Collect osquery logs
This document describes how you can collect osquery logs by configuring osquery and a Google Security Operations forwarder. This document also lists the supported log types and supported osquery versions.
For more information, see Data ingestion to Google Security Operations.
Overview
The following deployment architecture diagram shows how osquery agents and Fleet server are configured to send logs to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.
The architecture diagram shows the following components:
Linux system: The Linux system to be monitored in which the osquery agent is installed
Microsoft Windows system: The Microsoft Windows system to be monitored in which the osquery agent is installed
Mac system: The Mac system to be monitored in which the osquery agent is installed
osquery agent: Collects information from the Microsoft Windows, Linux, or Mac system and forwards the information to the Fleet server
Fleet server: Monitors and receives information from the osquery agents, analyzes the logs, and forwards the logs to the Google Security Operations forwarder
Google Security Operations forwarder: A lightweight software component, deployed in the customer's network to forward the logs to Google Security Operations
Google Security Operations: Retains and analyzes the logs from the Fleet server
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with OSQUERY_EDR ingestion label.
Before you begin
Install Fleet server. To install Fleet server, do the following:
Use an osquery version that the Google Security Operations parser supports, that is, 5.2.3 and 5.3.0.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Ensure that the table names in Fleet are as per the official Fleet documentation.
Configure osquery agent, server, and Google Security Operations forwarder
To configure the Fleet server and Google Security Operations forwarder, do the following:
To configure the Fleet server, do the following:
Add hosts to Fleet server and install osquery agent. You can add your host to Fleet server with an osquery installer. Fleet server helps generate an osquery installer with the fleetctl package command.
- Execute the fleetctl package command by installing the fleetctl command-line tool.
- Install osquery agent by using the fleetctl package command.
When you install the generated osquery installer on a host, the host automatically enrolls in the specified Fleet instance.
Fetch the logs from osquery agent. To create a query in Fleet for fetching the logs, see Create a query and to schedule a query, see Schedule a query.
Configure Google Security Operations forwarder on a central Linux device to push the logs into the Google Security Operations system. For more information, visit Installing and configuring the forwarder on Linux. The following is an example of a Google SecOps forwarder configuration:
- file: common: enabled: true data_type: OSQUERY_EDR batch_n_seconds: 10 batch_n_bytes: 1048576 skip_seek_to_end: true file_path: <log_file_path>
Field mapping reference
This section explains how the Google Security Operations parser maps osquery log fields to Google Security Operations Unified Data Model (UDM) fields for the schema and operating system. For more information, see osquery schema for version 5.2.3 and version 5.3.0.
account_policy_data
The following table lists the log fields and corresponding UDM mappings for the schema account_policy_data and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| uid | principal.user.userid |
| creation_time | principal.user.attribute.creation_time |
| failed_login_count | principal.user.attribute.labels.key/value |
| failed_login_timestamp | principal.user.attribute.labels.key/value |
| password_last_set_time | principal.user.attribute.labels.key/value |
ad_config
The following table lists the log fields and corresponding UDM mappings for the schema ad_config and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | about.labels.key/value |
| domain | target.administrative_domain |
| option | about.labels.key |
| value | about.labels.value |
alf
The following table lists the log fields and corresponding UDM mappings for the schema alf and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| allow_signed_enabled | about.labels.key/value |
| firewall_unload | about.labels.key/value |
| global_state | about.labels.key/value |
| logging_enabled | about.labels.key/value |
| logging_option | about.labels.key/value |
| stealth_enabled | about.labels.key/value |
| version | target.platform_version |
alf_exceptions
The following table lists the log fields and corresponding UDM mappings for the schema alf_exceptions and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| state | about.labels.key/value |
alf_explicit_auths
The following table lists the log fields and corresponding UDM mappings for the schema alf_explicit_auths and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| process | target.process.pid |
app_schemes
The following table lists the log fields and corresponding UDM mappings for the schema app_schemes and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| scheme | about.labels.key/value |
| handler | about.labels.key/value |
| enabled | about.labels.key/value |
| external | about.labels.key/value |
| protected | about.labels.key/value |
apparmor_events
The following table lists the log fields and corresponding UDM mappings for the schema apparmor_events and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| type | about.labels.key/value |
| message | metadata.description |
| time | about.labels.key/value |
| uptime | about.labels.key/value |
| eid | security_result.rule_id |
| apparmor | security_result.action |
| operation | about.labels.key/value |
| parent | target.process.parent_process.pid |
| profile | about.labels.key/value |
| name | about.labels.key/value |
| pid | target.process.pid |
| comm | target.process.command_line |
| denied_mask | about.labels.key/value |
| capname | about.labels.key/value |
| fsuid | target.user.attribute.labels.key/value |
| ouid | target.user.attribute.labels.key/value |
| capability | about.labels.key/value |
| requested_mask | target.process.access_mask |
| info | about.labels.key/value |
| error | security_result.summary |
| namespace | about.labels.key/value |
| label | about.labels.key/value |
apparmor_profiles
The following table lists the log fields and corresponding UDM mappings for the schema apparmor_profiles and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| name | target.resource.name |
| attach | about.labels.key/value |
| mode | about.labels.key/value |
| sha1 | target.file.sha1 |
apps
The following table lists the log fields and corresponding UDM mappings for the schema apps and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | target.application |
| path | target.file.full_path |
| bundle_executable | about.labels.key/value |
| bundle_identifier | target.resource.product_object_id |
| bundle_name | target.resource.name |
| bundle_short_version | target.resource.attribute.labels.key/value |
| bundle_version | target.resource.attribute.labels.key/value |
| bundle_package_type | about.labels.key/value |
| environment | about.labels.key/value |
| element | about.labels.key/value |
| compiler | about.labels.key/value |
| development_region | about.location.country_or_region |
| display_name | about.labels.key/value |
| info_string | about.labels.key/value |
| minimum_system_version | about.labels.key/value |
| category | about.labels.key/value |
| applescript_enabled | about.labels.key/value |
| copyright | about.labels.key/value |
| last_opened_time | target.file.last_seen_time |
asl
The following table lists the log fields and corresponding UDM mappings for the schema asl and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| time | about.labels.key/value |
| time_nano_sec | about.labels.key/value |
| host | target.hostname |
| sender | about.labels.key/value |
| facility | about.labels.key/value |
| pid | target.process.pid |
| gid | target.user.group_identifiers |
| uid | target.user.userid |
| level | about.labels.key/value |
| message | metadata.description |
| ref_pid | about.labels.key/value |
| ref_proc | about.labels.key/value |
| extra | about.labels.key/value |
authenticode
The following table lists the log fields and corresponding UDM mappings for the schema authenticode and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| original_program_name | about.labels.key/value |
| serial_number | network.tls.client.certificate.serial |
