收集 Jamf Protect 日志
本文档介绍了如何通过设置 Chronicle Feed 来收集 Jamf Protect 日志,以及如何将日志字段映射到 Chronicle Unified Data Model (UDM) 字段。本文档还列出了受支持的 Jamf Protect 版本。
如需了解详情,请参阅将数据注入到 Chronicle。
典型的部署包括 Jamf Protect 和配置为将日志发送到 Chronicle 的 Chronicle Feed。每个客户部署可能有所不同,并且可能更复杂。
该部署包含以下组件:
Jamf Protect:用于从中收集日志的 Jamf Protect 平台。
Chronicle Feed。用于从 Jamf Protect 提取日志并将日志写入 Chronicle 的 Chronicle Feed。
Chronicle。Chronicle 会保留和分析来自 Jamf Protect 的日志。
提取标签用于标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于带有 JAMF_PROTECT 提取标签的解析器。
准备工作
- 确保您使用的是 Jamf Protect 4.0.0 或更高版本。
- 确保部署架构中的所有系统都配置了世界协调时间 (UTC) 时区。
在 Chronicle 中配置 Feed 以注入 Jamf Protect 日志
- 从 Chronicle 菜单中,选择 Settings,然后点击 Feeds。
- 点击 Add New(新增)。
- 选择 Amazon S3 作为来源类型。
- 如要为 Jamf Protect 创建 Feed,请选择 Jamf Protect 提醒作为日志类型。
- 点击下一步。
- 保存 Feed,然后提交。
- 从 Feed 名称中复制 Feed ID,以便在 Jamf Protect 中使用。
如需详细了解 Chronicle Feed,请参阅 Chronicle Feed 文档。如需了解各种 Feed 类型的要求,请参阅按类型划分的 Feed 配置。
如果您在创建 Feed 时遇到问题,请与 Chronicle 支持团队联系。
支持的 Jamf Protect 日志类型
下表列出了 Jamf Protect 解析器支持的日志类型:
| 事件类型 | 显示名称 |
|---|---|
| GPClickEvent | 合成点击事件 |
| GPDownloadEvent | 下载事件 |
| GPFSEvent | 文件系统事件 |
| GPGatekeeperEvent | 把关者事件 |
| GPKeylogRegisterEvent | 按键记录器事件 |
| GPMRTEvent | 监控事件 |
| GPPreventedExecutionEvent | 自定义阻止列表事件 |
| GPProcessEvent | 进程事件 |
| GPThreatMatchExecEvent | 威胁防护事件 |
| GPUSBEvent | USB 事件 |
| GPUnifiedLogEvent | 统一的日志事件 |
| Auth-mount | 设备控制器事件 |
字段映射参考文档
本部分介绍 Chronicle 解析器如何将 Jamf Protect 字段映射到 Chronicle Unified Data Model (UDM) 字段。
字段映射参考:事件标识符与事件类型
下表列出了JAMF_PROTECT 日志类型及其对应的 UDM 事件类型。
| Event Identifier | Event Type |
|---|---|
GPClickEvent |
SCAN_UNCATEGORIZED |
GPDownloadEvent |
SCAN_FILE |
GPFSEvent |
SCAN_FILE |
GPGatekeeperEvent |
SCAN_UNCATEGORIZED |
GPKeylogRegisterEvent |
SCAN_UNCATEGORIZED |
GPMRTEvent |
SCAN_UNCATEGORIZED |
GPPreventedExecutionEvent |
SCAN_UNCATEGORIZED |
GPProcessEvent |
SCAN_PROCESS |
GPThreatMatchExecEvent |
SCAN_UNCATEGORIZED |
GPUSBEvent |
SCAN_UNCATEGORIZED |
GPUnifiedLogEvent |
SCAN_UNCATEGORIZED |
Auth-mount |
SCAN_UNCATEGORIZED |
字段映射参考文档:JAMF_PROTECT
下表列出了JAMF_PROTECT 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
|
about.platform |
The about.platform UDM field is set to MAC. |
caid |
about.labels [caid] |
|
certid |
principal.asset.attribute.labels [certid] |
|
context.identity.claims.certid |
principal.user.attribute.permissions.description |
|
context.identity.claims.clientid |
principal.user.attribute.labels [context_identity_claims_clientid] |
|
input.eventType |
metadata.product_event_type |
|
input.host.hostname |
principal.hostname |
|
input.host.ips |
principal.ip |
|
input.host.provisioningUDID |
principal.asset.product_object_id |
|
input.host.serial |
principal.asset.hardware.serial_number |
|
input.match.actions.name |
security_result.outcomes [input_match_actions_name] |
|
input.match.actions.parameters.message |
security_result.summary |
If the index value is equal to 0, then the input.match.actions.parameters.message log field is mapped to the security_result.summary UDM field.Else, the input.match.actions.parameters.message log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.actions.parameters.title |
security_result.description |
If the index value is equal to 0, then the input.match.actions.parameters.title log field is mapped to the security_result.description UDM field.Else, the input.match.actions.parameters.title log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.context.name |
security_result.detection_fields.key |
|
input.match.context.value |
security_result.detection_fields.value [Name] |
|
input.match.context.valueType |
|
|
input.match.custom |
security_result.detection_fields [input_match_custom] |
|
input.match.event.blocked |
security_result.action |
If the input.match.event.blocked log field value is not empty, then the security_result.action UDM field is set to BLOCK. |
context.identity.claims.hd, input.match.uuid |
security_result.url_back_to_product |
The security_result.url_back_to_product UDM field is set to https://context.identity.claims.hd.jamfcloud.com/Alerts/input.match.uuid. |
input.match.event.category |
security_result.category_details |
|
input.match.event.clickType |
principal.labels [input_match_event_click_type] |
If the input.match.event.clickType log field value is equal to 0, then the principal.labels.value UDM field is set to 0 - Other.Else, if the input.match.event.clickType log field value is equal to 1, then the principal.labels.value UDM field is set to 1 - Left Down.Else, if the input.match.event.clickType log field value is equal to 2, then the principal.labels.value UDM field is set to 2 - Left Up.Else, if the input.match.event.clickType log field value is equal to 3, then the principal.labels.value UDM field is set to 3 - Right Down.Else, if the input.match.event.clickType log field value is equal to 4, then the principal.labels.value UDM field is set to 4 - Right Up. |
