the target.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.process.signingInfo.signerType log field value is equal to 2 , then the target.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.process.signingInfo.signerType log field value is equal to 3 , then the target.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.process.signingInfo.signerType log field value is equal to 4 , then the target.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.match.event.process.signingInfo.status |
target.user.attribute.labels [input_match_event_process_sign_status] |
|
input.match.event.process.signingInfo.statusMessage |
target.labels[input_match_event_process_sign_status_message] (deprecated) |
|
input.match.event.process.signingInfo.statusMessage |
additional.fields[input_match_event_process_sign_status_message] |
|
input.match.event.process.signingInfo.teamid |
target.user.group_identifiers |
|
input.match.event.process.startTimestamp |
target.labels[input_match_event_process_start_time_stamp] (deprecated) |
|
input.match.event.process.startTimestamp |
additional.fields[input_match_event_process_start_time_stamp] |
|
input.match.event.process.uid |
target.labels[input_match_event_process_uid] (deprecated) |
|
input.match.event.process.uid |
additional.fields[input_match_event_process_uid] |
|
input.match.event.process.uuid |
target.process.product_specific_process_id |
The Process Uuid: input.match.event.process.uuid log field is mapped to the target.process.product_specific_process_id UDM field. |
input.match.event.processIdentifier |
target.process.pid |
|
input.match.event.processImagePath |
target.process.file.full_path |
|
input.match.event.rateLimitingSecs |
principal.labels[input_match_event_rate_limiting_secs] (deprecated) |
|
input.match.event.rateLimitingSecs |
additional.fields[input_match_event_rate_limiting_secs] |
|
input.match.event.scriptPath |
principal.labels[input_match_event_script_path] (deprecated) |
|
input.match.event.scriptPath |
additional.fields[input_match_event_script_path] |
|
input.match.event.sender |
principal.labels[input_match_event_sender] (deprecated) |
|
input.match.event.sender |
additional.fields[input_match_event_sender] |
|
input.match.event.senderImagePath |
principal.labels[input_match_event_sender_image_path] (deprecated) |
|
input.match.event.senderImagePath |
additional.fields[input_match_event_sender_image_path] |
|
input.match.event.subsystem |
principal.labels[input_match_event_subsystem] (deprecated) |
|
input.match.event.subsystem |
additional.fields[input_match_event_subsystem] |
|
input.match.event.subType |
principal.labels[input_match_event_sub_type] (deprecated) |
If the input.match.event.subType log field value is equal to 7 , then the principal.labels.value UDM field is set to 7 - Exec .Else, if the input.match.event.subType log field value is equal to 2 , then the principal.labels.value UDM field is set to 2 - Fork .Else, if the input.match.event.subType log field value is equal to 1 , then the principal.labels.value UDM field is set to 1 - Exit .Else, if the input.match.event.subType log field value is equal to 23 , then the principal.labels.value UDM field is set to 23 - Execve .Else, if the input.match.event.subType log field value is equal to 43190 , then the principal.labels.value UDM field is set to 43190 - Posix Spawn . |
input.match.event.subType |
additional.fields[input_match_event_sub_type] |
If the input.match.event.subType log field value is equal to 7 , then the additional.fields.value.string_value UDM field is set to 7 - Exec .Else, if the input.match.event.subType log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 2 - Fork .Else, if the input.match.event.subType log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Exit .Else, if the input.match.event.subType log field value is equal to 23 , then the additional.fields.value.string_value UDM field is set to 23 - Execve .Else, if the input.match.event.subType log field value is equal to 43190 , then the additional.fields.value.string_value UDM field is set to 43190 - Posix Spawn . |
input.match.event.tags |
security_result.rule_labels [input_match_event_tags] |
|
input.match.event.targetpid |
target.process.pid |
|
input.match.event.timestamp |
metadata.event_timestamp |
|
input.match.event.type |
target.labels[input_match_event_type] (deprecated) |
If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0 , then the target.labels.value UDM field is set to 0 - Created .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1 , then the target.labels.value UDM field is set to 1 - Deleted .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3 , then the target.labels.value UDM field is set to 3 - Renamed .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4 , then the target.labels.value UDM field is set to 4 - Modified .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7 , then the target.labels.value UDM field is set to 7 - Created Dir .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0 , then the target.labels.value UDM field is set to 0 - None .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1 , then the target.labels.value UDM field is set to 1 - Create .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2 , then the target.labels.value UDM field is set to 0 - Exit . |