| issuer_name | network.tls.client.certificate.issuer |
| subject_name | network.tls.client.certificate.subject |
| result | security_result.summary |
authorization_mechanisms
The following table lists the log fields and corresponding UDM mappings for the schema authorization_mechanisms and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| label | about.labels.key/value |
| plugin | about.labels.key/value |
| mechanism | about.labels.key/value |
| privileged | about.labels.key/value |
| entry | about.labels.key/value |
authorizations
The following table lists the log fields and corresponding UDM mappings for the schema authorizations and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| label | about.labels.key/value |
| modified | about.labels.key/value |
| allow_root | about.labels.key/value |
| timeout | about.labels.key/value |
| version | about.labels.key/value |
| tries | about.labels.key/value |
| authenticate_user | about.labels.key/value |
| shared | about.labels.key/value |
| comment | about.labels.key/value |
| created | about.labels.key/value |
| class | about.labels.key/value |
| session_owner | about.labels.key/value |
autoexec
The following table lists the log fields and corresponding UDM mappings for the schema autoexec and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| name | target.application |
| source | target.resource.name |
bitlocker_info
The following table lists the log fields and corresponding UDM mappings for the schema bitlocker_info and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| device_id | target.resource.product_object_id |
| drive_letter | target.resource.name |
| persistent_volume_id | about.labels.key/value |
| conversion_status | target.resource.attirbute.labels.key/value |
| protection_status | target.resource.attirbute.labels.key/value |
| encryption_method | target.resource.attirbute.labels.key/value |
| version | metadata.product_version |
| percentage_encrypted | target.resource.attirbute.labels.key/value |
| lock_status | target.resource.attirbute.labels.key/value |
bpf_process_events
The following table lists the log fields and corresponding UDM mappings for the schema bpf_process_events and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| tid | about.labels.key/value |
| pid | target.process.pid |
| parent | target.process.parent_process.pid |
| uid | principal.user.userid |
| gid | principal.group.product_object_id |
| cid | about.labels.key/value |
| exit_code | about.labels.key/value |
| probe_error | about.labels.key/value |
| syscall | about.labels.key/value |
| path | target.process.file.full_path |
| cwd | about.labels.key/value |
| cmdline | target.process.command_line |
| duration | about.labels.key/value |
| json_cmdline | about.labels.key/value |
| ntime | about.labels.key/value |
| time | about.labels.key/value |
| eid | metadata.product_log_id |
bpf_socket_events
The following table lists the log fields and corresponding UDM mappings for the schema bpf_socket_events and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| tid | about.labels.key/value |
| pid | principal.process.pid |
| parent | principal.process.parent_process.pid |
| uid | principal.user.userid |
| gid | principal.group.product_object_id |
| cid | about.labels.key/value |
| exit_code | about.labels.key/value |
| probe_error | about.labels.key/value |
| syscall | about.labels.key/value |
| path | target.file.full_path |
| fd | about.labels.key/value |
| family | about.labels.key/value |
| type | about.labels.key/value |
| protocol | about.labels.key/value |
| local_address | principal.ip |
| remote_address | target.ip |
| local_port | principal.port |
| remote_port | target.port |
| duration | about.labels.key/value |
| ntime | about.labels.key/value |
| time | about.labels.key/value |
| eid | metadata.product_log_id |
certificates
The following table lists the log fields and corresponding UDM mappings for the schema certificates and OS macOS, Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| common_name | about.labels.key/value |
| subject | network.tls.client.certificate.subject |
| issuer | network.tls.client.certificate.issuer |
| ca | about.labels.key/value |
| self_signed | about.labels.key/value |
| not_valid_before | network.tls.client.certificate.not_before |
| not_valid_after | network.tls.client.certificate.not_after |
| signing_algorithm | about.labels.key/value |
| key_algorithm | about.labels.key/value |
| key_strength | about.labels.key/value |
| key_usage | about.labels.key/value |
| subject_key_id | about.labels.key/value |
| authority_key_id | about.labels.key/value |
| sha1 | network.tls.client.certificate.sha1 |
| path | about.labels.key/value |
| serial | network.tls.client.certificate.serial |
| sid | about.labels.key/value |
| store_location | about.labels.key/value |
| store | about.labels.key/value |
| username | principal.user.user_display_name |
| store_id | about.labels.key/value |
chassis_info
The following table lists the log fields and corresponding UDM mappings for the schema chassis_info and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| audible_alarm | about.labels.key/value |
| breach_description | security_result.description |
| chassis_types | about.labels.key/value |
| description | metadata.description |
| lock | about.labels.key/value |
| manufacturer | principal.asset.hardware.manufacturer |
| model | principal.asset.hardware.model |
| security_breach | security_result.detection_fields.key/value |
| serial | principal.asset.hardware.serial_number |
| smbios_tag | about.labels.key/value |
| sku | about.labels.key/value |
| status | about.labels.key/value |
| visible_alarm | about.labels.key/value |
chrome_extensions
The following table lists the log fields and corresponding UDM mappings for the schema chrome_extensions and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| browser_type | target.resource.attribute.labels.key/value |
| uid | principal.user.userid |
| name | target.resource.name |
| profile | target.resource.attribute.labels.key/value |
| profile_path | target.resource.attribute.labels.key/value |
| referenced_identifier | target.resource.attribute.labels.key/value |
| identifier | target.resource.attribute.labels.key/value |
| version | target.resource.attribute.labels.key/value |
| description | target.resource.attribute.labels.key/value |
| default_locale | target.resource.attribute.labels.key/value |
| current_locale | target.resource.attribute.labels.key/value |
| update_url | network.http.referral_url |
| author | target.resource.attribute.labels.key/value |
| persistent | target.resource.attribute.labels.key/value |
| path | target.file.full_path |
| permissions | target.resource.attribute.labels.key/value |
| permissions_json | target.resource.attribute.labels.key/value |
| optional_permissions | target.resource.attribute.labels.key/value |
| optional_permissions_json | target.resource.attribute.labels.key/value |
| manifest_hash | target.resource.attribute.labels.key/value |
| referenced | target.resource.attribute.labels.key/value |
| from_webstore | target.resource.attribute.labels.key/value |
| state | target.resource.attribute.labels.key/value |
| install_time | target.resource.attribute.labels.key/value |
| install_timestamp | target.resource.attribute.labels.key/value |
| manifest_json | target.resource.attribute.labels.key/value |
| key | target.resource.attribute.labels.key/value |
connectivity
The following table lists the log fields and corresponding UDM mappings for the schema connectivity and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| disconnected | about.labels.key/value |
| ipv4_no_traffic | about.labels.key/value |
| ipv6_no_traffic | about.labels.key/value |
| ipv4_subnet | about.labels.key/value |
| ipv4_local_network | about.labels.key/value |
| ipv4_internet | about.labels.key/value |
| ipv6_subnet | about.labels.key/value |
| ipv6_local_network | about.labels.key/value |
| ipv6_internet | about.labels.key/value |
cpu_info
The following table lists the log fields and corresponding UDM mappings for the schema cpu_info and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| device_id | principal.asset.product_object_id |
| model | principal.asset.hardware.model |
| manufacturer | principal.asset.hardware.manufacturer |
| processor_type | about.labels.key/value |
| availability | about.labels.key/value |
| cpu_status | about.labels.key/value |
| number_of_cores | principal.asset.hardware.cpu_number_cores |
| logical_processors | about.labels.key/value |