input.match.event.composedMessage |
principal.labels [input_match_event_composed_message] |
|
input.match.event.dev |
principal.labels [input_match_event_dev] |
|
input.match.event.eventID |
principal.labels [input_match_event_id] |
|
input.match.event.gid |
principal.user.group_identifiers |
|
input.match.event.iNode |
target.file.stat_inode |
|
input.match.event.matchType |
principal.labels [input_match_event_match_type] |
|
input.match.event.matchValue |
security_result.threat_name |
If the input.match.event.matchType log field value is not empty, then the input.match.event.matchValue log field is mapped to the security_result.threat_name UDM field. |
input.match.event.name |
about.labels [input_match_event_name] |
|
input.match.facts.name |
metadata.description |
If the index value is equal to 0, then the input.match.facts.name log field is mapped to the metadata.description UDM field. |
input.match.event.path |
target.process.file.full_path |
|
input.match.event.pid |
principal.process.pid |
|
input.match.event.prevFile |
src.file.full_path |
If the input.match.event.prevFile log field value is not empty, then the input.match.event.prevFile log field is mapped to the src.file.full_path UDM field. |
input.match.event.process |
principal.process.file.names |
|
input.match.event.process.args |
target.process.command_line_history |
|
input.match.event.process.gid |
target.group.product_object_id |
|
input.match.event.process.name |
target.process.file.names |
|
input.match.event.process.originalParentPID |
target.process.parent_process.pid |
|
input.match.event.process.path |
target.process.file.full_path |
|
input.match.event.process.pgid |
target.labels [input_match_event_processes_pgid] |
|
input.match.event.process.pid |
target.process.pid |
|
input.match.event.process.ppid |
target.labels [input_match_event_process_ppid] |
|
input.match.event.process.responsiblePID |
target.labels [input_match_event_process_responsible_pid] |
|
input.match.event.process.rgid |
target.labels [input_match_event_process_rgid] |
|
input.match.event.process.ruid |
target.labels [input_match_event_process_ruid] |
|
input.match.event.process.signingInfo.appid |
target.user.attribute.labels [input_match_event_process_sign_appid] |
|
input.match.event.process.signingInfo.authorities |
target.user.attribute.permissions |
|
input.match.event.process.signingInfo.cdhash |
target.user.attribute.labels [input_match_event_process_sign_cdhash] |
|
input.match.event.process.signingInfo.entitlements |
target.user.attributes.permissions |
|
input.match.event.process.signingInfo.signerType |
target.user.attribute.labels [input_match_event_process_sign_signer_type] |
If the input.related.process.signingInfo.signerType log field value is equal to 0, then the target.user.attribute.labels.value UDM field is set to 0 - Apple.Else, if the input.related.process.signingInfo.signerType log field value is equal to 1, then the target.user.attribute.labels.value UDM field is set to 1 - App Store.Else, if the input.related.process.signingInfo.signerType log field value is equal to 2, then the target.user.attribute.labels.value UDM field is set to 2 - Developer.Else, if the input.related.process.signingInfo.signerType log field value is equal to 3, then the target.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.Else, if the input.related.process.signingInfo.signerType log field value is equal to 4, then the target.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
input.match.event.process.signingInfo.status |
target.user.attribute.labels [input_match_event_process_sign_status] |
|
input.match.event.process.signingInfo.statusMessage |
target.labels [input_match_event_process_sign_status_message] |
|
input.match.event.process.signingInfo.teamid |
target.user.group_identifiers |
|
input.match.event.process.startTimestamp |
target.labels [input_match_event_process_start_time_stamp] |
|
input.match.event.process.uid |
target.labels [input_match_event_process_uid] |
|
input.match.event.process.uuid |
target.process.product_specific_process_id |
The Process Uuid: input.match.event.process.uuid log field is mapped to the target.process.product_specific_process_id UDM field. |
input.match.event.processIdentifier |
target.process.pid |
|
input.match.event.processImagePath |
target.process.file.full_path |
|
input.match.event.rateLimitingSecs |
principal.labels [input_match_event_rate_limiting_secs] |
|
input.match.event.scriptPath |
principal.labels [input_match_event_script_path] |