input.match.event.type |
additional.fields[input_match_event_type] |
If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - Created .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Deleted .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3 , then the additional.fields.value.string_value UDM field is set to 3 - Renamed .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4 , then the additional.fields.value.string_value UDM field is set to 4 - Modified .Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7 , then the additional.fields.value.string_value UDM field is set to 7 - Created Dir .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0 , then the additional.fields.value.string_value UDM field is set to 0 - None .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1 , then the additional.fields.value.string_value UDM field is set to 1 - Create .Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2 , then the additional.fields.value.string_value UDM field is set to 0 - Exit . |
input.match.event.uid |
principal.user.userid |
|
input.match.event.uuid |
about.labels[input_match_event_uuid] (deprecated) |
|
input.match.event.uuid |
additional.fields[input_match_event_uuid] |
|
input.match.facts.actions.name |
security_result.action_details |
If the index value is equal to 0 , then the input.match.facts.actions.name log field is mapped to the security_result.action_details UDM field.Else, the input.match.facts.actions.name log field is mapped to the security_result.about.labels.value UDM field. |
input.match.facts.actions.parameters.id |
security_result.detection_fields [input_match_facts_actions_parameters_id] |
|
input.match.facts.actions.parameters.message |
security_result.detection_fields [input_match_facts_actions_parameters_message] |
|
input.match.facts.actions.parameters.title |
security_result.detection_fields [input_match_facts_actions_parameters_title] |
|
input.match.facts.context.name |
security_result.detection_fields.key |
|
input.match.facts.context.value |
security_result.detection_fields.value [Name] |
|
input.match.facts.context.valueType |
|
|
input.match.facts.human |
security_result.action |
If the input.match.facts.human log field value is matched with regex (?i)blocked , then the security_result.action UDM field is set to BLOCK . |
input.match.facts.human |
security_result.description |
If the index value is equal to 0 , then the input.match.facts.human log field is mapped to the security_result.description UDM field.Else, the input.match.facts.human log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.name |
security_result.summary |
If the index value is equal to 0 , then the input.match.facts.name log field is mapped to the security_result.summary UDM field.Else, the input.match.facts.name log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.severity |
security_result.detection_fields [input_match_facts_severity] |
|
input.match.facts.tags |
security_result.rule_labels [input_match_facts_tags] |
|
input.match.facts.uuid |
about.labels [input_match_facts_uuid] |
|
input.match.facts.version |
about.labels [input_match_facts_version] |
|
input.match.severity |
security_result.severity |
If the severity log field value is equal to 0 , then the security_result.severity UDM field is set to INFORMATIONAL .Else, if the severity log field value is equal to 1 , then the security_result.severity UDM field is set to LOW .Else, if the severity log field value is equal to 2 , then the security_result.severity UDM field is set to MEDIUM .Else, if the severity log field value is equal to 3 , then the security_result.severity UDM field is set to HIGH . |
input.match.tags |
security_result.rule_labels [input_match_tags] |
|
input.match.uuid |
metadata.product_log_id |
|
input.related.binaries.accessed |
security_result.about.labels [input_related_binaries_accessed] |
|
input.related.binaries.changed |
security_result.about.labels [input_related_binaries_changed] |
|
input.related.binaries.created |
security_result.about.file.first_seen_time |
If the index value is equal to 0 , then the input.related.binaries.created log field is mapped to the security_result.about.file.first_seen_time UDM field.Else, the input.related.binaries.created log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.fsid |
security_result.about.labels [input_related_binaries_fsid] |
|
input.related.binaries.gid |
security_result.about.labels [input_related_binaries_gid] |
|
input.related.binaries.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0 , then the input.related.binaries.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.binaries.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.isAppBundle |
security_result.about.labels [isAppBundle] |
|
input.related.binaries.isDirectory |
security_result.about.labels [isDirectory] |
|
input.related.binaries.isDownload |
security_result.about.labels [isDownload] |
|
input.related.binaries.isScreenShot |
security_result.about.labels [isScreenShot] |
|