| address_width | about.labels.key/value |
| current_clock_speed | principal.asset.hardware.cpu_clock_speed |
| max_clock_speed | principal.asset.hardware.cpu_max_clock_speed |
| socket_designation | about.labels.key/value |
crashes
The following table lists the log fields and corresponding UDM mappings for the schema crashes and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| type | about.labels.key/value |
| pid | target.process.pid |
| path | target.process.file.full_path |
| crash_path | target.file.full_path |
| identifier | about.labels.key/value |
| version | about.labels.key/value |
| parent | target.process.parent_process.pid |
| responsible | about.labels.key/value |
| uid | target.user.userid |
| datetime | metadata.event_timestamp |
| crashed_thread | about.labels.key/value |
| stack_trace | about.labels.key/value |
| exception_type | about.labels.key/value |
| exception_codes | about.labels.key/value |
| exception_notes | about.labels.key/value |
| registers | about.labels.key/value |
crontab
The following table lists the log fields and corresponding UDM mappings for the schema crontab and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| event | about.labels.key/value |
| minute | about.labels.key/value |
| hour | about.labels.key/value |
| day_of_month | about.labels.key/value |
| month | about.labels.key/value |
| day_of_week | about.labels.key/value |
| command | principal.process.command_line |
| path | principal.process.file.full_path |
| pid_with_namespace | about.labels.key/value |
curl
The following table lists the log fields and corresponding UDM mappings for the schema curl and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| url | network.http.referral_url |
| method | network.http.method |
| user_agent | network.http.user_agent |
| response_code | network.http.response_code |
| round_trip_time | network.session_duration |
| bytes | network.received_bytes |
| result | about.labels.key/value |
curl_certificate
The following table lists the log fields and corresponding UDM mappings for the schema curl_certificate and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| hostname | principal.hostname |
| common_name | about.labels.key/value |
| organization | network.organization_name |
| organization_unit | about.labels.key/value |
| serial_number | network.tls.server.certificate.serial |
| issuer_common_name | about.labels.key/value |
| issuer_organization | network.tls.server.certificate.issuer |
| issuer_organization_unit | about.labels.key/value |
| valid_from | network.tls.server.certificate.not_before |
| valid_to | network.tls.server.certificate.not_after |
| sha256_fingerprint | network.tls.server.certificate.sha256 |
| sha1_fingerprint | network.tls.server.certificate.sha1 |
| version | network.tls.server.certificate.version |
| signature_algorithm | about.labels.key/value |
| signature | about.labels.key/value |
| subject_key_identifier | about.labels.key/value |
| authority_key_identifier | about.labels.key/value |
| key_usage | about.labels.key/value |
| extended_key_usage | about.labels.key/value |
| policies | about.labels.key/value |
| subject_alternative_names | about.labels.key/value |
| issuer_alternative_names | about.labels.key/value |
| info_access | about.labels.key/value |
| subject_info_access | about.labels.key/value |
| policy_mappings | about.labels.key/value |
| has_expired | about.labels.key/value |
| basic_constraint | about.labels.key/value |
| name_constraints | about.labels.key/value |
| policy_constraints | about.labels.key/value |
| dump_certificate | about.labels.key/value |
| timeout | about.labels.key/value |
| pem | about.labels.key/value |
device_file
The following table lists the log fields and corresponding UDM mappings for the schema device_file and OS Linux, macOS, freebsd, Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| device | about.labels.key/value |
| partition | about.labels.key/value |
| path | target.file.full_path |
| filename | target.file.names |
| inode | about.labels.key/value |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| mode | about.labels.key/value |
| size | target.file.size |
| block_size | about.labels.key/value |
| atime | about.labels.key/value |
| mtime | target.file.last_modification_time |
| ctime | about.labels.key/value |
| hard_links | about.labels.key/value |
| type | about.labels.key/value |
device_hash
The following table lists the log fields and corresponding UDM mappings for the schema device_hash and OS Linux, macOS, freebsd, Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| device | target.file.full_path |
| partition | about.labels.key/value |
| inode | about.labels.key/value |
| md5 | target.file.md5 |
| sha1 | target.file.sha1 |
| sha256 | target.file.sha56 |
disk_info
The following table lists the log fields and corresponding UDM mappings for the schema disk_info and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| partitions | principal.asset.attribute.labels.key/value |
| disk_index | principal.asset.attribute.labels.key/value |
| type | principal.asset.attribute.labels.key/value |
| id | principal.asset.product_object_id |
| pnp_device_id | about.labels.key/value |
| disk_size | principal.asset.attribute.labels.key/value |
| manufacturer | principal.asset.hardware.manufacturer |
| hardware_model | principal.asset.hardware.model |
| name | principal.asset.attribute.labels.key/value |
| serial | principal.asset.hardware.serial_number |
| description | principal.asset.attribute.labels.key/value |
dns_cache
The following table lists the log fields and corresponding UDM mappings for the schema dns_cache and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | network.dns.additional.name |
| type | about.labels.key/value |
| flags | about.labels.key/value |
dns_resolvers
The following table lists the log fields and corresponding UDM mappings for the schema dns_resolvers and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| id | about.labels.key/value |
| type | about.labels.key/value |
| address | principal.ip |
| netmask | about.labels.key/value |
| options | about.labels.key/value |
| pid_with_namespace | about.labels.key/value |
docker_container_networks
The following table lists the log fields and corresponding UDM mappings for the schema docker_container_networks and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| id | target.asset.product_object_id |
| name | network.carrier_name |
| network_id | about.labels.key/value |
| endpoint_id | about.labels.key/value |
| gateway | about.labels.key/value |
| ip_address | target.ip |
| ip_prefix_len | about.labels.key/value |
| ipv6_gateway | about.labels.key/value |
| ipv6_address | target.ip |
| ipv6_prefix_len | about.labels.key/value |
| mac_address | target.mac |
docker_container_ports
The following table lists the log fields and corresponding UDM mappings for the schema docker_container_ports and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| id | target.asset.product_object_id |
| type | network.ip_protocol |
| port | target.port |
| host_ip | principal.ip |
| host_port | principal.port |
docker_container_processes
The following table lists the log fields and corresponding UDM mappings for the schema docker_container_processes and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| id | target.asset.product_object_id |
| pid | target.process.pid |
| name | target.process.file.full_path |
| cmdline | target.process.command_line |
| state | about.labels.key/value |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| euid | target.user.attribute.labels.key/value |
| egid | target.group.attribute.labels.key/value |
| suid | target.user.attribute.labels.key/value |
| sgid | target.group.attribute.labels.key/value |
| wired_size | about.labels.key/value |
| resident_size | about.labels.key/value |
| total_size | about.labels.key/value |
| start_time | about.labels.key/value |
| parent | target.process.parent_process.pid |
| pgroup | about.labels.key/value |
| threads | about.labels.key/value |
| nice | about.labels.key/value |
| user | target.user.user_display_name |
| time | about.labels.key/value |
| cpu | about.labels.key/value |
| mem | about.labels.key/value |
docker_container_stats
The following table lists the log fields and corresponding UDM mappings for the schema docker_container_stats and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| id | target.resource.product_object_id |
| name | target.resource.name |
| pids | about.labels.key/value |
| read | about.labels.key/value |