|
input.match.event.sender |
principal.labels [input_match_event_sender] |
|
input.match.event.senderImagePath |
principal.labels [input_match_event_sender_image_path] |
|
input.match.event.subsystem |
principal.labels [input_match_event_subsystem] |
|
input.match.event.subType |
principal.labels [input_match_event_sub_type] |
If the input.match.event.subType log field value is equal to 7, then the principal.labels.value UDM field is set to 7 - Exec.Else, if the input.match.event.subType log field value is equal to 2, then the principal.labels.value UDM field is set to 2 - Fork.Else, if the input.match.event.subType log field value is equal to 1, then the principal.labels.value UDM field is set to 1 - Exit.Else, if the input.match.event.subType log field value is equal to 23, then the principal.labels.value UDM field is set to 23 - Execve.Else, if the input.match.event.subType log field value is equal to 43190, then the principal.labels.value UDM field is set to 43190 - Posix Spawn. |
input.match.event.tags |
security_result.rule_labels [input_match_event_tags] |
|
input.match.event.targetpid |
target.process.pid |
|
input.match.event.timestamp |
metadata.event_timestamp |
|
input.match.event.type |
target.labels [input_match_event_type] |
If the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 0, then the target.labels.value UDM field is set to 0 - Created.Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 1, then the target.labels.value UDM field is set to 1 - Deleted.Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 3, then the target.labels.value UDM field is set to 3 - Renamed.Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 4, then the target.labels.value UDM field is set to 4 - Modified.Else, if the input.eventType log field value is equal to GPFSEvent and the input.match.event.type log field value is equal to 7, then the target.labels.value UDM field is set to 7 - Created Dir.Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 0, then the target.labels.value UDM field is set to 0 - None.Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 1, then the target.labels.value UDM field is set to 1 - Create.Else, if the input.eventType log field value is equal to GPProcessEvent and the input.match.event.type log field value is equal to 2, then the target.labels.value UDM field is set to 0 - Exit. |
input.match.event.uid |
principal.user.userid |
|
input.match.event.uuid |
about.labels [input_match_event_uuid] |
|
input.match.facts.actions.name |
security_result.action_details |
If the index value is equal to 0, then the input.match.facts.actions.name log field is mapped to the security_result.action_details UDM field.Else, the input.match.facts.actions.name log field is mapped to the security_result.about.labels.value UDM field. |
input.match.facts.actions.parameters.id |
security_result.detection_fields [input_match_facts_actions_parameters_id] |
|
input.match.facts.actions.parameters.message |
security_result.detection_fields [input_match_facts_actions_parameters_message] |
|
input.match.facts.actions.parameters.title |
security_result.detection_fields [input_match_facts_actions_parameters_title] |
|
input.match.facts.context.name |
security_result.detection_fields.key |
|
input.match.facts.context.value |
security_result.detection_fields.value [Name] |
|
input.match.facts.context.valueType |
|
|
input.match.facts.human |
security_result.action |
If the input.match.facts.human log field value is matched with regex (?i)blocked, then the security_result.action UDM field is set to BLOCK. |
input.match.facts.human |
security_result.description |
If the index value is equal to 0, then the input.match.facts.human log field is mapped to the security_result.description UDM field.Else, the input.match.facts.human log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.name |
security_result.summary |
If the index value is equal to 0, then the input.match.facts.name log field is mapped to the security_result.summary UDM field.Else, the input.match.facts.name log field is mapped to the security_result.detection_fields.value UDM field. |
input.match.facts.severity |
security_result.detection_fields [input_match_facts_severity] |
|
input.match.facts.tags |
security_result.rule_labels [input_match_facts_tags] |
|
input.match.facts.uuid |
about.labels [input_match_facts_uuid] |
|
input.match.facts.version |
about.labels [input_match_facts_version] |
|
input.match.severity |
security_result.severity |
