本頁面由 Cloud Translation API 翻譯而成。

收集 Jamf Protect 遙測資料 V2 記錄

支援以下發布途徑：

Google secops Siem

本文說明如何設定 Google Security Operations 動態饋給，收集 Jamf Protect 遙測資料第 2 版記錄。這份文件詳細說明如何將 Jamf Protect Telemetry V2 記錄欄位對應至 Google SecOps 中的統一資料模型 (UDM) 欄位，並列出支援的 Jamf Protect Telemetry V2 版本。

詳情請參閱「將資料匯入 Google SecOps」。

一般部署作業會包含 Jamf Protect 遙測資料 V2 和 Google SecOps 動態饋給，並設定為將記錄傳送至 Google SecOps。每個客戶的部署作業可能有所不同，且可能更為複雜。

部署作業包含下列元件：

Jamf Protect Telemetry V2。您收集記錄的 Jamf Protect 遙測 V2 平台。
Google SecOps 動態消息。Google SecOps 動態饋給，可從 Jamf Protect Telemetry 擷取記錄，並將記錄寫入 Google SecOps。
Google SecOps。Google SecOps 會保留並分析 Jamf Protect 遙測資料第 2 版的記錄。

每個記錄都會使用特定剖析器，將資料標準化為統合式資料模型 (UDM)。本文件中的資訊適用於與 JAMF_TELEMETRY_V2 攝入標籤相關聯的剖析器。

事前準備

確認您已設定最新版的 Jamf Protect Telemetry V2。
請確認您使用的是 Jamf Protect 6.3.2 以上版本。
請確認部署架構中的所有系統都已設定世界標準時間。

在 Google SecOps 中設定動態饋給，以便擷取 Jamf Protect Telemetry 第 2 版記錄

您可以使用 Amazon S3 或 webhook 在 Google SecOps 中設定擷取動態饋給，但我們建議使用 Amazon S3。

使用 Amazon S3 在 Google SecOps 中設定擷取動態饋給

依序前往「SIEM 設定」>「動態」。
按一下 [Add New] (新增)。
選取「Amazon S3」做為「來源類型」。
選取「Jamf Protect Telemetry V2」做為「記錄類型」，建立 Jamf Protect Telemetry V2 的動態饋給。
點按「Next」。
設定下列輸入參數：
- S3 URI：指向 S3 容器的 URI。
- URI 是：URI 所指示的物件類型。
- 來源刪除選項：是否要在轉移後刪除檔案或目錄。
- 選取「Access key」或「Secret Access key」：選擇適當的憑證類型。
- 金鑰/權杖：用於存取 S3 資源的共用金鑰或 SAS 權杖。
依序點選「下一步」和「提交」。
複製動態饋給名稱中的動態饋給 ID，以便在 Jamf Protect 追蹤記錄 V2 中使用。

使用 webhook 在 Google SecOps 中設定擷取動態饋給

依序前往「SIEM 設定」>「動態」。
按一下「新增」。
在「動態饋給名稱」欄位中，輸入動態饋給的名稱。
在「Source type」(來源類型) 清單中，選取「Webhook」。
選取「Jamf Protect Telemetry V2」做為「記錄類型」，建立 Jamf Protect Telemetry V2 的動態饋給。
點按「Next」。
選用：指定下列輸入參數的值：
- 分隔符號：用於分隔記錄行 (例如 \n) 的分隔符號。
- 資產命名空間：資產命名空間。
- 攝入標籤：要套用至這個動態饋給事件的標籤。
點按「Next」。
在「完成」畫面中查看新的動態饋給設定，然後按一下「提交」。
按一下「產生密鑰」，即可產生密鑰來驗證這項動態饋給。
複製並妥善儲存密鑰。您無法再次查看這個密鑰。如有需要，您可以重新產生新的密鑰，但這項操作會使先前的密鑰失效。
在「Details」分頁中，從「Endpoint Information」欄位複製動態饋給端點網址。您需要這個 HTTPS 網址來設定 Jamf Protect 追蹤記錄 V2 用戶端應用程式。
按一下 [完成]。

為 webhook 動態饋給建立 API 金鑰

前往 Google Cloud 控制台 >「憑證」。

前往「憑證」
按一下 [Create credentials] (建立憑證)，然後選取 [API key] (API 金鑰)。
將 API 金鑰的存取權限制在 Google Security Operations API。

為 Webhook 動態饋給設定 Jamf Protect Telemetry V2

在 Jamf Protect Telemetry V2 應用程式中，前往相關的動作設定。
按一下「建立動作」，即可新增資料端點。
選取「HTTP」HTTP做為通訊協定。
在「網址」欄位中輸入 Google Security Operations API 端點的 HTTPS 網址。(這是您從 webhook 動態饋給設定複製的「端點資訊」欄位。已經採用必要格式)。
請按照下列格式，在自訂標頭中指定 API 金鑰和密鑰，啟用驗證功能：
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
建議：請以標頭的形式指定 API 金鑰，而非在網址中指定。如果 webhook 用戶端不支援自訂標頭，您可以使用查詢參數，以以下格式指定 API 金鑰和密鑰：
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```
更改下列內容：
- ENDPOINT_URL：動態饋給端點網址。
- API_KEY：用於向 Google Security Operations 驗證的 API 金鑰。
- SECRET：您用來驗證動態饋給而產生的密鑰。
在「收集記錄檔」部分中，選取「遙測」。
點選「提交」。

如要進一步瞭解 Google SecOps 動態饋給，請參閱 Google SecOps 動態饋給說明文件。如要瞭解各個動態饋給類型的規定，請參閱「依類型分類的動態饋給設定」。

如果在建立動態饋給時遇到問題，請與 Google SecOps 支援團隊聯絡。

欄位對應參考資料

本節說明 Google SecOps 剖析器如何將 Jamf Protect 追蹤記錄 V2 欄位對應至 Google SecOps 統一資料模型 (UDM) 欄位。

欄位對應參考資料：事件 ID 與事件類型

下表列出 JAMF_TELEMETRY_V2 記錄類型及其對應的 UDM 事件類型。

Event Identifier	Event Type
`authentication`	`USER_LOGIN`
`bios_uefi`	`STATUS_UPDATE`
`btm_launch_item_add`	`PROCESS_LAUNCH`
`btm_launch_item_remove`	`PROCESS_TERMINATION`
`chroot`	`FILE_MODIFICATION`
`cs_invalidated`	`STATUS_UPDATE`
`exec`	`PROCESS_LAUNCH`
`file_collection`	`STATUS_UPDATE`
`gatekeeper_user_override`	`STATUS_UPDATE`
`kextload`	`STATUS_UPDATE`
`kextunload`	`STATUS_UPDATE`
`log_collection`	`STATUS_UPDATE`
`login_login`	`USER_LOGIN`
`login_logout`	`USER_LOGOUT`
`lw_session_lock`	`USER_LOGOUT`
`lw_session_login`	`USER_LOGIN`
`lw_session_logout`	`USER_LOGOUT`
`lw_session_unlock`	`USER_LOGIN`
`mount`	`STATUS_UPDATE`
`od_attribute_set`	`USER_RESOURCE_UPDATE_CONTENT`
`od_attribute_value_add`	`STATUS_UPDATE`
`od_attribute_value_remove`	`USER_RESOURCE_DELETION`
`od_create_group`	`GROUP_CREATION`
`od_create_user`	`USER_CREATION`
`od_delete_group`	`GROUP_DELETION`
`od_delete_user`	`USER_DELETION`
`od_disable_user`	`USER_UNCATEGORIZED`
`od_enable_user`	`USER_UNCATEGORIZED`
`od_group_add`	`GROUP_MODIFICATION`
`od_group_remove`	`GROUP_MODIFICATION`
`od_group_set`	`GROUP_MODIFICATION`
`od_modify_password`	`USER_CHANGE_PASSWORD`
`openssh_login`	`USER_LOGIN`
`openssh_logout`	`USER_LOGOUT`
`sudo`	`STATUS_UPDATE`
`system_performance`	`STATUS_UPDATE`
`unmount`	`STATUS_UPDATE`
`profile_add`	`SETTING_CREATION`
`profile_remove`	`SETTING_DELETION`
`remount`	`RESOURCE_CREATION`
`screensharing_attach`	`USER_LOGIN`
`screensharing_detach`	`USER_LOGOUT`
`settime`	`STATUS_UPDATE`
`su`	`USER_LOGIN`
`xp_malware_detected`	`SCAN_FILE`
`xp_malware_remediated`	`SCAN_FILE`

欄位對應參考資料：JAMF_TELEMETRY_V2 - 常用欄位

下表列出 JAMF_TELEMETRY_V2 記錄類型的常見欄位，以及對應的 UDM 欄位。

Log field	UDM mapping	Logic
`action.result.result.auth`	`security_result.action`	If the event_type log field value is < `8000`, and not equal to `113` or `112`, and the action.result.result.auth field is equal to 1, then set `security_result.action` to BLOCK. Else, set `security_result.action` to ALLOW
	`principal.platform`	The `principal.platform` UDM field is set to `MAC`.
`uuid`	`metadata.product_log_id`
`time`	`metadata.event_timestamp`
`metadata.product`	`metadata.product_name`
`host.protectVersion`	`metadata.product_version`
`metadata.vendor`	`metadata.vendor_name`
`host.hostname`	`principal.asset.hostname`
`host.os`	`principal.platform_version`
`host.provisioningUDID`	`principal.asset_id`
`host.serial`	`principal.asset.hardware.serial_number`
`host.ips`	`principal.ip`	Iterate through log field `host.ips`, then `host.ips` log field is mapped to the `principal.ip` UDM field.
`event_type`	`additional.fields[event_type]`
`global_seq_num`	`additional.fields[global_seq_num]`
`process.executable.path`	`src.process.file.full_path`
`process.executable.stat.st_dev`	`src.process.file.stat_dev`
`process.executable.stat.st_flags`	`src.process.file.stat_flags`
`process.executable.stat.st_ino`	`src.process.file.stat_inode`
`process.executable.stat.st_mode`	`src.process.file.stat_mode`
`process.executable.stat.st_mtimespec`	`src.process.file.last_modification_time`
`process.executable.stat.st_atimespec`	`src.process.file.last_access_time`
`process.executable.stat.st_nlink`	`src.process.file.stat_nlink`
`process.executable.stat.st_size`	`src.process.file.size`
`process.executable.sha256`	`src.process.file.sha256`
`process.executable.sha1`	`src.process.file.sha1`
`process.signing_id`	`src.process.file.signature_info.codesign.id`
`process.team_id`	`additional.fields[process_team_id]`
`process.ppid`	`additional.fields[process_ppid]`
`process.codesigning_flags`	`additional.fields[process_codesigning_flags]`
`process.cdhash`	`additional.fields[process_cdhash]`
`process.is_platform_binary`	`additional.fields[process_is_platform_binary]`
`process.is_es_client`	`additional.fields[process_is_es_client]`
`process.group_id`	`additional.fields[process_group_id]`
`process.original_ppid`	`additional.fields[process_original_ppid]`
`process.session_id`	`additional.fields[process_session_id]`
`thread.uuid`	`additional.fields[thread_uuid]`
`thread.thread_id`	`additional.fields[thread_id]`
`seq_num`	`additional.fields[seq_num]`
`mach_time`	`additional.fields[mach_time]`
`version`	`additional.fields[version]`
`process.audit_token.euid`	`src.process.euid`
`process.audit_token.ruid`	`src.process.ruid`
`process.audit_token.egid`	`src.process.egid`
`process.audit_token.rgid`	`src.process.rgid`
`process.audit_token.pgid`	`src.process.pgid`
`process.audit_token.pid`	`src.process.pid`
`process.audit_token.uuid`	`src.process.product_specific_process_id`
`process.audit_token.signing_id`	`additional.fields[process_audit_token_signing_id]`
`process.parent_audit_token.euid`	`src.process.parent_process.euid`
`process.parent_audit_token.ruid`	`src.process.parent_process.ruid`
`process.parent_audit_token.egid`	`src.process.parent_process.egid`
`process.parent_audit_token.rgid`	`src.process.parent_process.rgid`
`process.parent_audit_token.pgid`	`src.process.parent_process.pgid`
`process.parent_audit_token.pid`	`src.process.parent_process.pid`
`process.parent_audit_token.uuid`	`src.process.parent_process.product_specific_process_id`
`process.parent_audit_token.signing_id`	`src.process.parent_process.file.signature_info.codesign.id`