| preread | about.labels.key/value |
| interval | about.labels.key/value |
| disk_read | about.labels.key/value |
| disk_write | about.labels.key/value |
| num_procs | about.labels.key/value |
| cpu_total_usage | about.labels.key/value |
| cpu_kernelmode_usage | about.labels.key/value |
| cpu_usermode_usage | about.labels.key/value |
| system_cpu_usage | about.labels.key/value |
| online_cpus | about.labels.key/value |
| pre_cpu_total_usage | about.labels.key/value |
| pre_cpu_kernelmode_usage | about.labels.key/value |
| pre_cpu_usermode_usage | about.labels.key/value |
| pre_system_cpu_usage | about.labels.key/value |
| pre_online_cpus | about.labels.key/value |
| memory_usage | about.labels.key/value |
| memory_max_usage | about.labels.key/value |
| memory_limit | about.labels.key/value |
| network_rx_bytes | about.labels.key/value |
| network_tx_bytes | about.labels.key/value |
docker_info
The following table lists the log fields and corresponding UDM mappings for the schema docker_info and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| id | target.resource.product_object_id |
| containers | about.labels.key/value |
| containers_running | about.labels.key/value |
| containers_paused | about.labels.key/value |
| containers_stopped | about.labels.key/value |
| images | about.labels.key/value |
| storage_driver | about.labels.key/value |
| memory_limit | about.labels.key/value |
| swap_limit | about.labels.key/value |
| kernel_memory | about.labels.key/value |
| cpu_cfs_period | about.labels.key/value |
| cpu_cfs_quota | about.labels.key/value |
| cpu_shares | about.labels.key/value |
| cpu_set | about.labels.key/value |
| ipv4_forwarding | about.labels.key/value |
| bridge_nf_iptables | about.labels.key/value |
| bridge_nf_ip6tables | about.labels.key/value |
| oom_kill_disable | about.labels.key/value |
| logging_driver | about.labels.key/value |
| cgroup_driver | about.labels.key/value |
| kernel_version | about.labels.key/value |
| os | about.labels.key/value |
| os_type | target.platform(enum) |
| architecture | about.labels.key/value |
| cpus | about.labels.key/value |
| memory | about.labels.key/value |
| http_proxy | about.labels.key/value |
| https_proxy | about.labels.key/value |
| no_proxy | about.labels.key/value |
| name | target.hostname |
| server_version | target.platform_version |
| root_dir | target.file.full_path |
docker_network_labels
The following table lists the log fields and corresponding UDM mappings for the schema docker_network_labels and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| id | target.resource.product_object_id |
| key | target.resource.attribute.labels.key/value |
| value | about.labels.key/value |
docker_networks
The following table lists the log fields and corresponding UDM mappings for the schema docker_networks and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| id | target.resource.product_object_id |
| name | about.labels.key/value |
| driver | about.labels.key/value |
| created | target.resource.attribute.creation_time |
| enable_ipv6 | about.labels.key/value |
| subnet | about.labels.key/value |
| gateway | about.labels.key/value |
ec2_instance_metadata
The following table lists the log fields and corresponding UDM mappings for the schema ec2_instance_metadata and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| instance_id | target.resource.product_object_id |
| instance_type | about.labels.key/value |
| architecture | about.labels.key/value |
| region | target.location.country_or_region |
| availability_zone | about.labels.key/value |
| local_hostname | target.hostname |
| local_ipv4 | target.ip |
| mac | target.mac |
| security_groups | about.labels.key/value |
| iam_arn | about.labels.key/value |
| ami_id | about.labels.key/value |
| reservation_id | about.labels.key/value |
| account_id | target.user.userid |
| ssh_public_key | about.labels.key/value |
es_process_events
The following table lists the log fields and corresponding UDM mappings for the schema es_process_events and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| version | target.platform_version |
| seq_num | about.labels.key/value |
| global_seq_num | about.labels.key/value |
| pid | target.process.pid |
| path | target.process.file.full_path |
| parent | target.process.parent_process.pid |
| original_parent | about.labels.key/value |
| cmdline | target.process.command_line |
| cmdline_count | about.labels.key/value |
| env | about.labels.key/value |
| env_count | about.labels.key/value |
| cwd | about.labels.key/value |
| uid | target.user.userid |
| euid | about.labels.key/value |
| gid | target.group.product_object_id |
| egid | about.labels.key/value |
| username | target.user.user_display_name |
| signing_id | about.labels.key/value |
| team_id | about.labels.key/value |
| cdhash | about.labels.key/value |
| platform_binary | about.labels.key/value |
| exit_code | about.labels.key/value |
| child_pid | about.labels.key/value |
| time | about.labels.key/value |
| event_type | about.labels.key/value |
| eid | metadata.product_log_id |
etc_hosts
The following table lists the log fields and corresponding UDM mappings for the schema etc_hosts and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| address | target.ip |
| hostnames | about.hostname |
| pid_with_namespace | about.labels.key/value |
etc_protocols
The following table lists the log fields and corresponding UDM mappings for the schema etc_protocols and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | network.ip_protocol |
| number | about.labels.key/value |
| alias | about.labels.key/value |
| comment | about.labels.key/value |
etc_services
The following table lists the log fields and corresponding UDM mappings for the schema etc_services and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | target.resource.name |
| port | target.port |
| protocol | network.ip_protocol |
| aliases | about.labels.key/value |
| comment | about.labels.key/value |
file
The following table lists the log fields and corresponding UDM mappings for the schema file and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| directory | about.labels.key/value |
| filename | target.file.names |
| inode | about.labels.key/value |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| mode | about.labels.key/value |
| device | target.asset.asset_id |
| size | target.file.size |
| block_size | about.labels.key/value |
| atime | target.file.last_seen_time |
| mtime | target.file.last_modification_time |
| ctime | about.labels.key/value |
| btime | about.labels.key/value |
| hard_links | about.labels.key/value |
| symlink | about.labels.key/value |
| type | about.labels.key/value |
| attributes | about.labels.key/value |
| volume_serial | about.labels.key/value |
| file_id | about.labels.key/value |
| file_version | about.labels.key/value |
| product_version | about.labels.key/value |
| bsd_flags | about.labels.key/value |
| pid_with_namespace | about.labels.key/value |
| mount_namespace_id | about.labels.key/value |
file_events
The following table lists the log fields and corresponding UDM mappings for the schema file_events and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| operation | about.labels.key/value |
| pid | principal.process.pid |
| ppid | principal.process.parent_process.pid |
| time | about.labels.key/value |
| executable | about.labels.key/value |
| partial | about.labels.key/value |
| cwd | about.labels.key/value |
| path | src.file.full_path |
| dest_path | target.file.full_path |
| uid | principal.user.userid |
| gid | principal.group.product_object_id |
| auid | about.labels.key/value |
| euid | about.labels.key/value |
| egid | about.labels.key/value |
| fsuid | about.labels.key/value |
| fsgid | about.labels.key/value |
| suid | about.labels.key/value |
| sgid | about.labels.key/value |
| uptime | about.labels.key/value |
| eid | metadata.product_log_id |
gatekeeper
The following table lists the log fields and corresponding UDM mappings for the schema gatekeeper and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| assessments_enabled | about.labels.key/value |
| dev_id_enabled | about.labels.key/value |
| version | target.asset.software.version |
| opaque_version | about.labels.key/value |
gatekeeper_approved_apps
The following table lists the log fields and corresponding UDM mappings for the schema gatekeeper_approved_apps and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| requirement | about.labels.key/value |
| ctime | about.labels.key/value |
| mtime | target.resource.attribute.last_update_time |