input.related.binaries.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0 , then the input.related.binaries.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.binaries.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0 , then the input.related.binaries.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.binaries.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.path |
security_result.about.file.full_path |
If the index value is equal to 0 , then the input.related.binaries.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.binaries.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0 , then the input.related.binaries.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.binaries.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0 , then the input.related.binaries.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.binaries.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.authorities |
security_result.about.user.attribute.permissions |
|
input.related.binaries.signingInfo.cdhash |
security_result.about.labels [input_related_binaries_sign_cdhash] |
|
input.related.binaries.signingInfo.entitlements |
security_result.about.user.attribute.permisisons |
|
input.related.binaries.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type] |
If the input.related.binaries.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.binaries.signingInfo.status |
security_result.about.user.attribute.labels [input_related_binaries_sign_status] |
|
input.related.binaries.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
|
input.related.binaries.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.size |
security_result.about.file.size |
If the index value is equal to 0 , then the input.related.binaries.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.binaries.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.binaries.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.binaries.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.xattrs |
security_result.about.user.attribute.labels [input_related_binaries_xattrs] |
|
input.related.files.accessed |
security_result.about.labels [input_related_files_accessed] |
|
input.related.files.changed |
security_result.about.labels [input_related_files_changed] |
|
input.related.files.created |
security_result.about.labels [input_related_files_created] |
|
input.related.files.downloadedFrom |
security_result.about.labels [input_related_files_downloaded_from] |
|
input.related.files.fsid |
security_result.about.labels [input_related_files_downloaded_fsid] |
|
input.related.files.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.files.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.files.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0 , then the input.related.files.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.files.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.isAppBundle |
security_result.about.labels [input_related_files_downloaded_is_app_bundle] |
|
input.related.files.isDirectory |
security_result.about.labels [input_related_files_is_directory] |
|
input.related.files.isDownload |
security_result.about.labels [input_related_files_is_download] |
|
input.related.files.isScreenShot |
security_result.about.labels [input_related_files_is_screenshot] |
|
input.related.files.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0 , then the input.related.files.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.files.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0 , then the input.related.files.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.files.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.path |
security_result.about.file.full_path |
If the index value is equal to 0 , then the input.related.files.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.files.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0 , then the input.related.files.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.files.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0 , then the input.related.files.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.files.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.files.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.files.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.authorities |
security_result.about.user.attribute.permissions |
|
input.related.files.signingInfo.cdhash |
security_result.about.labels [[input_related_files_sign_cdhash] |
|
input.related.files.signingInfo.entitlements |
security_result.about.user.attribute.permissions |
|
input.related.files.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type] |
If the input.related.files.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.files.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.files.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.files.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.files.signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.files.signingInfo.status |
security_result.about.user.attribute.labels [input_related_files_signing_info_status] |
|
input.related.files.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_files_signing_info_status_message] |
|