欄位對應參考資料：將原始記錄欄位對應至 `event_type` 的 UDM 欄位。

`event_type: remount`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `remount`.
	`metadata.description`	`A file system has been remounted.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `RESOURCE_CREATION`.
	`principal.user.userid`	The `principal.user.userid` UDM field is set to `null`.
`event.remount.statfs.f_owner`	`target.user.userid`
`event.remount.device.size`	`target.file.size`
`event.remount.statfs.f_fstypename`	`target.resource.resource_subtype`
`event.remount.statfs.f_mntfromname`	`src.resource.name`
`event.remount.statfs.f_mntonname`	`target.resource.name`

`event_type: screensharing_attach`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `screensharing_attach`.
	`metadata.description`	`A screen sharing session has attached to a graphical session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
`event.screensharing_attach.source_address`	`src.ip`
`event.screensharing_attach.authentication_username`	`target.user.user_display_name`
`event.screensharing_attach.session_username`	`principal.user.user_display_name`
`event.screensharing_attach.viewer_appleid`	`additional.fields[screensharing_attach.viewer_appleid]`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`.
	`security_result.category`	If the `event.screensharing_attach.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: su`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `su`.
	`metadata.description`	`A user attempts to start a new shell using a substitute user identity.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.su.argv`	`target.process.command_line`	If the `event.su.argc` log field value is not equal to `0` then, iterate through log field `event.su.argv`, then `event.su.argv` log field is mapped to the `target.process.command_line` UDM field.
`event.su.to_uid`	`target.user.userid`
`event.su.to_username`	`target.user.user_display_name`
`event.su.from_uid`	`principal.user.userid`
`event.su.from_username`	`principal.user.user_display_name`

`event_type: settime`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `settime`.
	`metadata.description`	`The system time was attempted to be set.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.

`event_type: screensharing_detach`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `screensharing_detach`.
	`metadata.description`	`A screen sharing session has detached from a graphical session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`target.user.user_display_name`	The `target.user.user_display_name` UDM field is set to `null`.
`event.screensharing_detach.source_address`	`src.ip`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `mechanism`.

`event_type: xp_malware_remediated`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `xp_malware_remediated`.
	`metadata.description`	`Apple's XProtect remediated malware on the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_FILE`.
`action.result.result.auth`	`security_result.action`
`event.xp_malware_remediated.remediated_path`	`target.file.full_path`
`event.xp_malware_remediated.action_type`	`additional.fields[xp_malware_remediated.action_type]`
`event.xp_malware_remediated.success`	`additional.fields[xp_malware_remediated.success]`
`event.xp_malware_remediated.incident_identifier`	`security_result.threat_id`
`event.xp_malware_remediated.malware_identifier`	`security_result.threat_name`
`event.xp_malware_remediated.signature_version`	`security_result.rule_id`

`event_type: xp_malware_detected`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `xp_malware_detected`.
	`metadata.description`	`Apple's XProtect detected malware on the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_FILE`.
`action.result.result.auth`	`security_result.action`
`event.xp_malware_detected.detected_path`	`target.file.full_path`
`event.xp_malware_detected.incident_identifier`	`security_result.threat_id`
`event.xp_malware_detected.malware_identifier`	`security_result.threat_name`