groups
The following table lists the log fields and corresponding UDM mappings for the schema groups and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| gid | target.group.attribute.labels.key/value |
| gid_signed | target.group.attribute.labels.key/value |
| groupname | target.group.group_display_name |
| group_sid | target.group.product_object_id |
| comment | target.group.attribute.labels.key/value |
| is_hidden | target.group.attribute.labels.key/value |
| pid_with_namespace | target.group.attribute.labels.key/value |
hardware_events
The following table lists the log fields and corresponding UDM mappings for the schema hardware_events and OS Linux, macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| action | security_result.action_details |
| path | target.asset.attribute.labels.key/value |
| type | target.asset.attribute.labels.key/value |
| driver | target.asset.attribute.labels.key/value |
| vendor | target.asset.attribute.labels.key/value |
| vendor_id | target.asset.attribute.labels.key/value |
| model | target.asset.hardware.model |
| model_id | target.asset.attribute.labels.key/value |
| serial | target.asset.attribute.labels.key/value |
| revision | target.asset.attribute.labels.key/value |
| time | metadata.event_timestamp |
| eid | metadata.product_log_id |
hash
The following table lists the log fields and corresponding UDM mappings for the schema hash and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| directory | about.labels.key/value |
| md5 | target.file.md5 |
| sha1 | target.file.sha1 |
| sha256 | target.file.sha256 |
| pid_with_namespace | about.labels.key/value |
| mount_namespace_id | about.labels.key/value |
interface_addresses
The following table lists the log fields and corresponding UDM mappings for the schema interface_addresses and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| interface | about.labels.key/value |
| address | target.ip |
| mask | about.labels.key/value |
| broadcast | about.labels.key/value |
| point_to_point | about.labels.key/value |
| type | about.labels.key/value |
| friendly_name | about.labels.key/value |
interface_details
The following table lists the log fields and corresponding UDM mappings for the schema interface_details and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| interface | about.labels.key/value |
| mac | target.mac |
| type | about.labels.key/value |
| mtu | about.labels.key/value |
| metric | about.labels.key/value |
| flags | about.labels.key/value |
| ipackets | about.labels.key/value |
| opackets | about.labels.key/value |
| ibytes | network.sent_bytes |
| obytes | network.received_bytes |
| ierrors | about.labels.key/value |
| oerrors | about.labels.key/value |
| idrops | about.labels.key/value |
| odrops | about.labels.key/value |
| collisions | about.labels.key/value |
| last_change | about.labels.key/value |
| link_speed | about.labels.key/value |
| pci_slot | about.labels.key/value |
| friendly_name | about.labels.key/value |
| description | about.labels.key/value |
| manufacturer | target.asset.hardware.manufacturer |
| connection_id | about.labels.key/value |
| connection_status | about.labels.key/value |
| enabled | about.labels.key/value |
| physical_adapter | about.labels.key/value |
| speed | about.labels.key/value |
| service | target.application |
| dhcp_enabled | about.labels.key/value |
| dhcp_lease_expires | network.dhcp.lease_time_seconds |
| dhcp_lease_obtained | about.labels.key/value |
| dhcp_server | network.dhcp.yiaddr |
| dns_domain | network.dns.questions.name |
| dns_domain_suffix_search_order | about.labels.key/value |
| dns_host_name | about.labels.key/value |
| dns_server_search_order | about.labels.key/value |
interface_ipv6
The following table lists the log fields and corresponding UDM mappings for the schema interface_ipv6 and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| interface | about.labels.key/value |
| hop_limit | about.labels.key/value |
| forwarding_enabled | about.labels.key/value |
| redirect_accept | about.labels.key/value |
| rtadv_accept | about.labels.key/value |
iptables
The following table lists the log fields and corresponding UDM mappings for the schema iptables and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| filter_name | about.labels.key/value |
| chain | about.labels.key/value |
| policy | about.labels.key/value |
| target | about.labels.key/value |
| protocol | about.labels.key/value |
| src_port | src.port |
| dst_port | target.port |
| src_ip | src.ip |
| src_mask | about.labels.key/value |
| iniface | about.labels.key/value |
| iniface_mask | about.labels.key/value |
| dst_ip | target.ip |
| dst_mask | about.labels.key/value |
| outiface | about.labels.key/value |
| outiface_mask | about.labels.key/value |
| match | about.labels.key/value |
| packets | about.labels.key/value |
| bytes | network.received_bytes |
kernel_panics
The following table lists the log fields and corresponding UDM mappings for the schema kernel_panics and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| time | about.labels.key/value |
| registers | about.labels.key/value |
| frame_backtrace | about.labels.key/value |
| module_backtrace | about.labels.key/value |
| dependencies | about.labels.key/value |
| name | target.process.command_line |
| os_version | target.platform_version |
| kernel_version | about.labels.key/value |
| system_model | target.asset.hardware.model |
| uptime | about.labels.key/value |
| last_loaded | about.labels.key/value |
| last_unloaded | about.labels.key/value |
keychain_acls
The following table lists the log fields and corresponding UDM mappings for the schema keychain_acls and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| keychain_path | about.labels.key/value |
| authorizations | about.labels.key/value |
| path | target.file.full_path |
| description | metadata.description |
| label | about.labels.key/value |
known_hosts
The following table lists the log fields and corresponding UDM mappings for the schema known_hosts and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| uid | target.user.userid |
| key | about.labels.key/value |
| key_file | target.file.full_path |
last
The following table lists the log fields and corresponding UDM mappings for the schema last and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| username | target.user.user_display_name |
| tty | about.labels.key/value |
| pid | target.process.pid |
| type | about.labels.key/value |
| type_name | about.labels.key/value |
| time | about.labels.key/value |
| host | target.hostname |
listening_ports
The following table lists the log fields and corresponding UDM mappings for the schema listening_ports and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| pid | target.process.pid |
| port | target.port |
| protocol | network.ip_protocol |
| family | about.labels.key/value |
| address | target.ip |
| fd | about.labels.key/value |
| socket | about.labels.key/value |
| path | target.process.file.full_path |
| net_namespace | about.labels.key/value |
logged_in_users
The following table lists the log fields and corresponding UDM mappings for the schema logged_in_users and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| type | about.labels.key/value |
| user | target.user.userid |
| tty | about.labels.key/value |
| host | target.hostname |
| time | about.labels.key/value |
| pid | target.process.pid |
| sid | about.labels.key/value |
| registry_hive | about.labels.key/value |
logon_sessions
The following table lists the log fields and corresponding UDM mappings for the schema logon_sessions and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| logon_id | about.labels.key/value |
| user | target.user.user_display_name |
| logon_domain | about.labels.key/value |
| authentication_package | about.labels.key/value |
| logon_type | about.labels.key/value |
| session_id | network.session_id |
| logon_sid | about.labels.key/value |
| logon_time | about.labels.key/value |
| logon_server | about.labels.key/value |
| dns_domain_name | network.dns_domain |
| upn | about.labels.key/value |
| logon_script | about.labels.key/value |
| profile_path | target.file.full_path |
| home_directory | about.labels.key/value |
| home_directory_drive | about.labels.key/value |
lxd_certificates
The following table lists the log fields and corresponding UDM mappings for the schema lxd_certificates and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | security_result.detection_fields.key/value |
| type | security_result.detection_fields.key/value |