If the severity log field value is equal to 0, then the security_result.severity UDM field is set to INFORMATIONAL.Else, if the severity log field value is equal to 1, then the security_result.severity UDM field is set to LOW.Else, if the severity log field value is equal to 2, then the security_result.severity UDM field is set to MEDIUM.Else, if the severity log field value is equal to 3, then the security_result.severity UDM field is set to HIGH. |
input.match.tags |
security_result.rule_labels [input_match_tags] |
|
input.match.uuid |
metadata.product_log_id |
|
input.related.binaries.accessed |
security_result.about.labels [input_related_binaries_accessed] |
|
input.related.binaries.changed |
security_result.about.labels [input_related_binaries_changed] |
|
input.related.binaries.created |
security_result.about.file.first_seen_time |
If the index value is equal to 0, then the input.related.binaries.created log field is mapped to the security_result.about.file.first_seen_time UDM field.Else, the input.related.binaries.created log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.fsid |
security_result.about.labels [input_related_binaries_fsid] |
|
input.related.binaries.gid |
security_result.about.labels [input_related_binaries_gid] |
|
input.related.binaries.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0, then the input.related.binaries.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.binaries.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.isAppBundle |
security_result.about.labels [isAppBundle] |
|
input.related.binaries.isDirectory |
security_result.about.labels [isDirectory] |
|
input.related.binaries.isDownload |
security_result.about.labels [isDownload] |
|
input.related.binaries.isScreenShot |
security_result.about.labels [isScreenShot] |
|
input.related.binaries.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0, then the input.related.binaries.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.binaries.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0, then the input.related.binaries.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.binaries.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.path |
security_result.about.file.full_path |
If the index value is equal to 0, then the input.related.binaries.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.binaries.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0, then the input.related.binaries.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.binaries.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0, then the input.related.binaries.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.binaries.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0, then the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.binaries.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.signingInfo.authorities |
security_result.about.user.attribute.permissions |
|
input.related.binaries.signingInfo.cdhash |
security_result.about.labels [input_related_binaries_sign_cdhash] |
|
input.related.binaries.signingInfo.entitlements |
security_result.about.user.attribute.permisisons |
|
input.related.binaries.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_binaries_sign_signer_type] |
If the input.related.binaries.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple.Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store.Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer.Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.Else, if the input.related.binaries.signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
input.related.binaries.signingInfo.status |
security_result.about.user.attribute.labels [input_related_binaries_sign_status] |
|
input.related.binaries.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
|
input.related.binaries.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0, then the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.binaries.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.size |
security_result.about.file.size |
If the index value is equal to 0, then the input.related.binaries.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.binaries.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.binaries.uid |
security_result.about.user.userid |
If the index value is equal to 0, then the input.related.binaries.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.binaries.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.binaries.xattrs |
security_result.about.user.attribute.labels [input_related_binaries_xattrs] |
|
input.related.files.accessed |
security_result.about.labels [input_related_files_accessed] |
|
input.related.files.changed |
security_result.about.labels [input_related_files_changed] |
|
input.related.files.created |
security_result.about.labels [input_related_files_created] |
|
input.related.files.downloadedFrom |