`event_type: authentication`

Log field	UDM mapping	Logic
	`Check additional fields in conf`
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `authentication`.
	`metadata.description`	`A user authentication has occurred.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
`event.authentication.data.od.instigator.audit_token.pid`	`principal.process.pid`
`event.authentication.data.od.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`	`JamfProtect:%{event.authentication.data.od.instigator.audit_token.uuid}` log field is mapped to the `principal.process.product_specific_process_id` UDM field.
`event.authentication.data.od.instigator.audit_token.euid`	`principal.process.euid`
`event.authentication.data.od.instigator.audit_token.ruid`	`principal.process.ruid`
`event.authentication.data.od.instigator.audit_token.rgid`	`principal.process.rgid`
`event.authentication.data.od.instigator.audit_token.pgid`	`principal.process.pgid`
`event.authentication.data.od.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.authentication.data.od.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.authentication.data.od.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.authentication.data.od.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.authentication.data.od.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.authentication.data.od.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.authentication.data.od.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.authentication.data.od.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`	`JamfProtect:%{event.authentication.data.od.instigator.parent_audit_token.uuid}` log field is mapped to the `principal.process.parent_process.product_specific_process_id` UDM field.
`event.authentication.data.od.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.authentication.data.od.instigator.executable.path`	`principal.process.file.full_path`
`event.authentication.data.od.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.authentication.data.od.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.authentication.data.od.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.authentication.data.od.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.authentication.data.od.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.authentication.data.od.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.authentication.data.od.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.authentication.data.od.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.authentication.data.od.instigator.executable.sha256`	`principal.process.file.sha256`
`event.authentication.data.od.instigator.executable.sha1`	`principal.process.file.sha1`
`event.authentication.data.od.instigator.signing_id`	`additional.fields[authentication_data_od_instigator_signing_id]`
`event.authentication.data.od.instigator.team_id`	`additional.fields[authentication_data_od_instigator_team_id]`
`event.authentication.data.od.instigator.ppid`	`rincipal.process.parent_process.pid`
`event.authentication.data.od.instigator.codesigning_flags`	`additional.fields[codesigning_flags]`
`event.authentication.data.od.instigator.cdhash`	`additional.fields[cdhash]`
`event.authentication.data.od.instigator.is_platform_binary`	`additional.fields[is_platform_binary]`
`event.authentication.data.od.instigator.is_es_client`	`additional.fields[is_es_client]`
`event.authentication.data.od.instigator.group_id`	`additional.fields[group_id]`
`event.authentication.data.od.instigator.original_ppid`	`additional.fields[original_ppid]`
`event.authentication.data.od.instigator.session_id`	`additional.fields[session_id]`
`event.authentication.data.touchid.instigator.audit_token.euid`	`principal.process.euid`
`event.authentication.data.touchid.instigator.audit_token.ruid`	`principal.process.ruid`
`event.authentication.data.touchid.instigator.audit_token.egid`	`principal.process.egid`
`event.authentication.data.touchid.instigator.audit_token.rgid`	`principal.process.rgid`
`event.authentication.data.touchid.instigator.audit_token.pgid`	`principal.process.pgid`
`event.authentication.data.touchid.instigator.audit_token.pid`	`principal.process.pid`
`event.authentication.data.touchid.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.authentication.data.touchid.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.authentication.data.touchid.instigator.parent_audit_token.euid`	`principal.parent_process.parent_process.euid`
`event.authentication.data.touchid.instigator.parent_audit_token.ruid`	`principal.parent_process.parent_process.ruid`
`event.authentication.data.touchid.instigator.parent_audit_token.egid`	`principal.parent_process.parent_process.egid`
`event.authentication.data.touchid.instigator.parent_audit_token.rgid`	`principal.parent_process.parent_process.rgid`
`event.authentication.data.touchid.instigator.parent_audit_token.pgid`	`principal.parent_process.parent_process.pgid`
`event.authentication.data.touchid.instigator.parent_audit_token.pid`	`principal.parent_process.parent_process.pid`
`event.authentication.data.touchid.instigator.parent_audit_token.uuid`	`principal.parent_process.product_specific_process_id`
`event.authentication.data.touchid.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.authentication.data.touchid.instigator.executable.path`	`principal.process.file.full_path`
`event.authentication.data.touchid.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.authentication.data.touchid.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.authentication.data.touchid.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.authentication.data.touchid.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.authentication.data.touchid.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.authentication.data.touchid.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.authentication.data.touchid.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.authentication.data.touchid.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.authentication.data.touchid.instigator.executable.sha256`	`principal.process.file.sha256`
`event.authentication.data.touchid.instigator.executable.sha1`	`principal.process.file.sha1`
`event.authentication.data.touchid.instigator.signing_id`	`additional.fields[authentication_data_touch_id_instigator_signing_id]`
`event.authentication.data.touchid.instigator.team_id`	`additional.fields[authentication_data_touch_id_instigator_team_id]`
`event.authentication.data.touchid.instigator.ppid`	`additional.fields[authentication_data_touch_id_instigator_ppid]`
`event.authentication.data.touchid.instigator.codesigning_flags`	`additional.fields[touchid_instigator_codesigning_flags]`
`event.authentication.data.touchid.instigator.cdhash`	`additional.fields[touchid_instigator_cdhash]`
`event.authentication.data.touchid.instigator.is_platform_binary`	`additional.fields[touchid_instigator_is_platform_binary]`
`event.authentication.data.touchid.instigator.is_es_client`	`additional.fields[touchid_instigator_is_es_client]`
`event.authentication.data.touchid.instigator.group_id`	`additional.fields[touchid_instigator_group_id]`
`event.authentication.data.touchid.instigator.original_ppid`	`additional.fields[touchid_instigator_original_ppid]`
`event.authentication.data.touchid.instigator.session_id`	`additional.fields[touchid_instigator_session_id]`
`event.authentication.data.token.instigator.audit_token.euid`	`principal.process.euid`
`event.authentication.data.token.instigator.audit_token.ruid`	`principal.process.ruid`
`event.authentication.data.token.instigator.audit_token.egid`	`principal.process.egid`
`event.authentication.data.token.instigator.audit_token.rgid`	`principal.process.rgid`
`event.authentication.data.token.instigator.audit_token.pgid`	`principal.process.pgid`
`event.authentication.data.token.instigator.audit_token.pid`	`principal.process.pid`
`event.authentication.data.token.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.authentication.data.token.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.authentication.data.token.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.authentication.data.token.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.authentication.data.token.instigator.parent_audit_token.egid`	`process.parent_process.egid`
`event.authentication.data.token.instigator.parent_audit_token.rgid`	`process.parent_process.rgid`
`event.authentication.data.token.instigator.parent_audit_token.pgid`	`process.parent_process.pgid`
`event.authentication.data.token.instigator.parent_audit_token.pid`	`process.parent_process.pid`
`event.authentication.data.token.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.authentication.data.token.instigator.parent_audit_token.signing_id`	`process.parent_process.file.signature_info.codesign.id`
`event.authentication.data.token.instigator.executable.path`	`principal.process.file.full_path`
`event.authentication.data.token.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.authentication.data.token.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.authentication.data.token.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.authentication.data.token.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.authentication.data.token.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.authentication.data.token.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.authentication.data.token.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.authentication.data.token.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.authentication.data.token.instigator.executable.sha256`	`principal.process.file.sha256`
`event.authentication.data.token.instigator.executable.sha1`	`principal.process.file.sha1`
`event.authentication.data.token.instigator.signing_id`	`additional.fields[authentication_data_token_instigator_signing_id]`
`event.authentication.data.token.instigator.team_id`	`additional.fields[authentication_data_token_instigator_team_id]`
`event.authentication.data.token.instigator.ppid`	`additional.fields[authentication_data_token_instigator_ppid]`
`event.authentication.data.token.instigator.codesigning_flags`	`additional.fields[instigator_codesigning_flags]`
`event.authentication.data.token.instigator.cdhash`	`additional.fields[instigator_cdhash]`
`event.authentication.data.token.instigator.is_platform_binary`	`additional.fields[instigator_is_platform_binary]`
`event.authentication.data.token.instigator.is_es_client`	`additional.fields[instigator_is_es_client]`
`event.authentication.data.token.instigator.group_id`	`additional.fields[instigator_group_id]`
`event.authentication.data.token.instigator.original_ppid`	`additional.fields[instigator_original_ppid]`
`event.authentication.data.token.instigator.session_id`	`additional.fields[instigator_session_id]`
`event.authentication.data.od.record_name`	`target.user.user_display_name`
`event.authentication.data.od.db_path`	`additional.fields[db_path]`
`event.authentication.data.od.node_name`	`additional.fields[node_name]`
`event.authentication.data.od.record_type`	`additional.fields[record_type]`
`event.authentication.data.touchid.uid`	`target.user.userid`
`event.authentication.data.touchid.touchid_mode`	`additional.fields[authentication_data_touchid_touchid_mode]`
`event.authentication.data.token.pubkey_hash`	`additional.fields[authentication_data_token_pubkey_hash]`
`event.authentication.data.token.token_id`	`additional.fields[authentication_data_token_token_id]`
`event.authentication.data.token.kerberos_principal`	`additional.fields[authentication_data_token_kerberos_principal]`
`event.authentication.data.auto_unlock.username`	`target.user.user_display_name`
`event.authentication.data.auto_unlock.type`	`additional.fields[authentication_data_auto_unlock_type]`
`event.authentication.type`	`extensions.auth.mechanism`	If the `event.authentication.type` log field value is equal to `0` then, the `extensions.auth.mechanism` UDM field is set to `USERNAME_PASSWORD`. Else If the `event.authentication.type` log field value is equal to `1` then, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_OTHER`. Else If the `event.authentication.type` log field value is equal to `2` then, the `extensions.auth.mechanism` UDM field is set to `HARDWARE_KEY`. Else, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_OTHER`.
`event.authentication.success`	`security_result.category`	If the `event.authentication.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: btm_launch_item_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `btm_launch_item_add`.
	`metadata.description`	`Apple's Background Task Manager notifies that a new persistence item has been added.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_LAUNCH`.
`event.btm_launch_item_add.instigator.audit_token.euid`	`principal.process.euid`
`event.btm_launch_item_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.btm_launch_item_add.instigator.audit_token.egid`	`principal.process.egid`
`event.btm_launch_item_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.btm_launch_item_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.btm_launch_item_add.instigator.audit_token.pid`	`principal.process.pid`
`event.btm_launch_item_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.btm_launch_item_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.btm_launch_item_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.btm_launch_item_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.btm_launch_item_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.btm_launch_item_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.btm_launch_item_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.btm_launch_item_add.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.btm_launch_item_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.btm_launch_item_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.btm_launch_item_add.instigator.executable.path`	`principal.process.file.full_path`
`event.btm_launch_item_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.btm_launch_item_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.btm_launch_item_add.instigator.executable.stat.stat_inode`	`principal.process.file.stat_inode`
`event.btm_launch_item_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.btm_launch_item_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.btm_launch_item_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.btm_launch_item_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.btm_launch_item_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.btm_launch_item_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.btm_launch_item_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.btm_launch_item_add.instigator.signing_id`	`additional.fields[btm_launch_item_add_data_token_instigator_signing_id]`
`event.btm_launch_item_add.instigator.team_id`	`additional.fields[btm_launch_item_add_data_token_instigator_team_id]`
`event.btm_launch_item_add.instigator.ppid`	`additional.fields[btm_launch_item_add_data_token_instigator_ppid]`
`event.btm_launch_item_add.instigator.codesigning_flags`	`additional.fields[btm_launch_item_add_instigator_codesigning_flags]`
`event.btm_launch_item_add.instigator.cdhash`	`additional.fields[btm_launch_item_add_instigator_cdhash]`
`event.btm_launch_item_add.instigator.is_platform_binary`	`additional.fields[btm_launch_item_add_instigator_is_platform_binary]`
`event.btm_launch_item_add.instigator.is_es_client`	`additional.fields[btm_launch_item_add_instigator_is_es_client]`
`event.btm_launch_item_add.instigator.group_id`	`additional.fields[btm_launch_item_add_instigator_group_id]`
`event.btm_launch_item_add.instigator.original_ppid`	`additional.fields[btm_launch_item_add_instigator_original_ppid]`
`event.btm_launch_item_add.instigator.session_id`	`additional.fields[btm_launch_item_add_instigator_session_id]`
`event.btm_launch_item_add.app.audit_token.euid`	`target.process.euid`
`event.btm_launch_item_add.app.audit_token.ruid`	`target.process.ruid`
`event.btm_launch_item_add.app.audit_token.egid`	`target.process.egid`
`event.btm_launch_item_add.app.audit_token.rgid`	`target.process.rgid`
`event.btm_launch_item_add.app.audit_token.pgid`	`target.process.pgid`
`event.btm_launch_item_add.app.audit_token.pid`	`target.process.pid`
`event.btm_launch_item_add.app.audit_token.uuid`	`target.process.product_specific_process_id`
`event.btm_launch_item_add.app.audit_token.signing_id`	`target.process.file.signature_info.codesign.id`
`event.btm_launch_item_add.app.parent_audit_token.euid`	`target.process.parent_process.euid`
`event.btm_launch_item_add.app.parent_audit_token.ruid`	`target.process.parent_process.ruid`
`event.btm_launch_item_add.app.parent_audit_token.egid`	`target.process.parent_process.egid`
`event.btm_launch_item_add.app.parent_audit_token.rgid`	`target.process.parent_process.rgid`
`event.btm_launch_item_add.app.parent_audit_token.pid`	`target.process.parent_process.pid`
`event.btm_launch_item_add.app.parent_audit_token.uuid`	`target.process.parent_process.product_specific_process_id`
`event.btm_launch_item_add.app.parent_audit_token.signing_id`	`target.process.parent_process.file.signature_info.codesign.id`
`event.btm_launch_item_add.app.executable.path`	`target.process.file.full_path`
`event.btm_launch_item_add.app.executable.stat.st_dev`	`target.process.file.stat_dev`
`event.btm_launch_item_add.app.executable.stat.st_flags`	`target.process.file.stat_flags`
`event.btm_launch_item_add.app.executable.stat.st_ino`	`target.process.file.stat_inode`
`event.btm_launch_item_add.app.executable.stat.st_mode`	`target.process.file.stat_mode`
`event.btm_launch_item_add.app.executable.stat.st_mtimespec`	`target.process.file.last_modification_time`
`event.btm_launch_item_add.app.executable.stat.st_atimespec`	`target.process.file.last_access_time`
`event.btm_launch_item_add.app.executable.stat.st_nlink`	`target.process.file.stat_nlink`
`event.btm_launch_item_add.app.executable.stat.st_size`	`target.process.file.size`
`event.btm_launch_item_add.app.executable.sha256`	`target.process.file.sha256`
`event.btm_launch_item_add.app.executable.sha1`	`target.process.file.sha1`
`event.btm_launch_item_add.app.signing_id`	`additional.fields[btm_launch_item_add_app_signing_id]`
`event.btm_launch_item_add.app.team_id`	`additional.fields[btm_launch_item_add_app_team_id]`
`event.btm_launch_item_add.app.ppid`	`additional.fields[btm_launch_item_add_app_ppid]`
`event.btm_launch_item_add.app.codesigning_flags`	`additional.fields[btm_launch_item_add_app_codesigning_flags]`
`event.btm_launch_item_add.app.cdhash`	`additional.fields[btm_launch_item_add_app_cdhash]`
`event.btm_launch_item_add.app.is_platform_binary`	`additional.fields[btm_launch_item_add_app_is_platform_binary]`
`event.btm_launch_item_add.app.is_es_client`	`additional.fields[btm_launch_item_add_app_is_es_client]`
`event.btm_launch_item_add.app.group_id`	`additional.fields[btm_launch_item_add_app_group_id]`
`event.btm_launch_item_add.app.original_ppid`	`additional.fields[btm_launch_item_add_app_group_id]`
`event.btm_launch_item_add.app.session_id`	`additional.fields[btm_launch_item_add_app_session_id]`
`event.btm_launch_item_add.executable_path`	`target.file.full_path`	If the `event.btm_launch_item_add.item.item_type` log field value is equal to `4` or the `event.btm_launch_item_add.item.item_type` log field value is equal to `3` and if the `event.btm_launch_item_add.executable_path` log field value is `not empty` and if the `event.btm_launch_item_add.executable_path` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_add.executable_path` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_add.executable_path` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.executable_path}` log field is mapped to the `target.file.full_path` UDM field. Else If the `event.btm_launch_item_add.item.item_url` log field value is `not empty` and if the `event.btm_launch_item_add.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_add.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_add.item.item_url` log field is mapped to the `target.resource.name` UDM field. Else, `%{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url}` log field is mapped to the `target.resource.name` UDM field.
`event.btm_launch_item_add.item.item_url`	`target.file.full_path`	If the `event.btm_launch_item_add.item.item_type` log field value is equal to `0` or the `event.btm_launch_item_add.item.item_type` log field value is equal to `1` or the `event.btm_launch_item_add.item.item_type` log field value is equal to `2` and if the `event.btm_launch_item_add.item.item_url` log field value is not empty and if the `event.btm_launch_item_add.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_add.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then the `event.btm_launch_item_add.item.item_url` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url}` log field is mapped to the `target.file.full_path` UDM field.
`event.btm_launch_item_add.item.uid`	`target.user.userid`
`event.btm_launch_item_add.item.item_type`	`target.application`	If the `event.btm_launch_item_add.item.item_type` log field value is equal to `0` then, the `target.application` UDM field is set to `USER_ITEM`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `1` then, the `target.application` UDM field is set to `APP`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `2` then, the `target.application` UDM field is set to `LOGIN_ITEM`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `3` then, the `target.application` UDM field is set to `AGENT`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `4` then, the `target.application` UDM field is set to `DAEMON`.
`event.btm_launch_item_add.item.managed`	`additional.fields[btm_launch_item_add_item_managed]`
`event.btm_launch_item_add.item.legacy`	`additional.fields[btm_launch_item_add_item_legacy]`