input.related.files.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.size |
security_result.about.file.size |
If the index value is equal to 0 , then if the input.related.files.size log field value is not equal to 0 , then the input.related.files.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.files.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.files.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.files.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.xattrs |
security_result.about.labels [input_related_files_xattrs] |
|
input.related.groups.gid |
security_result.about.group.attribute.labels [input_related_groups_gid] |
|
input.related.groups.name |
security_result.about.group.group_display_name |
If the index value is equal to 0 , then the input.related.groups.name log field is mapped to the security_result.about.group.group_display_name UDM field.Else, the input.related.groups.name log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.groups.uuid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.groups.uuid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.groups.uuid log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.processes.appPath |
security_result.about.labels [input_related_processes_app_path] |
|
input.related.processes.args |
security_result.about.process.command_line_history |
|
input.related.processes.exitCode |
security_result.about.labels [input_related_processes_exit_code] |
|
input.related.processes.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0 , then the input.related.processes.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.processes.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.name |
security_result.about.process.file.names |
|
input.related.processes.originalParentPID |
security_result.about.process.parent_process.pid |
If the index value is equal to 0 , then the input.related.processes.originalParentPID log field is mapped to the security_result.about.process.parent_process.pid UDM field.Else, the input.related.processes.originalParentPID log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.path |
security_result.about.process.file.full_path |
If the index value is equal to 0 , then the input.related.processes.path log field is mapped to the security_result.about.process.file.full_path UDM field.Else, the input.related.processes.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.pgid |
security_result.about.labels [input_related_process_pgid] |
|
input.related.processes.pid |
security_result.about.process.pid |
If the index value is equal to 0 , then the input.related.processes.pid log field is mapped to the security_result.about.process.pid UDM field.Else, the input.related.processes.pid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.ppid |
security_result.about.labels [input_related_processes_ppid] |
|
input.related.processes.responsiblePID |
security_result.about.labels [input_related_processes_responsible_pid] |
|
input.related.processes.rgid |
security_result.about.labels [input_related_processes_rgid] |
|
input.related.processes.ruid |
security_result.about.labels [input_related_processes_ruid] |
|
input.related.processes.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0 , then the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.signingInfo.authorities |
security_result.about.user.attributes.permission |
|
input.related.processes.signingInfo.cdhash |
security_result.about.user.attribute.labels [input_related_processes_sign_cdhash] |
|
input.related.processes.signingInfo.entitlements |
security_result.about.user.attributes.permission |
|
input.related.processes.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_processes_sign_signer_type] |
If the input.related.processes.signingInfo.signerType log field value is equal to 0 , then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 1 , then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 2 , then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer .Else, if the input.related.processes.signingInfo.signerType log field value is equal to 3 , then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc .Else, if the input.related.processes .signingInfo.signerType log field value is equal to 4 , then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned . |
input.related.processes.signingInfo.status |
security_result.about.user.attribute.labels [input_related_processes_sign_status] |
|
input.related.processes.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
|
input.related.processes.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0 , then the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.startTimestamp |
security_result.about.labels [input_related_processes_start_time_stamp] |
|
input.related.processes.tty |
security_result.about.labels [input_related_processes_tty] |
|
input.related.processes.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.processes.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.processes.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.processes.uuid |
security_result.about.process.product_specific_process_id |