| fingerprint | security_result.detection_fields.key/value |
| certificate | security_result.detection_fields.key/value |
lxd_networks
The following table lists the log fields and corresponding UDM mappings for the schema lxd_networks and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | about.labels.key/value |
| type | about.labels.key/value |
| managed | about.labels.key/value |
| ipv4_address | about.labels.key/value |
| ipv6_address | about.labels.key/value |
| used_by | about.labels.key/value |
| bytes_received | network.received_bytes |
| bytes_sent | network.sent_bytes |
| packets_received | about.labels.key/value |
| packets_sent | about.labels.key/value |
| hwaddr | about.labels.key/value |
| state | about.labels.key/value |
| mtu | about.labels.key/value |
managed_policies
The following table lists the log fields and corresponding UDM mappings for the schema managed_policies and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| domain | target.administrative_domain |
| uuid | about.labels.key/value |
| name | about.labels.key/value |
| value | about.labels.key/value |
| username | target.user.user_display_name |
| manual | about.labels.key/value |
memory_devices
The following table lists the log fields and corresponding UDM mappings for the schema memory_devices and OS Linux, macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| handle | about.labels.key/value |
| array_handle | about.labels.key/value |
| form_factor | about.labels.key/value |
| total_width | about.labels.key/value |
| data_width | about.labels.key/value |
| size | about.labels.key/value |
| set | about.labels.key/value |
| device_locator | about.labels.key/value |
| bank_locator | about.labels.key/value |
| memory_type | about.labels.key/value |
| memory_type_details | about.labels.key/value |
| max_speed | about.labels.key/value |
| configured_clock_speed | about.labels.key/value |
| manufacturer | target.asset.hardware.manufacturer |
| serial_number | target.asset.hardware.serial_number |
| asset_tag | target.asset.asset_id |
| part_number | about.labels.key/value |
| min_voltage | about.labels.key/value |
| max_voltage | about.labels.key/value |
| configured_voltage | about.labels.key/value |
ntdomains
The following table lists the log fields and corresponding UDM mappings for the schema ntdomains and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | about.labels.key/value |
| client_site_name | about.labels.key/value |
| dc_site_name | about.labels.key/value |
| dns_forest_name | network.dns.questions.name |
| domain_controller_address | target.ip |
| domain_controller_name | about.labels.key/value |
| domain_name | target.administrative_domain |
| status | about.labels.key/value |
ntfs_acl_permissions
The following table lists the log fields and corresponding UDM mappings for the schema ntfs_acl_permissions and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| type | about.labels.key/value |
| principal | about.labels.key/value |
| access | about.labels.key/value |
| inherited_from | about.labels.key/value |
os_version
The following table lists the log fields and corresponding UDM mappings for the schema os_version and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | about.labels.key/value |
| version | principal.platform_version |
| major | about.labels.key/value |
| minor | about.labels.key/value |
| patch | principal.platform_patch_level |
| build | about.labels.key/value |
| platform | principal.platform |
| platform_like | about.labels.key/value |
| codename | about.labels.key/value |
| arch | about.labels.key/value |
| install_date | about.labels.key/value |
| pid_with_namespace | about.labels.key/value |
| mount_namespace_id | about.labels.key/value |
osquery_events
The following table lists the log fields and corresponding UDM mappings for the schema osquery_events and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | target.resource.name |
| publisher | about.label.key/value |
| type | about.label.key/value |
| subscriptions | about.label.key/value |
| events | about.label.key/value |
| refreshes | about.label.key/value |
| active | about.label.key/value |
patches
The following table lists the log fields and corresponding UDM mappings for the schema patches and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| csname | target.hostname |
| hotfix_id | about.labels.key/value |
| caption | about.labels.key/value |
| description | metadata.description |
| fix_comments | about.labels.key/value |
| installed_by | about.labels.key/value |
| install_date | about.labels.key/value |
| installed_on | about.labels.key/value |
pci_devices
The following table lists the log fields and corresponding UDM mappings for the schema pci_devices and OS Linux, macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| pci_slot | principal.labels.key/value |
| pci_class | principal.labels.key/value |
| driver | principal.labels.key/value |
| vendor | principal.labels.key/value |
| vendor_id | principal.labels.key/value |
| model | principal.asset.hardware.model |
| model_id | principal.labels.key/value |
| subsystem | principal.labels.key/value |
| express | principal.labels.key/value |
| thunderbolt | principal.labels.key/value |
| removable | principal.labels.key/value |
| pci_class_id | principal.labels.key/value |
| pci_subclass_id | principal.labels.key/value |
| pci_subclass | principal.labels.key/value |
| subsystem_vendor_id | principal.labels.key/value |
| subsystem_vendor | principal.labels.key/value |
| subsystem_model_id | principal.labels.key/value |
| subsystem_model | principal.labels.key/value |
pipes
The following table lists the log fields and corresponding UDM mappings for the schema pipes and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| pid | target.process.pid |
| name | target.resource.name |
| instances | about.labels.key/value |
| max_instances | about.labels.key/value |
| flags | about.labels.key/value |
powershell_events
The following table lists the log fields and corresponding UDM mappings for the schema powershell_events and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| time | metadata.collected_timestamp |
| datetime | about.labels.key/value |
| script_block_id | about.labels.key/value |
| script_block_count | about.labels.key/value |
| script_text | about.labels.key/value |
| script_name | about.labels.key/value |
| script_path | target.file.full_path |
| cosine_similarity | about.labels.key/value |
process_envs
The following table lists the log fields and corresponding UDM mappings for the schema process_envs and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| pid | target.process.pid |
| key | about.labels.key |
| value | about.labels.value |
process_events
The following table lists the log fields and corresponding UDM mappings for the schema process_events and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| version | target.platform_version |
| seq_num | about.labels.key/value |
| global_seq_num | about.labels.key/value |
| pid | target.process.pid |
| path | target.file.full_path |
| parent | target.process.parent_process.pid |
| original_parent | about.labels.key/value |
| cmdline | target.process.command_line |
| cmdline_count | about.labels.key/value |
| env | about.labels.key/value |
| env_count | about.labels.key/value |
| cwd | about.labels.key/value |
| uid | target.user.userid |
| euid | about.labels.key/value |
| gid | target.group.product_object_id |
| egid | about.labels.key/value |
| username | target.user.user_display_name |
| signing_id | about.labels.key/value |
| team_id | about.labels.key/value |
| cdhash | about.labels.key/value |
| platform_binary | about.labels.key/value |
| exit_code | about.labels.key/value |
| child_pid | about.labels.key/value |
| time | about.labels.key/value |
| event_type | about.labels.key/value |
| eid | about.labels.key/value |
process_file_events
The following table lists the log fields and corresponding UDM mappings for the schema process_file_events and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| operation | about.labels.key/value |
| pid | target.process.pid |
| ppid | target.process.parent_process.pid |
| time | about.labels.key/value |
| executable | about.labels.key/value |
| partial | about.labels.key/value |
| cwd | about.labels.key/value |
| path | target.file.full_path |
| dest_path | about.labels.key/value |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| auid | about.labels.key/value |
| euid | about.labels.key/value |
| egid | about.labels.key/value |