`event_type: btm_launch_item_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `btm_launch_item_remove`.
	`metadata.description`	`Apple's Background Task Manager notified that an item has been removed.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_TERMINATION`.
`event.btm_launch_item_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.btm_launch_item_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.btm_launch_item_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.btm_launch_item_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.btm_launch_item_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.btm_launch_item_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.btm_launch_item_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.btm_launch_item_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.btm_launch_item_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.btm_launch_item_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.btm_launch_item_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.btm_launch_item_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.btm_launch_item_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.btm_launch_item_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.btm_launch_item_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.btm_launch_item_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.btm_launch_item_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.btm_launch_item_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.btm_launch_item_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.btm_launch_item_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.btm_launch_item_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.btm_launch_item_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.btm_launch_item_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.btm_launch_item_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.btm_launch_item_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.btm_launch_item_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.btm_launch_item_remove.instigator.codesigning_flags`	`additional.fields[btm_launch_item_remove_instigator_codesigning_flags]`
`event.btm_launch_item_remove.instigator.cdhash`	`additional.fields[btm_launch_item_remove_instigator_cdhash]`
`event.btm_launch_item_remove.instigator.is_es_client`	`additional.fields[btm_launch_item_remove_instigator_is_es_client]`
`event.btm_launch_item_remove.instigator.group_id`	`additional.fields[btm_launch_item_remove_instigator_group_id]`
`event.btm_launch_item_remove.instigator.original_ppid`	`additional.fields[btm_launch_item_remove_instigator_original_ppid]`
`event.btm_launch_item_remove.instigator.session_id`	`additional.fields[btm_launch_item_remove_instigator_session_id]`
`event.btm_launch_item_remove.app.audit_token.euid`	`target.process.euid`
`event.btm_launch_item_remove.app.audit_token.ruid`	`target.process.ruid`
`event.btm_launch_item_remove.app.audit_token.egid`	`target.process.egid`
`event.btm_launch_item_remove.app.audit_token.rgid`	`target.process.rgid`
`event.btm_launch_item_remove.app.audit_token.pgid`	`target.process.pgid`
`event.btm_launch_item_remove.app.audit_token.pid`	`target.process.pid`
`event.btm_launch_item_remove.app.audit_token.uuid`	`target.process.product_specific_process_id`
`event.btm_launch_item_remove.app.audit_token.signing_id`	`target.process.file.signature_info.codesign.id`
`event.btm_launch_item_remove.app.parent_audit_token.euid`	`target.process.parent_process.euid`
`event.btm_launch_item_remove.app.parent_audit_token.ruid`	`target.process.parent_process.ruid`
`event.btm_launch_item_remove.app.parent_audit_token.egid`	`target.process.parent_process.egid`
`event.btm_launch_item_remove.app.parent_audit_token.rgid`	`target.process.parent_process.rgid`
`event.btm_launch_item_remove.app.parent_audit_token.pgid`	`target.process.parent_process.pgid`
`event.btm_launch_item_remove.app.parent_audit_token.pid`	`target.process.parent_process.pid`
`event.btm_launch_item_remove.app.parent_audit_token.uuid`	`target.process.parent_process.product_specific_process_id`
`event.btm_launch_item_remove.app.executable.path`	`target.process.file.full_path`
`event.btm_launch_item_remove.app.executable.stat.st_dev`	`target.process.file.stat_dev`
`event.btm_launch_item_remove.app.executable.stat.st_flags`	`target.process.file.stat_flags`
`event.btm_launch_item_remove.app.executable.stat.st_ino`	`target.process.file.stat_inode`
`event.btm_launch_item_remove.app.executable.stat.st_mode`	`target.process.file.stat_mode`
`event.btm_launch_item_remove.app.executable.stat.st_mtimespec`	`target.process.file.last_modification_time`
`event.btm_launch_item_remove.app.executable.stat.st_atimespec`	`target.process.file.last_access_time`
`event.btm_launch_item_remove.app.executable.stat.st_nlink`	`target.process.file.stat_nlink`
`event.btm_launch_item_remove.app.executable.stat.st_size`	`target.process.file.size`
`event.btm_launch_item_remove.app.executable.sha256`	`target.process.file.sha256`
`event.btm_launch_item_remove.app.executable.sha1`	`target.process.file.sha1`
`event.btm_launch_item_remove.app.signing_id`	`additional.fields[btm_launch_item_remove_app_signing_id]`
`event.btm_launch_item_remove.app.team_id`	`additional.fields[btm_launch_item_remove_app_team]`
`event.btm_launch_item_remove.app.ppid`	`additional.fields[btm_launch_item_remove_app_ppid]`
`event.btm_launch_item_remove.app.codesigning_flags`	`additional.fields[btm_launch_item_remove_app_codesigning_flags]`
`event.btm_launch_item_remove.app.cdhash`	`additional.fields[btm_launch_item_remove_app_cdhash]`
`event.btm_launch_item_remove.app.is_platform_binary`	`additional.fields[additional.fields[btm_launch_item_remove_app_cdhash]]`
`event.btm_launch_item_remove.app.is_es_client`	`additional.fields[additional.fields[btm_launch_item_remove_app_is_es_client]]`
`event.btm_launch_item_remove.app.group_id`	`additional.fields[additional.fields[btm_launch_item_remove_app_group_id]]`
`event.btm_launch_item_remove.app.original_ppid`	`additional.fields[additional.fields[btm_launch_item_remove_app_original_ppid]]`
`event.btm_launch_item_remove.app.session_id`	`additional.fields[additional.fields[btm_launch_item_remove_app_session_id]]`
`event.btm_launch_item_remove.item.app_url`	`target.file.full_path`	If the `event.btm_launch_item_remove.item.item_url` log field value is `not empty` and if the `event.btm_launch_item_remove.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_remove.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_remove.item.item_url` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url}` log field is mapped to the `target.file.full_path` UDM field.
`event.btm_launch_item_remove.item.item_url`	`target.file.full_path`	If the `event.btm_launch_item_remove.item.item_url` log field value is `not empty` and if the `event.btm_launch_item_remove.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_remove.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_remove.item.item_url` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url}` log field is mapped to the `target.file.full_path` UDM field.
`event.btm_launch_item_remove.item.uid`	`target.user.userid`
`event.btm_launch_item_remove.executable_path`	`target.file.full_path`
`event.btm_launch_item_remove.item.item_type`	`target.application`	If the `event.btm_launch_item_remove.item.item_type` log field value is equal to `0` then, the `target.application` UDM field is set to `USER_ITEM`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `1` then, the `target.application` UDM field is set to `APP`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `2` then, the `target.application` UDM field is set to `LOGIN_ITEM`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `3` then, the `target.application` UDM field is set to `AGENT`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `4` then, the `target.application` UDM field is set to `DAEMON`.
`event.btm_launch_item_remove.item.managed`	`additional.fields[btm_launch_item_remove_item_managed]`
`event.btm_launch_item_remove.item.legacy`	`additional.fields[btm_launch_item_remove_item_legacy]`
`event.btm_launch_item_remove.app.parent_audit_token.signing_id`	`target.process.parent_process.file.signature_info.codesign.id`

`event_type: chroot`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `chroot`.
	`metadata.description`	`A piece of software has changed its apparent root directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `FILE_MODIFICATION`.
`event.chroot.target.path`	`target.file.full_path`
`event.chroot.target.stat.st_dev`	`target.file.stat_dev`
`event.chroot.target.stat.st_flags`	`target.file.stat_flags`
`event.chroot.target.stat.st_ino`	`target.file.stat_inode`
`event.chroot.target.stat.st_mode`	`target.file.stat_mode`
`event.chroot.target.stat.st_mtimespec`	`target.file.last_modification_time`
`event.chroot.target.stat.st_atimespec`	`target.file.last_access_time`
`event.chroot.target.stat.st_nlink`	`target.file.stat_nlink`
`event.chroot.target.stat.st_size`	`target.file.size`
`event.chroot.target.sha256`	`target.file.sha256`
`event.chroot.target.sha1`	`target.file.sha1`

`event_type: exec`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `exec`.
	`metadata.description`	`An executable has been loaded into memory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_LAUNCH`.
`process.responsible_audit_token.euid`	`principal.process.euid`
`process.responsible_audit_token.ruid`	`principal.process.ruid`
`process.responsible_audit_token.egid`	`principal.process.egid`
`process.responsible_audit_token.rgid`	`principal.process.rgid`
`process.responsible_audit_token.pgid`	`principal.process.pgid`
`process.responsible_audit_token.pid`	`principal.process.pid`
`process.responsible_audit_token.uuid`	`principal.process.product_specific_process_id`
`process.responsible_audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.exec.target.audit_token.euid`	`target.process.euid`
`event.exec.target.audit_token.ruid`	`target.process.ruid`
`event.exec.target.audit_token.egid`	`target.process.egid`
`event.exec.target.audit_token.rgid`	`target.process.rgid`
`event.exec.target.audit_token.pgid`	`target.process.pgid`
`event.exec.target.audit_token.pid`	`target.process.pid`
`event.exec.target.audit_token.uuid`	`target.process.product_specific_process_id`
`event.exec.target.parent_audit_token.euid`	`target.process.parent_process.euid`
`event.exec.target.parent_audit_token.ruid`	`target.process.parent_process.ruid`
`event.exec.target.parent_audit_token.egid`	`target.process.parent_process.egid`
`event.exec.target.parent_audit_token.rgid`	`target.process.parent_process.rgid`
`event.exec.target.parent_audit_token.pgid`	`target.process.parent_process.pgid`
`event.exec.target.parent_audit_token.pid`	`target.process.parent_process.pid`
`event.exec.target.parent_audit_token.uuid`	`target.process.parent_process.product_specific_process_id`
`event.exec.target.parent_audit_token.signing_id`	`target.process.parent_process.file.signature_info.codesign.id`
`event.exec.target.executable.path`	`target.process.file.full_path`
`event.exec.target.executable.stat.st_dev`	`target.process.file.stat_dev`
`event.exec.target.executable.stat.st_flags`	`target.process.file.stat_flags`
`event.exec.target.executable.stat.st_ino`	`target.process.file.stat_inode`
`event.exec.target.executable.stat.st_mode`	`target.process.file.stat_mode`
`event.exec.target.executable.stat.st_mtimespec`	`target.process.file.last_modification_time`
`event.exec.target.executable.stat.st_atimespec`	`target.process.file.last_access_time`
`event.exec.target.executable.stat.st_nlink`	`target.process.file.stat_nlink`
`event.exec.target.executable.stat.st_size`	`target.process.file.size`
`event.exec.target.executable.sha256`	`target.process.file.sha256`
`event.exec.target.executable.sha1`	`target.process.file.sha1`
`event.exec.target.signing_id`	`additional.fields[exec_target_signing_id]`
`event.exec.target.team_id`	`additional.fields[exec_target_team_id]`
`event.exec.target.ppid`	`additional.fields[exec_target_ppid]`
`event.exec.target.codesigning_flags`	`additional.fields[exec_target_codesigning_flags]`
`event.exec.target.cdhash`	`additional.fields[exec_target_cdhash]`
`event.exec.target.is_platform_binary`	`additional.fields[exec_target_is_platform_binary]`
`event.exec.target.is_es_client`	`additional.fields[exec_target_is_es_client]`
`event.exec.target.group_id`	`additional.fields[exec_target_group_id]`
`event.exec.target.original_ppid`	`additional.fields[exec_target_original_ppid]`
`event.exec.target.session_id`	`additional.fields[exec_target_session_id]`
`event.exec.args`	`target.process.command_line`
`event.exec.cwd.path`	`additional.fields[exec_cwd_path]`
`event.exec.dyld_exec_path`	`additional.fields[exec_dyld_exec_path]`
`event.exec.script.path`	`additional.fields[exec_script_path]`
`event.exec.tty.path`	`additional.fields[exec_tty_path]`
`event.exec.image_cpusubtype`	`additional.fields[exec_image_cpusubtype]`
`event.exec.image_cputype`	`additional.fields[exec_image_cputype]`
`event.exec.target.audit_token.signing_id`	`target.process.file.signature_info.codesign.id`

`event_type: file_collection`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `file_collection`.
	`metadata.description`	`Event occurs when data from a Diagnsostic or Crash Report file is collected from the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.file_collection.path`	`target.file.path`
`event.file_collection.size`	`target.file.size`
`event.file_collection.contents`	`additional.fields[file_collection_contents]`

`event_type: kextload`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `kextload`.
	`metadata.description`	`A kernel extension (kext) was loaded.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.kextload.identifier`	`target.resource.name`

`event_type: kextunload`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `kextunload`.
	`metadata.description`	`A kernel extension (kext) was unloaded.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.kextunload.identifier`	`target.resource.name`

`event_type: log_collection`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `log_collection`.
	`metadata.description`	`Collection of entries from a local log file.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.log_collection.texts`	`target.file.names`
`event.log_collection.path.0`	`target.file.full_path`

`event_type: login_login`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `login_login`.
	`metadata.description`	`A user attempted to log in via /usr/bin/login.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.login_login.uid`	`target.user.userid`
`event.login_login.username`	`target.user.user_display_name`
`event.login_login.success`	`security_result.category`	If the `event.login_login.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.
`event.login_login.failure_message`	`security_result.category_details`	If the `event.login_login.success` log field value is equal to `false` then, `event.login_login.failure_message` log field is mapped to the `security_result.category_details` UDM field.