If the index value is equal to 0 , then the Process Uuid: input.related.processes.uuid log field is mapped to the security_result.about.process.product_specific_process_id UDM field.Else, the input.related.processes.uuid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.users.name |
security_result.about.user.user_display_name |
If the index value is equal to 0 , then the input.related.users.name log field is mapped to the security_result.about.user.user_display_name UDM field.Else, the input.related.users.name log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uid |
security_result.about.user.userid |
If the index value is equal to 0 , then the input.related.users.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.users.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uuid |
security_result.about.user.product_object_id |
If the index value is equal to 0 , then the input.related.users.uuid log field is mapped to the security_result.about.user.product_object_id UDM field.Else, the input.related.users.uuid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
key |
about.labels[key] (deprecated) |
|
key |
additional.fields[key] |
|
path |
target.file.full_path |
If the index value is equal to 0 , then the path log field is mapped to the target.file.full_path UDM field.Else, the path log field is mapped to the target.labels.value UDM field. |
queue |
principal.labels[queue] (deprecated) |
|
queue |
additional.fields[queue] |
|
region |
principal.location.name |
|
timestamp |
metadata.creation_timestamp |
|
topic |
about.labels[topic] (deprecated) |
|
topic |
additional.fields[topic] |
|
topicType |
about.labels[topicType] (deprecated) |
|
topicType |
additional.fields[topicType] |
|
version |
metadata.product_version |
|
|
is_alert |
The is_alert UDM field is set to TRUE . |
|
is_significant |
The is_significant UDM field is set to TRUE . |
input.eventType |
metadata.event_type |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to JAMF_PROTECT . |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to JAMF . |
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to STORAGE_BUCKET . |
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to STORAGE_BUCKET . |
input.match.event.options |
about.labels[input_match_event_options] (deprecated) |
|
input.match.event.options |
additional.fields[input_match_event_options] |
|
input.match.event.sourcePID |
principal.process.pid |
|
input.match.event.destinationPID |
target.process.pid |
|
image.match.event.detection |
security_result.detection_fields [image_match_event_detection] |
|
input.match.type |
target.asset.attribute.labels [input_match_type] |
If the input.match.type log field value is equal to 0 , then the target.asset.attribute.labels.value UDM field is set to 0 - Device Inserted .Else, if the input.match.type log field value is equal to 1 , then the target.asset.attribute.labels.value UDM field is set to 1 - Device Removed . |
input.match.usbAddress |
target.asset.attribute.labels [input_match_usb_address] |
|
input.match.event.device.mediaPath |
target.asset.attribute.labels [input_match_device_media_path] |
|
input.match.event.device.protocol |
target.asset.attribute.labels [input_match_device_protocol] |
|
input.match.event.device.deviceModel |
target.asset.hardware.model |
|
input.match.event.device.isRemovable |
target.asset.attribute.labels [input_match_device_is_removable] |
|
input.match.event.device.mediaName |
target.asset.attribute.labels [input_match_device_media_name] |
|
input.match.event.device.bsdMinor |
target.asset.attribute.labels [input_match_device_bsd_minor] |
|
input.match.event.device.vendorName |
target.asset.software.vendor_name |
|
input.match.event.device.isWhole |
target.asset.attribute.labels [input_match_device_is_whole] |
|
input.match.event.device.unit |
target.asset.attribute.labels [input_match_device_unit] |
|
input.match.event.device.deviceSubclass |
target.asset.attribute.labels [input_match_device_subclass] |
|
input.match.event.device.serialNumber |
target.asset.hardware.serial |
|
input.match.event.device.bsdUnit |
target.asset.attribute.labels [input_match_device_bsd_unit] |
|
input.match.event.device.busPath |
target.asset.attribute.labels [input_match_device_bus_path] |
|
input.match.event.device.isLeaf |
target.asset.attribute.labels [input_match_device_is_leaf] |
|
input.match.event.device.isInternal |
target.asset.attribute.labels [input_match_device_is_internal] |
|
input.match.event.device.busName |
target.asset.attribute.labels [input_match_device_bus_name] |
|
input.match.event.device.bsdMajor |
target.asset.attribute.labels [input_match_device_bsd_major] |
|
input.match.event.device.isEjectable |
target.asset.attribute.labels [input_match_device_is_ejectable] |
|
input.match.event.device.isEncrypted |
target.asset.attribute.labels [input_match_device_is_encrypted] |
|
input.match.event.device.isEncryptable |
target.asset.attribute.labels [input_match_device_is_encryptable] |
|
input.match.event.device.devicePath |
target.asset.attribute.labels [input_match_device_path] |
|
input.match.event.device.bsdName |
target.asset.attribute.labels [input_match_device_bsd_name] |
|
input.match.event.device.vendorId |
target.asset.attribute.labels [input_match_device_vendor_id] |