| fsuid | about.labels.key/value |
| fsgid | about.labels.key/value |
| suid | about.labels.key/value |
| sgid | about.labels.key/value |
| uptime | about.labels.key/value |
| eid | metadata.product_log_id |
process_open_sockets
The following table lists the log fields and corresponding UDM mappings for the schema process_open_sockets and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| pid | principal.process.pid |
| fd | about.labels.key/value |
| socket | about.labels.key/value |
| family | about.labels.key/value |
| protocol | about.labels.key/value |
| local_address | principal.ip |
| remote_address | target.ip |
| local_port | principal.port |
| remote_port | target.port |
| path | target.file.full_path |
| state | about.labels.key/value |
| net_namespace | about.labels.key/value |
processes
The following table lists the log fields and corresponding UDM mappings for the schema processes and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| pid | target.process.pid |
| name | about.labels.key/value |
| path | target.process.file.full_path |
| cmdline | target.process.command_line |
| state | target.process.attribute.labels.key/value |
| cwd | about.labels.key/value |
| root | about.labels.key/value |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| euid | about.labels.key/value |
| egid | about.labels.key/value |
| suid | about.labels.key/value |
| sgid | about.labels.key/value |
| on_disk | about.labels.key/value |
| wired_size | about.labels.key/value |
| resident_size | about.labels.key/value |
| total_size | about.labels.key/value |
| user_time | about.labels.key/value |
| system_time | about.labels.key/value |
| disk_bytes_read | about.labels.key/value |
| disk_bytes_written | about.labels.key/value |
| start_time | about.labels.key/value |
| parent | target.process.parent_process.pid |
| pgroup | about.labels.key/value |
| threads | about.labels.key/value |
| nice | about.labels.key/value |
| elevated_token | about.labels.key/value |
| secure_process | about.labels.key/value |
| protection_type | about.labels.key/value |
| virtual_process | about.labels.key/value |
| elapsed_time | about.labels.key/value |
| handle_count | about.labels.key/value |
| percent_processor_time | about.labels.key/value |
| upid | about.labels.key/value |
| uppid | about.labels.key/value |
| cpu_type | about.labels.key/value |
| cpu_subtype | about.labels.key/value |
programs
The following table lists the log fields and corresponding UDM mappings for the schema programs and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | target.resource.name |
| version | target.platform_version |
| install_location | about.labels.key/value |
| install_source | about.labels.key/value |
| language | about.labels.key/value |
| publisher | about.labels.key/value |
| uninstall_string | target.file.full_path |
| install_date | about.labels.key/value |
| identifying_number | about.labels.key/value |
scheduled_tasks
The following table lists the log fields and corresponding UDM mappings for the schema scheduled_tasks and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | target.resource.name |
| action | security_result.action_details |
| path | target.file.full_path |
| enabled | about.labels.key/value |
| state | about.labels.key/value |
| hidden | about.labels.key/value |
| last_run_time | about.labels.key/value |
| next_run_time | about.labels.key/value |
| last_run_message | about.labels.key/value |
| last_run_code | about.labels.key/value |
seccomp_events
The following table lists the log fields and corresponding UDM mappings for the schema seccomp_events and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| time | about.labels.key/value |
| uptime | about.labels.key/value |
| auid | about.labels.key/value |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| ses | about.labels.key/value |
| pid | target.process.pid |
| comm | about.labels.key/value |
| exe | target.file.full_path |
| sig | about.labels.key/value |
| arch | about.labels.key/value |
| syscall | about.labels.key/value |
| compat | about.labels.key/value |
| ip | about.labels.key/value |
| code | about.labels.key/value |
seLinux_events
The following table lists the log fields and corresponding UDM mappings for the schema seLinux_events and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| type | about.labels.key/value |
| message | metadata.description |
| time | about.labels.key/value |
| uptime | about.labels.key/value |
| eid | metadata.product_log_id |
shadow
The following table lists the log fields and corresponding UDM mappings for the schema shadow and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| password_status | about.labels.key/value |
| hash_alg | about.labels.key/value |
| last_change | about.labels.key/value |
| min | about.labels.key/value |
| max | about.labels.key/value |
| warning | about.labels.key/value |
| inactive | about.labels.key/value |
| expire | about.labels.key/value |
| flag | about.labels.key/value |
| username | principal.user.user_display_name |
shell_history
The following table lists the log fields and corresponding UDM mappings for the schema shell_history and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| uid | principal.user.userid |
| time | about.labels.key/value |
| command | principal.process.command_line |
| history_file | principal.process.file.full_path |
shimcache
The following table lists the log fields and corresponding UDM mappings for the schema shimcache and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| entry | about.labels.key/value |
| path | target.file.full_path |
| modified_time | target.file.last_modification_time |
| execution_flag | about.labels.key/value |
signature
The following table lists the log fields and corresponding UDM mappings for the schema signature and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| hash_resources | about.labels.key/value |
| arch | about.labels.key/value |
| signed | target.file.pe_file.signature_info.verified |
| identifier | target.file.pe_file.signature_info.signer |
| cdhash | about.labels.key/value |
| team_identifier | about.labels.key/value |
| authority | about.labels.key/value |
sip_config
The following table lists the log fields and corresponding UDM mappings for the schema sip_config and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| config_flag | about.labels.key/value |
| enabled | about.labels.key/value |
| enabled_nvram | about.labels.key/value |
socket_events
The following table lists the log fields and corresponding UDM mappings for the schema socket_events and OS Linux, macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| action | security_result.action_details |
| pid | target.process.pid |
| path | target.process.file.full_path |
| fd | about.labels.key/value |
| auid | target.user.userid |
| status | about.labels.key/value |
| family | about.labels.key/value |
| protocol | about.labels.key/value |
| local_address | principal.ip |
| remote_address | target.ip |
| local_port | principal.port |
| remote_port | target.port |
| socket | about.labels.key/value |
| time | about.labels.key/value |
| uptime | about.labels.key/value |
| eid | metadata.product_log_id |
| success | about.labels.key/value |
sudoers
The following table lists the log fields and corresponding UDM mappings for the schema sudoers and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| source | about.labels.key/value |
| header | about.labels.key/value |
| rule_details | about.labels.key/value |
syslog_events
The following table lists the log fields and corresponding UDM mappings for the schema syslog_events and OS Linux:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| time | about.labels.key/value |
| datetime | about.labels.key/value |
| host | target.hostname |
| severity | security_result.severity (enum) |
| facility | about.labels.key/value |
| tag | about.labels.key/value |
| message | about.labels.key/value |
| eid | metadata.product_log_id |
system_info
The following table lists the log fields and corresponding UDM mappings for the schema system_info and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| hostname | principal.administrative_domain |
| uuid | about.labels.key/value |
| cpu_type | about.labels.key/value |
| cpu_subtype | about.labels.key/value |
| cpu_brand | about.labels.key/value |
| cpu_physical_cores | about.labels.key/value |
| cpu_logical_cores | principal.asset.hardware.cpu_number_cores |
| cpu_microcode | about.labels.key/value |
| physical_memory | about.labels.key/value |