`event_type: login_logout`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `login_logout`.
	`metadata.description`	`A user logged out via /usr/bin/login.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.login_logout.uid`	`target.user.userid`
`event.login_logout.username`	`target.user.user_display_name`

`event_type: lw_session_login`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_login`.
	`metadata.description`	`A user has logged in via the Login Window.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_login.username`	`target.user.user_display_name`

`event_type: bios_uefi`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `bios_uefi`.
	`metadata.description`	`Information about the current version of bios and uefi on the device.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.bios_uefi.firmware-version`	`additional.fields[bios_uefi_firmware_version]`
`event.bios_uefi.system-firmware-version`	`additional.fields[bios_uefi_system_firmware_version]`
`event.bios_uefi.architecture`	`additional.fields[bios_uefi_architecture]`
`event.bios_uefi.bios.firmware-version`	`additional.fields[bios_uefi_bios_firmware_version]`
`event.bios_uefi.bios.vendor`	`additional.fields[bios_uefi_bios_vendor]`
`event.bios_uefi.bios.firmware-features`	`additional.fields[bios_uefi_bios_firmware_features]`
`event.bios_uefi.bios.rom-size`	`additional.fields[bios_uefi_bios_rom_size]`
`event.bios_uefi.bios.booter-version`	`additional.fields[bios_uefi_bios_booter_version]`

`event_type: cs_invalidated`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `cs_invalidated`.
	`metadata.description`	`A process has had its code signature marked as invalid.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.

`event_type: gatekeeper_user_override`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `gatekeeper_user_override`.
	`metadata.description`	`A user overrides Gatekeeper.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.gatekeeper_user_override.file.path`	`target.file.full_path`
`event.gatekeeper_user_override.file.stat.st_dev`	`target.file.stat_dev`
`event.gatekeeper_user_override.file.stat.st_flags`	`target.file.stat_flags`
`event.gatekeeper_user_override.file.stat.st_ino`	`target.file.stat_inode`
`event.gatekeeper_user_override.file.stat.st_mode`	`target.file.stat_mode`
`event.gatekeeper_user_override.file.stat.st_mtimespec`	`target.file.last_modification_time`
`event.gatekeeper_user_override.file.stat.st_atimespec`	`target.file.last_access_time`
`event.gatekeeper_user_override.file.stat.st_nlink`	`target.file.stat_nlink`
`event.gatekeeper_user_override.file.stat.st_size`	`target.file.size`
`event.gatekeeper_user_override.file.sha256`	`target.file.sha256`
`event.gatekeeper_user_override.file.sha1`	`target.file.sha1`
`event.gatekeeper_user_override.signing_info.signing_id`	`additional.fields[exec_gatekeeper_user_override_signing_info_signing_id]`
`event.gatekeeper_user_override.signing_info.team_id`	`additional.fields[gatekeeper_user_override_signing_info_team_id]`
`event.gatekeeper_user_override.signing_info.cdhash`	`additional.fields[gatekeeper_user_override_signing_info_cdhash]`
`event.gatekeeper_user_override.file_type`	`additional.fields[gatekeeper_user_override_file_type]`
`event.gatekeeper_user_override.sha256`	`additional.fields[gatekeeper_user_override_sha256]`

`event_type: lw_session_unlock`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_unlock`.
	`metadata.description`	`A user has unlocked the screen from the Login Window.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_unlock.username`	`target.user.user_display_name`

`event_type: lw_session_lock`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_lock`.
	`metadata.description`	`A user has locked the screen.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_lock.username`	`target.user.user_display_name`

`event_type: lw_session_logout`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_logout`.
	`metadata.description`	`A user has logged out of an active graphical session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_logout.username`	`target.user.user_display_name`

`event_type: mount`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `mount`.
	`metadata.description`	`A file system has been mounted.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.mount.statfs.f_owner`	`principal.user.userid`
`event.mount.device.size`	`target.file.size`
`event.mount.statfs.f_fstypename`	`target.resource.resource_subtype`
`event.mount.statfs.f_mntfromname`	`src.resource.name`
`event.mount.statfs.f_mntonname`	`target.resource.name`
`event.mount.device.protocol`	`additional.fields[mount_device_protocol]`
`event.mount.disposition`	`additional.fields[mount_disposition]`
`event.mount.device.serial_number`	`target.asset.hardware.serial_number`	If the `event.mount.device.serial_number` log field value is `not empty` or the `event.mount.device.vendor_name` log field value is `not empty` or the `event.mount.device.device_model` log field value is `not empty` then, `event.mount.device.serial_number` log field is mapped to the `target.asset.hardware.serial_number` UDM field.
`event.mount.device.vendor_name`	`target.asset.hardware.manufacturer`	If the `event.mount.device.serial_number` log field value is `not empty` or the `event.mount.device.vendor_name` log field value is `not empty` or the `event.mount.device.device_model` log field value is `not empty` then, `event.mount.device.vendor_name` log field is mapped to the `target.asset.hardware.manufacturer` UDM field.
`event.mount.device.device_model`	`target.asset.hardware.model`	If the `event.mount.device.serial_number` log field value is `not empty` or the `event.mount.device.vendor_name` log field value is `not empty` or the `event.mount.device.device_model` log field value is `not empty` then, `event.mount.device.device_model` log field is mapped to the `target.asset.hardware.model` UDM field.

`event_type: od_attribute_set`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_attribute_set`.
	`metadata.description`	`Attribute set on user or group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_RESOURCE_UPDATE_CONTENT`.
`event.od_attribute_set.instigator.audit_token.euid`	`principal.process.euid`
`event.od_attribute_set.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_attribute_set.instigator.audit_token.egid`	`principal.process.egid`
`event.od_attribute_set.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_attribute_set.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_attribute_set.instigator.audit_token.pid`	`principal.process.pid`
`event.od_attribute_set.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_attribute_set.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_attribute_set.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_attribute_set.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_attribute_set.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_attribute_set.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_attribute_set.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_attribute_set.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_attribute_set.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_attribute_set.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_attribute_set.instigator.executable.path`	`principal.process.file.full_path`
`event.od_attribute_set.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_attribute_set.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_attribute_set.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_attribute_set.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_attribute_set.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_attribute_set.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_set.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_set.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_attribute_set.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_attribute_set.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_attribute_set.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_attribute_set.instigator.signing_id`	`additional.fields[od_attribute_set_instigator_signing_id]`
`event.od_attribute_set.instigator.team_id`	`additional.fields[od_attribute_set_instigator_team_id]`
`event.od_attribute_set.instigator.ppid`	`additional.fields[od_attribute_set_instigator_codesigning_flags]`
`event.od_attribute_set.instigator.codesigning_flags`	`additional.fields[od_attribute_set_instigator_ppid]`
`event.od_attribute_set.instigator.cdhash`	`additional.fields[od_attribute_set_instigator_cdhash]`
`event.od_attribute_set.instigator.is_platform_binary`	`additional.fields[od_attribute_set_instigator_is_platform_binary]`
`event.od_attribute_set.instigator.is_es_client`	`additional.fields[od_attribute_set_instigator_is_es_client]`
`event.od_attribute_set.instigator.group_id`	`additional.fields[od_attribute_set_instigator_group_id]`
`event.od_attribute_set.instigator.original_ppid`	`additional.fields[od_attribute_set_instigator_original_ppid]`
`event.od_attribute_set.instigator.session_id`	`additional.fields[od_attribute_set_instigator_session_id]`
`event.od_attribute_set.attribute_name`	`target.resource.resource_subtype`
`event.od_attribute_value_add.attribute_value`	`target.resource.name`
`event.od_attribute_set.record_name`	`target.user.user_display_name`
`event.od_attribute_set.instigator_token.euid`	`principal.user.userid`
`event.od_attribute_set.db_path`	`additional.fields[event_od_attribute_set_db_path]`
`event.od_attribute_set.node_name`	`additional.fields[event_od_attribute_set_node_name]`
`event.od_attribute_set.record_type`	`additional.fields[event_od_attribute_set_record_type]`
`event.od_attribute_set.error_code`	`additional.fields[event_od_attribute_set_error_code]`

`event_type: od_attribute_value_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_attribute_value_add`.
	`metadata.description`	`Attribute set on user or group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.od_attribute_value_add.instigator.audit_token.euid`	`principal.process.euid`
`event.od_attribute_value_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_attribute_value_add.instigator.audit_token.egid`	`principal.process.egid`
`event.od_attribute_value_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_attribute_value_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_attribute_value_add.instigator.audit_token.pid`	`principal.process.pid`
`event.od_attribute_value_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_attribute_value_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_attribute_value_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_attribute_value_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_attribute_value_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_attribute_value_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_attribute_value_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_attribute_set.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_attribute_value_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_attribute_value_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_attribute_value_add.instigator.executable.path`	`principal.process.file.full_path`
`event.od_attribute_value_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_attribute_value_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_attribute_value_add.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_attribute_value_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_attribute_value_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_attribute_value_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_value_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_attribute_value_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_attribute_value_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_attribute_value_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_attribute_value_add.instigator.signing_id`	`additional.fields[od_attribute_value_add_instigator_signing_id]`
`event.od_attribute_value_add.instigator.team_id`	`additional.fields[od_attribute_value_add_instigator_team_id]`
`event.od_attribute_value_add.instigator.ppid`	`additional.fields[od_attribute_value_add_instigator_ppid]`
`event.od_attribute_value_add.instigator.codesigning_flags`	`additional.fields[od_attribute_set_instigator_codesigning_flags]`
`event.od_attribute_value_add.instigator.cdhash`	`additional.fields[od_attribute_value_add_instigator_codesigning_flags]`
`event.od_attribute_value_add.instigator.is_platform_binary`	`additional.fields[od_attribute_set_instigator_is_platform_binary]`
`event.od_attribute_value_add.instigator.is_es_client`	`additional.fields[od_attribute_value_add_instigator_is_es_client]`
`event.od_attribute_value_add.instigator.group_id`	`additional.fields[od_attribute_value_add_instigator_group_id]`
`event.od_attribute_value_add.instigator.original_ppid`	`additional.fields[od_attribute_value_add_instigator_original_pp]`
`event.od_attribute_value_add.instigator.session_id`	`additional.fields[od_attribute_value_add_instigator_session_id]`
`event.od_attribute_value_add.attribute_name`	`target.resource.resource_subtype`
`event.od_attribute_value_add.attribute_value`	`target.resource.name`
`event.od_attribute_value_add.record_name`	`target.user.user_display_name`
`event.od_attribute_value_add.db_path`	`additional.fields[od_attribute_value_add_db_path]`
`event.od_attribute_value_add.node_name`	`additional.fields[od_attribute_value_add_node_name]`
`event.od_attribute_value_add.record_type`	`additional.fields[od_attribute_value_add_record_type]`
`event.od_attribute_value_add.error_code`	`additional.fields[od_attribute_value_add_error_code]`