security_result.about.labels [input_related_files_downloaded_from] |
|
input.related.files.fsid |
security_result.about.labels [input_related_files_downloaded_fsid] |
|
input.related.files.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0, then the input.related.files.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.files.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.inode |
security_result.about.file.stat_inode |
If the index value is equal to 0, then the input.related.files.inode log field is mapped to the security_result.about.file.stat_inode UDM field.Else, the input.related.files.inode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.isAppBundle |
security_result.about.labels [input_related_files_downloaded_is_app_bundle] |
|
input.related.files.isDirectory |
security_result.about.labels [input_related_files_is_directory] |
|
input.related.files.isDownload |
security_result.about.labels [input_related_files_is_download] |
|
input.related.files.isScreenShot |
security_result.about.labels [input_related_files_is_screenshot] |
|
input.related.files.mode |
security_result.about.file.stat_mode |
If the index value is equal to 0, then the input.related.files.mode log field is mapped to the security_result.about.file.stat_mode UDM field.Else, the input.related.files.mode log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.modified |
security_result.about.file.last_modification_time |
If the index value is equal to 0, then the input.related.files.modified log field is mapped to the security_result.about.file.last_modification_time UDM field.Else, the input.related.files.modified log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.path |
security_result.about.file.full_path |
If the index value is equal to 0, then the input.related.files.path log field is mapped to the security_result.about.file.full_path UDM field.Else, the input.related.files.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha1hex |
security_result.about.file.sha1 |
If the index value is equal to 0, then the input.related.files.sha1hex log field is mapped to the security_result.about.file.sha1 UDM field.Else, the input.related.files.sha1hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.sha256hex |
security_result.about.file.sha256 |
If the index value is equal to 0, then the input.related.files.sha256hex log field is mapped to the security_result.about.file.sha256 UDM field.Else, the input.related.files.sha256hex log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0, then the input.related.files.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.files.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.signingInfo.authorities |
security_result.about.user.attribute.permissions |
|
input.related.files.signingInfo.cdhash |
security_result.about.labels [[input_related_files_sign_cdhash] |
|
input.related.files.signingInfo.entitlements |
security_result.about.user.attribute.permissions |
|
input.related.files.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_files_signing_info_signer_type] |
If the input.related.files.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple.Else, if the input.related.files.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store.Else, if the input.related.files.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer.Else, if the input.related.files.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.Else, if the input.related.files.signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
input.related.files.signingInfo.status |
security_result.about.user.attribute.labels [input_related_files_signing_info_status] |
|
input.related.files.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_files_signing_info_status_message] |
|
input.related.files.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0, then the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.files.signingInfo.teamid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.size |
security_result.about.file.size |
If the index value is equal to 0, then if the input.related.files.size log field value is not equal to 0, then the input.related.files.size log field is mapped to the security_result.about.file.size UDM field.Else, the input.related.files.size log field is mapped to the security_result.about.labels.value UDM field. |
input.related.files.uid |
security_result.about.user.userid |
If the index value is equal to 0, then the input.related.files.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.files.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.files.xattrs |
security_result.about.labels [input_related_files_xattrs] |
|
input.related.groups.gid |