| hardware_vendor | about.labels.key/value |
| hardware_model | principal.asset.hardware.model |
| hardware_version | about.labels.key/value |
| hardware_serial | principal.asset.hardware.serial_number |
| board_vendor | about.labels.key/value |
| board_model | about.labels.key/value |
| board_version | about.labels.key/value |
| board_serial | about.labels.key/value |
| computer_name | about.labels.key/value |
| local_hostname | about.labels.key/value |
tpm_info
The following table lists the log fields and corresponding UDM mappings for the schema tpm_info and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| activated | about.labels.key/value |
| enabled | about.labels.key/value |
| owned | about.labels.key/value |
| manufacturer_version | about.labels.key/value |
| manufacturer_id | about.labels.key/value |
| manufacturer_name | principal.aseet.hardware.manufacturer |
| product_name | principal.resource.name |
| physical_presence_version | about.labels.key/value |
| spec_version | about.labels.key/value |
usb_devices
The following table lists the log fields and corresponding UDM mappings for the schema usb_devices and OS Linux, macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| usb_address | about.labels.key/value |
| usb_port | about.labels.key/value |
| vendor | about.labels.key/value |
| vendor_id | about.labels.key/value |
| version | about.labels.key/value |
| model | target.asset.hardware.model |
| model_id | about.labels.key/value |
| serial | target.asset.hardware.serial_number |
| class | about.labels.key/value |
| subclass | about.labels.key/value |
| protocol | about.labels.key/value |
| removable | about.labels.key/value |
user_events
The following table lists the log fields and corresponding UDM mappings for the schema user_events and OS Linux, macOS, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| uid | principal.user.userid |
| auid | principal.user.attribute.labels.key/value |
| pid | target.process.pid |
| message | metadata.description |
| type | about.labels.key/value |
| path | target.file.full_path |
| address | about.labels.key/value |
| terminal | about.labels.key/value |
| time | metadata.collected_timestamp |
| uptime | about.labels.key/value |
| eid | metadata.product_log_id |
user_groups
The following table lists the log fields and corresponding UDM mappings for the schema user_groups and OS Linux, macOS, Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| uid | principal.user.userid |
| gid | principal.group.product_object_id |
users
The following table lists the log fields and corresponding UDM mappings for the schema users and OS macOS, Linux, Windows, freebsd:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| uid | principal.user.userid |
| gid | principal.user.group_identifiers(repeated) |
| uid_signed | about.labels.key/value |
| gid_signed | about.labels.key/value |
| username | principal.user.user_display_name |
| description | about.labels.key/value |
| directory | about.labels.key/value |
| shell | about.labels.key/value |
| uuid | principal.user.product_object_id |
| type | about.labels.key/value |
| is_hidden | about.labels.key/value |
| pid_with_namespace | about.labels.key/value |
wifi_networks
The following table lists the log fields and corresponding UDM mappings for the schema wifi_networks and OS macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| ssid | target.labels.key/value |
| network_name | target.labels.key/value |
| security_type | target.labels.key/value |
| last_connected | about.labels.key/value |
| passpoint | about.labels.key/value |
| possibly_hidden | about.labels.key/value |
| roaming | about.labels.key/value |
| roaming_profile | about.labels.key/value |
| captive_portal | about.labels.key/value |
| auto_login | target.labels.key/value |
| temporarily_disabled | target.labels.key/value |
| disabled | target.labels.key/value |
windows_crashes
The following table lists the log fields and corresponding UDM mappings for the schema Windows_crashes and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| datetime | about.labels.key/value |
| module | about.labels.key/value |
| path | target.process.file.full_path |
| pid | target.process.pid |
| tid | about.labels.key/value |
| version | about.labels.key/value |
| process_uptime | about.labels.key/value |
| stack_trace | about.labels.key/value |
| exception_code | about.labels.key/value |
| exception_message | about.labels.key/value |
| exception_address | about.labels.key/value |
| registers | about.labels.key/value |
| command_line | target.process.command_line |
| current_directory | about.labels.key/value |
| username | target.user.user_display_name |
| machine_name | about.labels.key/value |
| major_version | about.labels.key/value |
| minor_version | about.labels.key/value |
| build_number | target.platform_version |
| type | about.labels.key/value |
| crash_path | about.labels.key/value |
windows_eventlog
The Windows Event (WINEVTLOG) parser maps these events. See Collect Microsoft Windows Event data for more information."
windows_events
The Windows Event (WINEVTLOG) parser maps these events. See Collect Microsoft Windows Event data for more information.
windows_firewall_rules
The following table lists the log fields and corresponding UDM mappings for the schema Windows_firewall_rules and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | about.labels.key/value |
| app_name | target.application |
| action | security_result.action (enum) |
| enabled | about.labels.key/value |
| grouping | about.labels.key/value |
| direction | network.direction |
| protocol | network.ip_protocol |
| local_addresses | principal.ip |
| remote_addresses | target.ip |
| local_ports | principal.port |
| remote_ports | target.port |
| icmp_types_codes | about.labels.key/value |
| profile_domain | about.labels.key/value |
| profile_private | about.labels.key/value |
| profile_public | about.labels.key/value |
| service_name | about.labels.key/value |
windows_security_center
The following table lists the log fields and corresponding UDM mappings for the schema Windows_security_center and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| firewall | security_result.detection_fields.key/value |
| autoupdate | security_result.detection_fields.key/value |
| antivirus | security_result.detection_fields.key/value |
| antispyware | security_result.detection_fields.key/value |
| internet_settings | security_result.detection_fields.key/value |
| Windows_security_center_service | security_result.detection_fields.key/value |
| user_account_control | security_result.detection_fields.key/value |
windows_security_products
The following table lists the log fields and corresponding UDM mappings for the schema Windows_security_products and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| type | about.labels.key/value |
| name | target.resource.name |
| state | about.labels.key/value |
| state_timestamp | about.labels.key/value |
| remediation_path | about.labels.key/value |
| signatures_up_to_date | about.labels.key/value |
wmi_bios_info
The following table lists the log fields and corresponding UDM mappings for the schema wmi_bios_info and OS Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| name | about.labels.key/value |
| value | about.labels.key/value |
yara
The following table lists the log fields and corresponding UDM mappings for the schema yara and OS Linux, macOS, freebsd, Windows:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| path | target.file.full_path |
| matches | about.labels.key/value |
| count | about.labels.key/value |
| sig_group | security_result.detection_fields.key/value |
| sigfile | security_result.detection_fields.key/value |
| sigrule | security_result.detection_fields.key/value |
| strings | about.labels.key/value |
| tags | about.labels.key/value |
| sigurl | security_result.detection_fields.key/value |
yara_events
The following table lists the log fields and corresponding UDM mappings for the schema yara_events and OS Linux, macOS:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION | |
| target_path | target.file.full_path |
| category | about.labels.key/value |
| action | security_result.action_details |
| transaction_id | security_result.detection_fields.key/value |
| matches | about.labels.key/value |
| count | about.labels.key/value |
| strings | about.labels.key/value |
| tags | about.labels.key/value |
| time | about.labels.key/value |
| eid | metadata.product_log_id |
What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-04-25 UTC.