`event_type: od_attribute_value_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_attribute_value_remove`.
	`metadata.description`	`Attribute removed from a user or group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_RESOURCE_DELETION`.
`event.od_attribute_value_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.od_attribute_value_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_attribute_value_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.od_attribute_value_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_attribute_value_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_attribute_value_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.od_attribute_value_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_attribute_value_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_attribute_value_remove.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_attribute_value_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_attribute_value_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_attribute_value_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_attribute_value_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_attribute_value_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_attribute_value_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_attribute_value_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_attribute_value_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.od_attribute_value_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_attribute_value_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_attribute_value_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_attribute_value_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_attribute_value_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_attribute_value_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_value_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_attribute_value_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_attribute_value_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_attribute_value_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_attribute_value_remove.instigator.codesigning_flags`	`additional.fields[od_attribute_value_remove_instigator_codesigning_flags]`
`event.od_attribute_value_remove.instigator.cdhash`	`additional.fields[od_attribute_value_remove_instigator_codesigning_flags]`
`event.od_attribute_value_remove.instigator.is_platform_binary`	`additional.fields[od_attribute_value_remove_instigator_is_platform_binary]`
`event.od_attribute_value_remove.instigator.is_es_client`	`additional.fields[od_attribute_value_remove_instigator_is_es_client]`
`event.od_attribute_value_remove.instigator.group_id`	`additional.fields[od_attribute_value_remove_instigator_group_id]`
`event.od_attribute_value_remove.instigator.original_ppid`	`additional.fields[od_attribute_value_remove_instigator_original_pp]`
`event.od_attribute_value_remove.instigator.session_id`	`additional.fields[od_attribute_value_remove_instigator_session_id]`
`event.od_attribute_value_remove.attribute_name`	`target.resource.resource_subtype`
`event.od_attribute_value_remove.attribute_value`	`target.resource.name`
`event.od_attribute_value_remove.record_name`	`target.user.user_display_name`
`event.od_attribute_value_remove.db_path`	`additional.fields[od_attribute_value_remove_db_path]`
`event.od_attribute_value_remove.node_name`	`additional.fields[od_attribute_value_remove_node_name]`
`event.od_attribute_value_remove.record_type`	`additional.fields[od_attribute_value_remove_record_type]`
`event.od_attribute_value_remove.error_code`	`additional.fields[od_attribute_value_remove_error_code]`

`event_type: od_create_group`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_create_group`.
	`metadata.description`	`A group has been created using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_CREATION`.
`event.od_create_group.instigator.audit_token.euid`	`principal.process.euid`
`event.od_create_group.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_create_group.instigator.audit_token.egid`	`principal.process.egid`
`event.od_create_group.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_create_group.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_create_group.instigator.audit_token.pid`	`principal.process.pid`
`event.od_create_group.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_create_group.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_create_group.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_create_group.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_create_group.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_create_group.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_create_group.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_create_group.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_create_group.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_create_group.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_create_group.instigator.executable.path`	`principal.process.file.full_path`
`event.od_create_group.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_create_group.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_create_group.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_create_group.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_create_group.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_create_group.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_create_group.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_create_group.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_create_group.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_create_group.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_create_group.instigator.signing_id`	`additional.fields[od_create_group_instigator_signing_id]`
`event.od_create_group.instigator.team_id`	`additional.fields[od_create_group_instigator_team_id]`
`event.od_create_group.instigator.ppid`	`additional.fields[od_create_group_instigator_ppid]`
`event.od_create_group.instigator.codesigning_flags`	`additional.fields[od_create_group_instigator_codesigning_flags]`
`event.od_create_group.instigator.cdhash`	`additional.fields[od_create_group_instigator_cdhash]`
`event.od_create_group.instigator.is_platform_binary`	`additional.fields[od_create_group_instigator_is_platform_binary]`
`event.od_create_group.instigator.is_es_client`	`additional.fields[od_create_group_instigator_is_es_client]`
`event.od_create_group.instigator.group_id`	`additional.fields[od_create_group_instigator_group_id]`
`event.od_create_group.instigator.original_ppid`	`additional.fields[od_create_group_instigator_original_pp]`
`event.od_create_group.instigator.session_id`	`additional.fields[od_create_group_instigator_session_id]`
`event.od_create_group.group_name`	`target.group.group_display_name`
`event.od_create_group.instigator_token.euid`	`principal.user.userid`
`od_create_group.db_path`	`additional.fields[od_create_group_db_path]`
`event.od_create_group.node_name`	`additional.fields[od_create_group_node_name]`
`event.od_create_group.error_code`	`additional.fields[od_create_group_error_code]`

`event_type: od_delete_group`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_delete_group`.
	`metadata.description`	`A group has been deleted using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_DELETION`.
`event.od_delete_group.instigator.audit_token.euid`	`principal.process.euid`
`event.od_delete_group.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_delete_group.instigator.audit_token.egid`	`principal.process.egid`
`event.od_delete_group.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_delete_group.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_delete_group.instigator.audit_token.pid`	`principal.process.pid`
`event.od_delete_group.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_delete_group.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_delete_group.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_delete_group.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_delete_group.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_delete_group.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_delete_group.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_delete_group.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_delete_group.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_delete_group.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_delete_group.instigator.executable.path`	`principal.process.file.full_path`
`event.od_delete_group.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_delete_group.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_delete_group.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_delete_group.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_delete_group.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_delete_group.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_delete_group.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_delete_group.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_delete_group.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_delete_group.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_delete_group.instigator.signing_id`	`additional.fields[od_delete_group_instigator_signing_id]`
`event.od_delete_group.instigator.team_id`	`additional.fields[od_delete_group_instigator_team_id]`
`event.od_delete_group.instigator.ppid`	`additional.fields[od_delete_group_instigator_ppid]`
`event.od_delete_group.instigator.codesigning_flags`	`additional.fields[od_delete_group_instigator_codesigning_flags]`
`event.od_delete_group.instigator.cdhash`	`additional.fields[od_delete_group_instigator_cdhash]`
`event.od_delete_group.instigator.is_platform_binary`	`additional.fields[od_delete_group_instigator_is_platform_binary]`
`event.od_delete_group.instigator.is_es_client`	`additional.fields[od_delete_group_instigator_is_es_client]`
`event.od_delete_group.instigator.group_id`	`additional.fields[od_delete_group_instigator_group_id]`
`event.od_delete_group.instigator.original_ppid`	`additional.fields[od_delete_group_instigator_original_pp]`
`event.od_delete_group.instigator.session_id`	`additional.fields[od_delete_group_instigator_session_id]`
`event.od_delete_group.group_name`	`target.group.group_display_name`
`event.od_delete_group.instigator_token.euid`	`principal.user.userid`
`od_delete_group.db_path`	`additional.fields[od_delete_group_db_path]`
`event.od_delete_group.node_name`	`additional.fields[od_delete_group_node_name]`
`event.od_delete_group.error_code`	`additional.fields[od_delete_group_error_code]`

`event_type: od_create_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_create_user`.
	`metadata.description`	`A user has been created using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_CREATION`.
`event.od_create_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_create_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_create_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_create_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_create_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_create_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_create_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_create_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_create_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_create_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_create_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_create_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_create_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_create_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_create_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_create_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_create_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_create_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_create_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_create_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_create_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_create_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_create_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_create_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_create_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_create_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_create_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_create_user.instigator.signing_id`	`additional.fields[od_create_user_instigator_signing_id]`
`event.od_create_user.instigator.team_id`	`additional.fields[od_create_user_instigator_team_id]`
`event.od_create_user.instigator.ppid`	`additional.fields[od_create_user_instigator_ppid]`
`event.od_create_user.instigator.codesigning_flags`	`additional.fields[od_create_user_instigator_codesigning_flags]`
`event.od_create_user.instigator.cdhash`	`additional.fields[od_create_user_instigator_cdhash]`
`event.od_create_user.instigator.is_platform_binary`	`additional.fields[od_create_user_instigator_is_platform_binary]`
`event.od_create_user.instigator.is_es_client`	`additional.fields[od_create_user_instigator_is_es_client]`
`event.od_create_user.instigator.group_id`	`additional.fields[od_create_user_instigator_group_id]`
`event.od_create_user.instigator.original_ppid`	`additional.fields[od_create_user_instigator_original_pp]`
`event.od_create_user.instigator.session_id`	`additional.fields[od_create_user_instigator_session_id]`
`event.od_create_user.user_name`	`target.user.userid`
`event.od_create_user.instigator_token.euid`	`principal.user.userid`
`event.od_create_user.db_path`	`additional.fields[od_create_user_db_path]`
`event.od_create_user.node_name`	`additional.fields[od_create_user_node_name]`
`event.od_create_user.error_code`	`additional.fields[od_create_user_error_code]`

`event_type: od_delete_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_delete_user`.
	`metadata.description`	`A user has been deleted using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_DELETION`.
`event.od_delete_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_delete_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_delete_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_delete_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_delete_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_delete_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_delete_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_delete_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_delete_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_delete_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_delete_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_delete_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_delete_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_delete_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_delete_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_delete_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_delete_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_delete_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_delete_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_delete_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_delete_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_delete_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_delete_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_delete_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_delete_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_delete_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_delete_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_delete_user.instigator.signing_id`	`additional.fields[od_delete_user_instigator_signing_id]`
`event.od_delete_user.instigator.team_id`	`additional.fields[od_delete_user_instigator_team_id]`
`event.od_delete_user.instigator.ppid`	`additional.fields[od_delete_user_instigator_ppid]`
`event.od_delete_user.instigator.codesigning_flags`	`additional.fields[od_delete_user_instigator_codesigning_flags]`
`event.od_delete_user.instigator.cdhash`	`additional.fields[od_delete_user_instigator_cdhash]`
`event.od_delete_user.instigator.is_platform_binary`	`additional.fields[od_delete_user_instigator_is_platform_binary]`
`event.od_delete_user.instigator.is_es_client`	`additional.fields[od_delete_user_instigator_is_es_client]`
`event.od_delete_user.instigator.group_id`	`additional.fields[od_delete_user_instigator_group_id]`
`event.od_delete_user.instigator.original_ppid`	`additional.fields[od_delete_user_instigator_original_pp]`
`event.od_delete_user.instigator.session_id`	`additional.fields[od_delete_user_instigator_session_id]`
`event.od_delete_user.user_name`	`target.user.userid`
`event.od_delete_user.instigator_token.euid`	`principal.user.userid`
`event.od_delete_user.db_path`	`additional.fields[od_delete_user_db_path]`
`event.od_delete_user.node_name`	`additional.fields[od_delete_user_node_name]`
`event.od_delete_user.error_code`	`additional.fields[od_delete_user_error_code]`
`event.od_disable_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`