security_result.about.group.attribute.labels [input_related_groups_gid] |
|
input.related.groups.name |
security_result.about.group.group_display_name |
If the index value is equal to 0, then the input.related.groups.name log field is mapped to the security_result.about.group.group_display_name UDM field.Else, the input.related.groups.name log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.groups.uuid |
security_result.about.group.product_object_id |
If the index value is equal to 0, then the input.related.groups.uuid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.groups.uuid log field is mapped to the security_result.about.group.attribute.labels.value UDM field. |
input.related.processes.appPath |
security_result.about.labels [input_related_processes_app_path] |
|
input.related.processes.args |
security_result.about.process.command_line_history |
|
input.related.processes.exitCode |
security_result.about.labels [input_related_processes_exit_code] |
|
input.related.processes.gid |
security_result.about.group.product_object_id |
If the index value is equal to 0, then the input.related.processes.gid log field is mapped to the security_result.about.group.product_object_id UDM field.Else, the input.related.processes.gid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.name |
security_result.about.process.file.names |
|
input.related.processes.originalParentPID |
security_result.about.process.parent_process.pid |
If the index value is equal to 0, then the input.related.processes.originalParentPID log field is mapped to the security_result.about.process.parent_process.pid UDM field.Else, the input.related.processes.originalParentPID log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.path |
security_result.about.process.file.full_path |
If the index value is equal to 0, then the input.related.processes.path log field is mapped to the security_result.about.process.file.full_path UDM field.Else, the input.related.processes.path log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.pgid |
security_result.about.labels [input_related_process_pgid] |
|
input.related.processes.pid |
security_result.about.process.pid |
If the index value is equal to 0, then the input.related.processes.pid log field is mapped to the security_result.about.process.pid UDM field.Else, the input.related.processes.pid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.ppid |
security_result.about.labels [input_related_processes_ppid] |
|
input.related.processes.responsiblePID |
security_result.about.labels [input_related_processes_responsible_pid] |
|
input.related.processes.rgid |
security_result.about.labels [input_related_processes_rgid] |
|
input.related.processes.ruid |
security_result.about.labels [input_related_processes_ruid] |
|
input.related.processes.signingInfo.appid |
security_result.about.application |
If the index value is equal to 0, then the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.application UDM field.Else, the input.related.processes.signingInfo.appid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.signingInfo.authorities |
security_result.about.user.attributes.permission |
|
input.related.processes.signingInfo.cdhash |
security_result.about.user.attribute.labels [input_related_processes_sign_cdhash] |
|
input.related.processes.signingInfo.entitlements |
security_result.about.user.attributes.permission |
|
input.related.processes.signingInfo.signerType |
security_result.about.user.attribute.labels [input_related_processes_sign_signer_type] |
If the input.related.processes.signingInfo.signerType log field value is equal to 0, then the security_result.about.user.attribute.labels.value UDM field is set to 0 - Apple.Else, if the input.related.processes.signingInfo.signerType log field value is equal to 1, then the security_result.about.user.attribute.labels.value UDM field is set to 1 - App Store.Else, if the input.related.processes.signingInfo.signerType log field value is equal to 2, then the security_result.about.user.attribute.labels.value UDM field is set to 2 - Developer.Else, if the input.related.processes.signingInfo.signerType log field value is equal to 3, then the security_result.about.user.attribute.labels.value UDM field is set to 3 - Ad Hoc.Else, if the input.related.processes .signingInfo.signerType log field value is equal to 4, then the security_result.about.user.attribute.labels.value UDM field is set to 4 - Unsigned. |
input.related.processes.signingInfo.status |
security_result.about.user.attribute.labels [input_related_processes_sign_status] |
|
input.related.processes.signingInfo.statusMessage |
security_result.about.user.attribute.labels [input_related_processes_sign_status_message] |
|