|
input.match.event.device.content |
target.asset.attribute.labels [input_match_device_content] |
|
input.match.event.device.revision |
target.asset.attribute.labels [input_match_device_revision] |
|
input.match.event.device.size |
target.asset.attribute.labels [input_match_device_size] |
|
input.match.event.device.isNetworkVolume |
target.asset.attribute.labels [input_match_device_is_network_volume] |
|
input.match.event.device.blocksize |
target.asset.attribute.labels [input_match_device_block_size] |
|
input.match.event.device.productName |
target.asset.attribute.labels [input_match_device_product_name] |
|
input.match.event.device.mediaKind |
target.asset.attribute.labels [input_match_device_media_kind] |
|
input.match.event.device.isWritable |
target.asset.attribute.labels [input_match_device_is_writable] |
|
input.match.event.device.productId |
target.asset.product_object_id |
|
input.match.event.device.productId |
target.asset.asset_id |
The Asset Id: input.match.event.device.productId log field is mapped to the target.asset.asset_id UDM field. |
input.match.event.device.deviceClass |
target.asset.category |
|
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_device_encryption_detail] |
|
input.match.event.device.volumeKind |
target.asset.attribute.labels [input_match_event_device_volume_kind] |
|
input.match.event.device.volumeName |
target.asset.attribute.labels [input_match_event_device_volume_name] |
|
input.match.event.device.volumeType |
target.asset.attribute.labels [input_match_event_device_volume_type] |
|
input.match.event.device.isMountable |
target.asset.attribute.labels [input_match_event_device_is_mountable] |
|
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_event_device_encryption_detail] |
|
input.match.event.fsid |
principal.labels [input_match_event_fsid] |
|
input.match.event.bfree |
principal.labels[input_match_event_bfree] (deprecated) |
|
input.match.event.bfree |
additional.fields[input_match_event_bfree] |
|
input.match.event.bsize |
principal.labels[input_match_event_bsize] (deprecated) |
|
input.match.event.bsize |
additional.fields[input_match_event_bsize] |
|
input.match.event.ffree |
principal.labels[input_match_event_ffree] (deprecated) |
|
input.match.event.ffree |
additional.fields[input_match_event_ffree] |
|
input.match.event.files |
principal.labels[input_match_event_files] (deprecated) |
|
input.match.event.files |
additional.fields[input_match_event_files] |
|
input.match.event.flags |
principal.labels[input_match_event_flags] (deprecated) |
|
input.match.event.flags |
additional.fields[input_match_event_flags] |
|
input.match.event.owner |
principal.user.user_display_name |
|
input.match.event.bavail |
principal.labels[input_match_event_bvail] (deprecated) |
|
input.match.event.bavail |
additional.fields[input_match_event_bvail] |
|
input.match.event.blocks |
principal.labels[input_match_event_blocks] (deprecated) |
|
input.match.event.blocks |
additional.fields[input_match_event_blocks] |
|
input.match.event.iosize |
principal.labels[input_match_event_iosize] (deprecated) |
|
input.match.event.iosize |
additional.fields[input_match_event_iosize] |
|
input.match.event.version |
principal.labels[input_match_event_version] (deprecated) |
|
input.match.event.version |
additional.fields[input_match_event_version] |
|
input.match.event.deadline |
principal.labels[input_match_event_deadline] (deprecated) |
|
input.match.event.deadline |
additional.fields[input_match_event_deadline] |
|
input.match.event.flagsExt |
principal.labels[input_match_event_flags_ext] (deprecated) |
|
input.match.event.flagsExt |
additional.fields[input_match_event_flags_ext] |
|
input.match.event.fsSubType |
principal.labels[input_match_event_fs_subtype] (deprecated) |
|
input.match.event.fsSubType |
additional.fields[input_match_event_fs_subtype] |
|
input.match.event.mntOnName |
principal.labels[input_match_event_mnt_on_name] (deprecated) |
|
input.match.event.mntOnName |
additional.fields[input_match_event_mnt_on_name] |
|
input.match.event.fsTypeName |
principal.labels[input_match_event_fs_type_name] (deprecated) |
|
input.match.event.fsTypeName |
additional.fields[input_match_event_fs_type_name] |
|
input.match.event.isReadOnly |
principal.labels[input_match_event_is_read_only] (deprecated) |
|
input.match.event.isReadOnly |
additional.fields[input_match_event_is_read_only] |
|
input.match.event.mntFromName |
principal.labels[input_match_event_mnt_from_name] (deprecated) |
|
input.match.event.mntFromName |
additional.fields[input_match_event_mnt_from_name] |
|
input.match.event.machTimestamp |
principal.labels[input_match_event_mach_timestamp] (deprecated) |
|
input.match.event.machTimestamp |
additional.fields[input_match_event_mach_timestamp] |
|
input.match.event.sequenceNumber |
principal.labels[input_match_event_seq_number] (deprecated) |
|
input.match.event.sequenceNumber |
additional.fields[input_match_event_seq_number] |
|
input.match.event.globalSequenceNumber |
principal.labels[input_match_event_global_seq_number] (deprecated) |
|
input.match.event.globalSequenceNumber |
additional.fields[input_match_event_global_seq_number] |