`event_type: od_disable_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_disable_user`.
	`metadata.description`	`A user has been disabled using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_UNCATEGORIZED`.
`event.od_disable_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_disable_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_disable_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_disable_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_disable_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_disable_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_disable_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_disable_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_disable_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_disable_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_disable_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_disable_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_disable_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_disable_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_disable_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_disable_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_disable_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_disable_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_disable_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_disable_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_disable_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_disable_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_disable_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_disable_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_disable_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_disable_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_disable_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_disable_user.instigator.codesigning_flags`	`additional.fields[od_disable_user_instigator_codesigning_flags]`
`event.od_disable_user.instigator.cdhash`	`additional.fields[od_disable_user_instigator_codesigning_flags]`
`event.od_disable_user.instigator.is_platform_binary`	`additional.fields[od_disable_user_instigator_is_platform_binary]`
`event.od_disable_user.instigator.is_es_client`	`additional.fields[od_disable_user_instigator_is_es_client]`
`event.od_disable_user.instigator.group_id`	`additional.fields[od_disable_user_instigator_group_id]`
`event.od_disable_user.instigator.original_ppid`	`additional.fields[od_disable_user_instigator_original_pp]`
`event.od_disable_user.instigator.session_id`	`additional.fields[od_disable_user_instigator_session_id]`
`event.od_disable_user.user_name`	`target.user.user_display_name`
`event.od_disable_user.instigator_token.euid`	`principal.user.userid`
`event.od_disable_user.db_path`	`additional.fields[od_disable_user_db_path]`
`event.od_disable_user.node_name`	`additional.fields[od_disable_user_node_name]`
`event.od_disable_user.error_code`	`additional.fields[od_disable_user_error_code]`

`event_type: od_enable_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_enable_user`.
	`metadata.description`	`A user has been enabled using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_UNCATEGORIZED`.
`event.od_enable_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_enable_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_enable_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_enable_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_enable_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_enable_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_enable_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_enable_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_enable_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_enable_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_enable_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_enable_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_enable_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_enable_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_enable_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_enable_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_enable_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_enable_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_enable_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_enable_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_enable_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_enable_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_enable_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_enable_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_enable_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_enable_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_enable_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_enable_user.instigator.signing_id`	`additional.fields[od_enable_user_instigator_signing_id]`
`event.od_enable_user.instigator.team_id`	`additional.fields[od_enable_user_instigator_team_id]`
`event.od_enable_user.instigator.ppid`	`additional.fields[od_enable_user_instigator_ppid]`
`event.od_enable_user.instigator.codesigning_flags`	`additional.fields[od_enable_user_instigator_codesigning_flags]`
`event.od_enable_user.instigator.cdhash`	`additional.fields[od_enable_user_instigator_cdhash]`
`event.od_enable_user.instigator.is_platform_binary`	`additional.fields[od_enable_user_instigator_is_platform_binary]`
`event.od_enable_user.instigator.is_es_client`	`additional.fields[od_enable_user_instigator_is_es_client]`
`event.od_enable_user.instigator.group_id`	`additional.fields[od_enable_user_instigator_group_id]`
`event.od_enable_user.instigator.original_ppid`	`additional.fields[od_enable_user_instigator_original_pp]`
`event.od_enable_user.instigator.session_id`	`additional.fields[od_enable_user_instigator_session_id]`
`event.od_enable_user.user_name`	`target.user.user_display_name`
`event.od_enable_user.instigator_token.euid`	`principal.user.userid`
`event.od_enable_user.db_path`	`additional.fields[od_enable_user_db_path]`
`event.od_enable_user.node_name`	`additional.fields[od_enable_user_node_name]`
`event.od_enable_user.error_code`	`additional.fields[od_enable_user_error_code]`

`event_type: od_group_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_group_add`.
	`metadata.description`	`A member has been added to a group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_MODIFICATION`.
`event.od_group_add.instigator.audit_token.euid`	`principal.process.euid`
`event.od_group_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_group_add.instigator.audit_token.egid`	`principal.process.egid`
`event.od_group_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_group_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_group_add.instigator.audit_token.pid`	`principal.process.pid`
`event.od_group_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_group_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_group_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_group_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_group_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_group_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_group_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_group_add.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_group_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_group_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_group_add.instigator.executable.path`	`principal.process.file.full_path`
`event.od_group_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_group_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_group_add.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_group_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_group_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_group_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_group_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_group_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_group_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_group_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_group_add.instigator.signing_id`	`additional.fields[od_group_add_instigator_signing_id]`
`event.od_group_add.instigator.team_id`	`additional.fields[od_group_add_instigator_team_id]`
`event.od_group_add.instigator.ppid`	`additional.fields[od_group_add_instigator_ppid]`
`event.od_group_add.instigator.codesigning_flags`	`additional.fields[od_group_add_instigator_codesigning_flags]`
`event.od_group_add.instigator.cdhash`	`additional.fields[od_group_add_instigator_cdhash]`
`event.od_group_add.instigator.is_platform_binary`	`additional.fields[od_group_add_instigator_is_platform_binary]`
`event.od_group_add.instigator.is_es_client`	`additional.fields[od_group_add_instigator_is_es_client]`
`event.od_group_add.instigator.group_id`	`additional.fields[od_group_add_instigator_group_id]`
`event.od_group_add.instigator.original_ppid`	`additional.fields[od_group_add_instigator_original_pp]`
`event.od_group_add.instigator.session_id`	`additional.fields[od_group_add_instigator_session_id]`
`event.od_group_add.group_name`	`target.group.group_display_name`
`event.od_group_add.member.member_value`	`target.user.user_display_name`
`event.od_group_add.instigator_token.euid`	`principal.user.userid`
`event.od_group_add.db_path`	`additional.fields[od_group_add_db_path]`
`event.od_group_add.node_name`	`additional.fields[od_group_add_node_name]`
`event.od_group_add.error_code`	`additional.fields[od_group_add_error_code]`

`event_type: od_group_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_group_remove`.
	`metadata.description`	`A member has been removed from a group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_MODIFICATION`.
`event.od_group_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.od_group_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_group_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.od_group_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_group_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_group_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.od_group_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_group_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_group_remove.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_group_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_group_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_group_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_group_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_group_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_group_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_group_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_group_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.od_group_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_group_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_group_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_group_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_group_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_group_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_group_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_group_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_group_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_group_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_group_remove.instigator.signing_id`	`additional.fields[od_group_remove_instigator_signing_id]`
`event.od_group_remove.instigator.team_id`	`additional.fields[od_group_remove_instigator_team_id]`
`event.od_group_remove.instigator.ppid`	`additional.fields[od_group_remove_instigator_ppid]`
`event.od_group_remove.instigator.codesigning_flags`	`additional.fields[od_group_remove_instigator_codesigning_flags]`
`event.od_group_remove.instigator.cdhash`	`additional.fields[od_group_remove_instigator_cdhash]`
`event.od_group_remove.instigator.is_platform_binary`	`additional.fields[od_group_remove_instigator_is_platform_binary]`
`event.od_group_remove.instigator.is_es_client`	`additional.fields[od_group_remove_instigator_is_es_client]`
`event.od_group_remove.instigator.group_id`	`additional.fields[od_group_remove_instigator_group_id]`
`event.od_group_remove.instigator.original_ppid`	`additional.fields[od_group_remove_instigator_original_pp]`
`event.od_group_remove.instigator.session_id`	`additional.fields[od_group_remove_instigator_session_id]`
`event.od_group_remove.group_name`	`target.group.group_display_name`
`event.od_group_remove.member.member_value`	`target.user.user_display_name`
`event.od_group_remove.instigator_token.euid`	`principal.user.userid`
`event.od_group_remove.db_path`	`additional.fields[od_group_remove_db_path]`
`event.od_group_remove.node_name`	`additional.fields[od_group_remove_node_name]`
`event.od_group_remove.error_code`	`additional.fields[od_group_remove_error_code]`

`event_type: od_group_set`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_group_set`.
	`metadata.description`	`A group has a member initialized or replaced using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_MODIFICATION`.
`event.od_group_set.instigator.audit_token.euid`	`principal.process.euid`
`event.od_group_set.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_group_set.instigator.audit_token.egid`	`principal.process.egid`
`event.od_group_set.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_group_set.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_group_set.instigator.audit_token.pid`	`principal.process.pid`
`event.od_group_set.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_group_set.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_group_set.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_group_set.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_group_set.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_group_set.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_group_set.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_group_set.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_group_set.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_group_set.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_group_set.instigator.executable.path`	`principal.process.file.full_path`
`event.od_group_set.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_group_set.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_group_set.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_group_set.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_group_set.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_group_set.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_group_set.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_group_set.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_group_set.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_group_set.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_group_set.instigator.signing_id`	`additional.fields[od_group_set_instigator_signing_id]`
`event.od_group_set.instigator.team_id`	`additional.fields[od_group_set_instigator_team_id]`
`event.od_group_set.instigator.ppid`	`additional.fields[od_group_set_instigator_ppid]`
`event.od_group_set.instigator.codesigning_flags`	`additional.fields[od_group_set_instigator_codesigning_flags]`
`event.od_group_set.instigator.cdhash`	`additional.fields[od_group_set_instigator_cdhash]`
`event.od_group_set.instigator.is_platform_binary`	`additional.fields[od_group_set_instigator_is_platform_binary]`
`event.od_group_set.instigator.is_es_client`	`additional.fields[od_group_set_instigator_is_es_client]`
`event.od_group_set.instigator.group_id`	`additional.fields[od_group_set_instigator_group_id]`
`event.od_group_set.instigator.original_ppid`	`additional.fields[od_group_set_instigator_original_pp]`
`event.od_group_set.instigator.session_id`	`additional.fields[od_group_set_instigator_session_id]`
`event.od_group_set.group_name`	`target.group.group_display_name`
`event.od_group_set.member.member_array`	`target.user.user_display_name`
`event.od_group_set.instigator_token.euid`	`principal.user.userid`
`event.od_group_set.db_path`	`additional.fields[od_group_set_db_path]`
`event.od_group_set.node_name`	`additional.fields[od_group_set_node_name]`
`event.od_group_set.error_code`	`additional.fields[od_group_set_error_code]`