input.related.processes.signingInfo.teamid |
security_result.about.user.group_identifiers |
If the index value is equal to 0, then the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.user.group_identifiers UDM field.Else, the input.related.processes.signingInfo.teamid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.processes.startTimestamp |
security_result.about.labels [input_related_processes_start_time_stamp] |
|
input.related.processes.tty |
security_result.about.labels [input_related_processes_tty] |
|
input.related.processes.uid |
security_result.about.user.userid |
If the index value is equal to 0, then the input.related.processes.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.processes.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.processes.uuid |
security_result.about.process.product_specific_process_id |
If the index value is equal to 0, then the Process Uuid: input.related.processes.uuid log field is mapped to the security_result.about.process.product_specific_process_id UDM field.Else, the input.related.processes.uuid log field is mapped to the security_result.about.labels.value UDM field. |
input.related.users.name |
security_result.about.user.user_display_name |
If the index value is equal to 0, then the input.related.users.name log field is mapped to the security_result.about.user.user_display_name UDM field.Else, the input.related.users.name log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uid |
security_result.about.user.userid |
If the index value is equal to 0, then the input.related.users.uid log field is mapped to the security_result.about.user.userid UDM field.Else, the input.related.users.uid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
input.related.users.uuid |
security_result.about.user.product_object_id |
If the index value is equal to 0, then the input.related.users.uuid log field is mapped to the security_result.about.user.product_object_id UDM field.Else, the input.related.users.uuid log field is mapped to the security_result.about.user.attribute.labels.value UDM field. |
key |
about.labels [key] |
|
path |
target.file.full_path |
If the index value is equal to 0, then the path log field is mapped to the target.file.full_path UDM field.Else, the path log field is mapped to the target.labels.value UDM field. |
queue |
principal.labels [queue] |
|
region |
principal.location.name |
|
timestamp |
metadata.creation_timestamp |
|
topic |
about.labels [topic] |
|
topicType |
about.labels [topicType] |
|
version |
metadata.product_version |
|
|
is_alert |
The is_alert UDM field is set to TRUE. |
|
is_significant |
The is_significant UDM field is set to TRUE. |
input.eventType |
metadata.event_type |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to JAMF_PROTECT. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to JAMF. |
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to STORAGE_BUCKET. |
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to STORAGE_BUCKET. |
input.match.event.options |
about.labels [input_match_event_options] |
|
input.match.event.sourcePID |
principal.process.pid |
|
input.match.event.destinationPID |
target.process.pid |
|
image.match.event.detection |
security_result.detection_fields [image_match_event_detection] |
|
input.match.type |
target.asset.attribute.labels [input_match_type] |
If the input.match.type log field value is equal to 0, then the target.asset.attribute.labels.value UDM field is set to 0 - Device Inserted.Else, if the input.match.type log field value is equal to 1, then the target.asset.attribute.labels.value UDM field is set to 1 - Device Removed. |
input.match.usbAddress |
target.asset.attribute.labels [input_match_usb_address] |
|
input.match.event.device.mediaPath |
target.asset.attribute.labels [input_match_device_media_path] |
|
input.match.event.device.protocol |
target.asset.attribute.labels [input_match_device_protocol] |
|
input.match.event.device.deviceModel |
target.asset.hardware.model |
|
input.match.event.device.isRemovable |
target.asset.attribute.labels [input_match_device_is_removable] |
|
input.match.event.device.mediaName |
target.asset.attribute.labels [input_match_device_media_name] |
|
input.match.event.device.bsdMinor |
target.asset.attribute.labels [input_match_device_bsd_minor] |
|
input.match.event.device.vendorName |
target.asset.software.vendor_name |
|
input.match.event.device.isWhole |
target.asset.attribute.labels [input_match_device_is_whole] |
|
input.match.event.device.unit |
target.asset.attribute.labels [input_match_device_unit] |
|
input.match.event.device.deviceSubclass |
target.asset.attribute.labels [input_match_device_subclass] |
|
input.match.event.device.serialNumber |