`event_type: od_modify_password`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_modify_password`.
	`metadata.description`	`A group has a member initialized or replaced using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_CHANGE_PASSWORD`.
`event.od_modify_password.instigator.audit_token.euid`	`principal.process.euid`
`event.od_modify_password.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_modify_password.instigator.audit_token.egid`	`principal.process.egid`
`event.od_modify_password.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_modify_password.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_modify_password.instigator.audit_token.pid`	`principal.process.pid`
`event.od_modify_password.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_modify_password.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_modify_password.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_modify_password.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_modify_password.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_modify_password.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_modify_password.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_modify_password.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_modify_password.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_modify_password.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_modify_password.instigator.executable.path`	`principal.process.file.full_path`
`event.od_modify_password.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_modify_password.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_modify_password.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_modify_password.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_modify_password.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_modify_password.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_modify_password.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_modify_password.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_modify_password.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_modify_password.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_modify_password.instigator.signing_id`	`additional.fields[od_modify_password_instigator_signing_id]`
`event.od_modify_password.instigator.team_id`	`additional.fields[od_modify_password_instigator_team_id]`
`event.od_modify_password.instigator.ppid`	`additional.fields[od_modify_password_instigator_ppid]`
`event.od_modify_password.instigator.codesigning_flags`	`additional.fields[od_modify_password_instigator_codesigning_flags]`
`event.od_modify_password.instigator.cdhash`	`additional.fields[od_modify_password_instigator_cdhash]`
`event.od_modify_password.instigator.is_platform_binary`	`additional.fields[od_modify_password_instigator_is_platform_binary]`
`event.od_modify_password.instigator.is_es_client`	`additional.fields[od_modify_password_instigator_is_es_client]`
`event.od_modify_password.instigator.group_id`	`additional.fields[od_modify_password_instigator_group_id]`
`event.od_modify_password.instigator.original_ppid`	`additional.fields[od_modify_password_instigator_original_pp]`
`event.od_modify_password.instigator.session_id`	`additional.fields[od_modify_password_instigator_session_id]`
`event.od_modify_password.account_name`	`target.user.user_display_name`
`event.od_modify_password.instigator_token.euid`	`principal.user.userid`
`event.od_modify_password.db_path`	`additional.fields[od_modify_password_db_path]`
`event.od_modify_password.node_name`	`additional.fields[od_modify_password_node_name]`
`event.od_modify_password.error_code`	`additional.fields[od_modify_password_error_code]`

`event_type: openssh_login`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_login`.
	`metadata.description`	`A user has logged into the system via OpenSSH.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SSH`.
`event.openssh_login.source_address`	`src.ip`
`event.openssh_login.uid`	`target.user.userid`
`openssh_login.username`	`target.user.user_display_name`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`.
`event.openssh_login.success`	`security_result.category`	If the `event.openssh_login.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: openssh_logout`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_logout`.
	`metadata.description`	`A user has logged out of an OpenSSH session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SSH`.
`event.openssh_logout.source_address`	`src.ip`
`event.openssh_logout.uid`	`target.user.userid`
`openssh_logout.username`	`target.user.user_display_name`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`.

`event_type: profile_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_logout`.
	`metadata.description`	`A configuration profile is installed on the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SETTING_CREATION`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `SETTING`.
`event.profile_add.instigator.audit_token.euid`	`principal.process.euid`
`event.profile_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.profile_add.instigator.audit_token.egid`	`principal.process.egid`
`event.profile_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.profile_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.profile_add.instigator.audit_token.pid`	`principal.process.pid`
`event.profile_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.profile_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.profile_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.profile_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.profile_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.profile_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.profile_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.profile_add.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.profile_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.profile_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.profile_add.instigator.executable.path`	`principal.process.file.full_path`
`event.profile_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.profile_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.profile_add.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.profile_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.profile_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.profile_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.profile_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.profile_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.profile_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.profile_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.profile_add.instigator.signing_id`	`additional.fields[profile_add_instigator_signing_id]`
`event.profile_add.instigator.team_id`	`additional.fields[profile_add_instigator_team_id]`
`event.profile_add.instigator.ppid`	`additional.fields[profile_add_instigator_ppid]`
`event.profile_add.instigator.codesigning_flags`	`additional.fields[profile_add_instigator_codesigning_flags]`
`event.profile_add.instigator.cdhash`	`additional.fields[profile_add_instigator_cdhash]`
`event.profile_add.instigator.is_platform_binary`	`additional.fields[profile_add_instigator_is_platform_binary]`
`event.profile_add.instigator.is_es_client`	`additional.fields[profile_add_instigator_is_es_client]`
`event.profile_add.instigator.group_id`	`additional.fields[profile_add_instigator_group_id]`
`event.profile_add.instigator.original_ppid`	`additional.fields[profile_add_instigator_original_pp]`
`event.profile_add.instigator.session_id`	`additional.fields[profile_add_instigator_session_id]`
`event.profile_add.profile.scope`	`target.resource.resource_subtype`
`event.profile_add.profile.uuid`	`target.resource.product_object_id`
`event.profile_add.profile.display_name`	`target.resource.name`
`event.profile_add.is_update`	`additional.fields[profile_add_is_update]`
`event.profile_add.profile.identifier`	`additional.fields[profile_add_profile_identifier]`
`event.profile_add.profile.install_source`	`additional.fields[profile_add_profile_install_source]`
`event.profile_add.profile.organization`	`additional.fields[profile_add_profile_organization]`

`event_type: profile_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_logout`.
	`metadata.description`	`A configuration profile is removed from the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SETTING_DELETION`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `SETTING`.
`event.profile_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.profile_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.profile_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.profile_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.profile_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.profile_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.profile_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.profile_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.profile_remove.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.profile_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.profile_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.profile_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.profile_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.profile_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.profile_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.profile_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.profile_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.profile_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.profile_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.profile_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.profile_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.profile_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.profile_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.profile_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.profile_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.profile_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.profile_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.profile_remove.instigator.signing_id`	`additional.fields[profile_remove_instigator_signing_id]`
`event.profile_remove.instigator.team_id`	`additional.fields[profile_remove_instigator_team_id]`
`event.profile_remove.instigator.ppid`	`additional.fields[profile_remove_instigator_ppid]`
`event.profile_remove.instigator.codesigning_flags`	`additional.fields[profile_remove_instigator_codesigning_flags]`
`event.profile_remove.instigator.cdhash`	`additional.fields[profile_remove_instigator_cdhash]`
`event.profile_remove.instigator.is_platform_binary`	`additional.fields[profile_remove_instigator_is_platform_binary]`
`event.profile_remove.instigator.is_es_client`	`additional.fields[profile_remove_instigator_is_es_client]`
`event.profile_remove.instigator.group_id`	`additional.fields[profile_remove_instigator_group_id]`
`event.profile_remove.instigator.original_ppid`	`additional.fields[profile_remove_instigator_original_pp]`
`event.profile_remove.instigator.session_id`	`additional.fields[profile_remove_instigator_session_id]`
`event.profile_remove.profile.scope`	`target.resource.resource_subtype`
`event.profile_remove.profile.uuid`	`target.resource.product_object_id`
`event.profile_remove.profile.display_name`	`target.resource.name`
`event.profile_remove.is_update`	`additional.fields[profile_remove_is_update]`
`event.profile_remove.profile.identifier`	`additional.fields[profile_remove_profile_identifier]`
`event.profile_remove.profile.install_source`	`additional.fields[profile_remove_profile_install_source]`
`event.profile_remove.profile.organization`	`additional.fields[profile_remove_profile_organization]`

`event_type: sudo`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `sudo`.
	`metadata.description`	`A sudo attempt occurred.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.sudo.reject_info.plugin_name`	`additional.fields[sudo_reject_info_plugin_name]`
`event.sudo.reject_info.failure_message`	`additional.fields[sudo_reject_info_failure_message]`
`event.sudo.reject_info.plugin_type`	`additional.fields[sudo_reject_info_plugin_type]`
`event.sudo.from_uid`	`principal.user.userid`
`event.sudo.from_username`	`principal.user.user_display_name`
`event.sudo.command`	`target.process.command_line`
`event.sudo.to_uid`	`target.user.userid`
`event.sudo.to_username`	`target.user.user_display_name`
`event.sudo.success`	`security_result.category`	If the `event.sudo.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: system_performance`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `system_performance`.
	`metadata.description`	`Event occurs on a regular interval to collect application performance data.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.performance.metrics.hw_model`	`additional.fields[performance_metrics_hw_model]`
`event.performance.page_info.page`	`additional.fields[performance_page_info_page]`
`udm.performance.page_info.total`	`additional.fields[performance_page_info_total]`
`event.performance.metrics.tasks.name`	`additional.fields[task_name]`
`event.performance.metrics.tasks.energy_impact`	`additional.fields[task_energy_impact]`

`event_type: unmount`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `unmount`.
	`metadata.description`	`A file system has been unmounted.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.unmount.statfs.f_owner`	`target.user.userid`
`event.unmount.device.size`	`target.file.size`
`event.unmount.statfs.f_fstypename`	`target.resource.resource_subtype`
`event.unmount.statfs.f_mntfromname`	`target.resource.name`
`event.unmount.device.protocol`	`additional.fields[unmount_device_protocol]`
`event.unmount.device.serial_number`	`target.asset.hardware.serial_number`	If the `event.unmount.device.serial_number` log field value is `not empty` or the `event.unmount.device.vendor_name` log field value is `not empty` or the `event.unmount.device.device_model` log field value is `not empty` then, `event.unmount.device.serial_number` log field is mapped to the `target.asset.hardware.serial_number` UDM field.
`event.unmount.device.device_model`	`target.asset.hardware.model`	If the `event.unmount.device.serial_number` log field value is `not empty` or the `event.unmount.device.vendor_name` log field value is `not empty` or the `event.unmount.device.device_model` log field value is `not empty` then, `event.unmount.device.device_model` log field is mapped to the `target.asset.hardware.model` UDM field.
`event.unmount.device.vendor_name`	`target.asset.hardware.manudacturer`	If the `event.unmount.device.serial_number` log field value is `not empty` or the `event.unmount.device.vendor_name` log field value is `not empty` or the `event.unmount.device.device_model` log field value is `not empty` then, `event.unmount.device.vendor_name` log field is mapped to the `target.asset.hardware.manufacturer` UDM field.

還有其他問題嗎？向社群成員和 Google SecOps 專家尋求解答。

收集 Jamf Protect 遙測資料 V2 記錄

事前準備

在 Google SecOps 中設定動態饋給，以便擷取 Jamf Protect Telemetry 第 2 版記錄

使用 Amazon S3 在 Google SecOps 中設定擷取動態饋給

使用 webhook 在 Google SecOps 中設定擷取動態饋給

為 webhook 動態饋給建立 API 金鑰

為 Webhook 動態饋給設定 Jamf Protect Telemetry V2

欄位對應參考資料

欄位對應參考資料：事件 ID 與事件類型

欄位對應參考資料：JAMF_TELEMETRY_V2 - 常用欄位

欄位對應參考資料：將原始記錄欄位對應至 event_type 的 UDM 欄位。

event_type: remount

event_type: screensharing_attach

event_type: su

event_type: settime

event_type: screensharing_detach

event_type: xp_malware_remediated

event_type: xp_malware_detected

event_type: authentication

event_type: btm_launch_item_add

event_type: btm_launch_item_remove

event_type: chroot

event_type: exec

event_type: file_collection

event_type: kextload

event_type: kextunload

event_type: log_collection

event_type: login_login

event_type: login_logout

event_type: lw_session_login

event_type: bios_uefi

event_type: cs_invalidated

event_type: gatekeeper_user_override

event_type: lw_session_unlock

event_type: lw_session_lock

event_type: lw_session_logout

event_type: mount

event_type: od_attribute_set

event_type: od_attribute_value_add

event_type: od_attribute_value_remove

event_type: od_create_group

event_type: od_delete_group

event_type: od_create_user

event_type: od_delete_user

event_type: od_disable_user

event_type: od_enable_user

event_type: od_group_add

event_type: od_group_remove

event_type: od_group_set

event_type: od_modify_password

event_type: openssh_login

event_type: openssh_logout

event_type: profile_add

event_type: profile_remove

event_type: sudo

event_type: system_performance

event_type: unmount