target.asset.hardware.serial |
|
input.match.event.device.bsdUnit |
target.asset.attribute.labels [input_match_device_bsd_unit] |
|
input.match.event.device.busPath |
target.asset.attribute.labels [input_match_device_bus_path] |
|
input.match.event.device.isLeaf |
target.asset.attribute.labels [input_match_device_is_leaf] |
|
input.match.event.device.isInternal |
target.asset.attribute.labels [input_match_device_is_internal] |
|
input.match.event.device.busName |
target.asset.attribute.labels [input_match_device_bus_name] |
|
input.match.event.device.bsdMajor |
target.asset.attribute.labels [input_match_device_bsd_major] |
|
input.match.event.device.isEjectable |
target.asset.attribute.labels [input_match_device_is_ejectable] |
|
input.match.event.device.isEncrypted |
target.asset.attribute.labels [input_match_device_is_encrypted] |
|
input.match.event.device.isEncryptable |
target.asset.attribute.labels [input_match_device_is_encryptable] |
|
input.match.event.device.devicePath |
target.asset.attribute.labels [input_match_device_path] |
|
input.match.event.device.bsdName |
target.asset.attribute.labels [input_match_device_bsd_name] |
|
input.match.event.device.vendorId |
target.asset.attribute.labels [input_match_device_vendor_id] |
|
input.match.event.device.content |
target.asset.attribute.labels [input_match_device_content] |
|
input.match.event.device.revision |
target.asset.attribute.labels [input_match_device_revision] |
|
input.match.event.device.size |
target.asset.attribute.labels [input_match_device_size] |
|
input.match.event.device.isNetworkVolume |
target.asset.attribute.labels [input_match_device_is_network_volume] |
|
input.match.event.device.blocksize |
target.asset.attribute.labels [input_match_device_block_size] |
|
input.match.event.device.productName |
target.asset.attribute.labels [input_match_device_product_name] |
|
input.match.event.device.mediaKind |
target.asset.attribute.labels [input_match_device_media_kind] |
|
input.match.event.device.isWritable |
target.asset.attribute.labels [input_match_device_is_writable] |
|
input.match.event.device.productId |
target.asset.product_object_id |
|
input.match.event.device.productId |
target.asset.asset_id |
The Asset Id: input.match.event.device.productId log field is mapped to the target.asset.asset_id UDM field. |
input.match.event.device.deviceClass |
target.asset.category |
|
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_device_encryption_detail] |
|
input.match.event.device.volumeKind |
target.asset.attribute.labels [input_match_event_device_volume_kind] |
|
input.match.event.device.volumeName |
target.asset.attribute.labels [input_match_event_device_volume_name] |
|
input.match.event.device.volumeType |
target.asset.attribute.labels [input_match_event_device_volume_type] |
|
input.match.event.device.isMountable |
target.asset.attribute.labels [input_match_event_device_is_mountable] |
|
input.match.event.device.encryptionDetail |
target.asset.attribute.labels [input_match_event_device_encryption_detail] |
|
input.match.event.fsid |
principal.labels [input_match_event_fsid] |
|
input.match.event.bfree |
principal.labels [input_match_event_bfree] |
|
input.match.event.bsize |
principal.labels [input_match_event_bsize] |
|
input.match.event.ffree |
principal.labels [input_match_event_ffree] |
|
input.match.event.files |
principal.labels [input_match_event_files] |
|
input.match.event.flags |
principal.labels [input_match_event_flags] |
|
input.match.event.owner |
principal.user.user_display_name |
|
input.match.event.bavail |
principal.labels [input_match_event_bvail] |
|
input.match.event.blocks |
principal.labels [input_match_event_blocks] |
|
input.match.event.iosize |
principal.labels [input_match_event_iosize] |
|
input.match.event.version |
principal.labels [input_match_event_version] |
|
input.match.event.deadline |
principal.labels [input_match_event_deadline] |
|
input.match.event.flagsExt |
principal.labels [input_match_event_flags_ext] |
|
input.match.event.fsSubType |
principal.labels [input_match_event_fs_subtype] |
|
input.match.event.mntOnName |
principal.labels [input_match_event_mnt_on_name] |
|
input.match.event.fsTypeName |
principal.labels [input_match_event_fs_type_name] |
|
input.match.event.isReadOnly |
principal.labels [input_match_event_is_read_only] |
|
input.match.event.mntFromName |
principal.labels [input_match_event_mnt_from_name] |
|
input.match.event.machTimestamp |
principal.labels [input_match_event_mach_timestamp] |
|
input.match.event.sequenceNumber |
principal.labels [input_match_event_seq_number] |
|
input.match.event.globalSequenceNumber |
principal.labels [input_match_event_global_seq_number] |