Diese Seite wurde von der Cloud Translation API übersetzt.

Microsoft Windows AD-Daten erfassen

Unterstützt in:

Google SecOps SIEM

Dieses Dokument enthält die folgenden Informationen:

Bereitstellungsarchitektur und Installationsschritte sowie alle erforderlichen Konfigurationen, die Protokolle für Microsoft Windows Active Directory-Ereignisse generieren, die vom Google Security Operations-Parser unterstützt werden. Eine Übersicht über die Datenaufnahme in Google Security Operations finden Sie unter Datenaufnahme in Google Security Operations.
Informationen dazu, wie der Parser Felder im ursprünglichen Protokoll den Feldern des einheitlichen Datenmodells von Google Security Operations zuordnet.

Konfigurieren Sie den BindPlane-Agent oder den NXLog-Agent entsprechend Ihrer Bereitstellungsarchitektur, um Microsoft Windows Active Directory-Logs in Google Security Operations aufzunehmen. Wir empfehlen, den BindPlane-Agent zu verwenden, um die Logs des Windows Active Directory an Google Security Operations weiterzuleiten.

Die Informationen in diesem Dokument beziehen sich auf den Parser mit dem Datenaufnahmelabel WINDOWS_AD. Das Aufnahmelabel gibt an, welcher Parser Roh-Logdaten in das strukturierte UDM-Format normalisiert.

Hinweise

Führen Sie die folgenden Aufgaben aus, bevor Sie den BindPlane- oder NXLog-Agenten konfigurieren:

Konfigurieren Sie alle Systeme so, dass die Zeitzone UTC verwendet wird.
Microsoft Windows AD-Server konfigurieren
Unterstützte Geräte und Versionen ansehen
Unterstützte Logtypen ansehen

Microsoft Windows AD-Server konfigurieren

Erstellen und konfigurieren Sie auf jedem Microsoft Windows Active Directory-Server ein PowerShell-Script, um die Protokolldaten in einer Ausgabedatei zu speichern. Der BindPlane-Agent oder NXLog liest die Ausgabedatei.

# Set the location where the log file will be written
$OUTPUT_FILENAME="<Path_of_the_output_file>"

If (Test-Path -Path $OUTPUT_FILENAME) { Remove-Item -path $OUTPUT_FILENAME -ErrorAction SilentlyContinue}

# USER_CONTEXT: Gets all Active Directory users and their properties.
Get-ADUser -Filter * -properties samAccountName | % { Get-ADUser $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }

# ASSET_CONTEXT: Gets all Active Directory assets and their properties.
Get-ADComputer -Filter * -properties samAccountName | % { Get-ADComputer $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }

Ersetzen Sie Folgendes :
- Ersetzen Sie den Wert von $OUTPUT_FILENAME durch den Speicherort der Ausgabedatei.
- Speichern Sie die Daten im JSON-Format.
- Legen Sie die Codierung auf UTF-8 fest.
- Verwenden Sie beim Aufrufen der Cmdlets Get-ADUser und Get-ADComputer den Parameter -Filter anstelle des Parameters -LDAPFilter.
Erstellen Sie eine wiederkehrende Aufgabe, die das Script ausführt, um Daten abzurufen und in die Ausgabedatei zu schreiben.
1. Öffnen Sie den Taskplaner.
2. Klicken Sie auf Aufgabe erstellen.
3. Geben Sie einen Namen und eine Beschreibung für die Aufgabe ein.
4. Klicken Sie das Kästchen Mit höchsten Berechtigungen ausführen an, damit alle Daten abgerufen werden.
5. Legen Sie auf dem Tab Trigger fest, wann die Aufgabe wiederholt werden soll.
6. Fügen Sie auf dem Tab Aktion eine neue Aktion hinzu und geben Sie den Pfad zur Datei an, in der das Script gespeichert ist.

Unterstützte Geräte und Versionen ansehen

Microsoft Windows Server wird in den folgenden Versionen veröffentlicht: Foundation, Essentials, Standard und Datacenter. Das Ereignisschema der Protokolle, die von den einzelnen Versionen generiert werden, unterscheidet sich nicht.

Der Google Security Operations-Parser unterstützt Protokolle der folgenden Microsoft Windows-Serverversionen:

Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012

Der Google Security Operations-Parser unterstützt Logs, die mit der NXLog Community Edition oder Enterprise Edition erfasst werden.

Unterstützte Logtypen ansehen

Der Google Security Operations-Parser analysiert und normalisiert Daten, die aus dem Nutzerkontext und dem Asset-Kontext abgerufen wurden. Es werden nur Protokolle unterstützt, die in englischer Sprache erstellt wurden.

BindPlane-Agent konfigurieren

Wir empfehlen, die Logs des Windows Active Directory mit dem BindPlane-Agent an Google Security Operations weiterzuleiten.

Nach der Installation wird der BindPlane-Agentdienst in der Liste der Windows-Dienste als Dienst observIQ angezeigt.

Installieren Sie den BindPlane-Agent auf jedem Windows Active Directory-Server. Weitere Informationen zur Installation des BindPlane-Agents finden Sie in der Anleitung zur Installation des BindPlane-Agents.

Erstellen Sie eine Konfigurationsdatei für den BindPlane-Agenten mit folgendem Inhalt:

receivers:
  filelog:
    include: [ `FILE_PATH` ]
    operators:
      - type: json_parser
    start_at: beginning
  windowseventlog/activedirectoryservice:
    channel: Directory Service
    raw: true
processors:
  batch:

exporters:
  chronicle/activedirectory:
    endpoint: https://malachiteingestion-pa.googleapis.com
    creds: '{
    "type": "service_account",
    "project_id": "malachite-projectname",
    "private_key_id": `PRIVATE_KEY_ID`,
    "private_key": `PRIVATE_KEY`,
    "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "client_id": `CLIENT_ID`,
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "universe_domain": "googleapis.com"
    }'
  log_type: 'WINDOWS_AD'
  override_log_type: false
  raw_log_field: body
  customer_id: `CUSTOMER_ID`

service:
  pipelines:
    logs/ads:
      receivers:
        - filelog
        - windowseventlog/activedirectoryservice
      processors: [batch]
      exporters: [chronicle/activedirectory]

Ersetzen Sie Folgendes :
- FILE_PATH mit dem Pfad zur Datei, in der die Ausgabe des PowerShell-Scripts gespeichert wurde, das unter Microsoft Windows AD-Server konfigurieren erwähnt wurde.
- PRIVATE_KEY_ID, PRIVATE_KEY, SERVICSERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID und CUSTOMER_ID mit den entsprechenden Werten aus der JSON-Datei des Dienstkontos, die Sie unter Google Cloudherunterladen können. Weitere Informationen zu Dienstkontoschlüsseln finden Sie unter Dienstkontoschlüssel erstellen und löschen.
Wählen Sie zum Starten des observIQ-Agentendiensts Dienste > Erweitert > observIQ-Dienst > Starten aus.

NXLog konfigurieren

Das folgende Diagramm zeigt eine Architektur, in der NXLog-Agenten installiert sind, um Microsoft Windows-Ereignisse zu erfassen und an Google Security Operations zu senden. Vergleichen Sie diese Informationen mit Ihrer Umgebung, um sicherzustellen, dass diese Komponenten installiert sind. Ihre Bereitstellung kann sich von dieser Architektur unterscheiden und komplexer sein.

Aufnahme über NXLog-Forwarder

Wenn Sie den NXLog-Agent anstelle des BindPlane-Agents verwenden, prüfen Sie Folgendes:

Auf jedem Microsoft Windows-Server, auf dem Active Directory ausgeführt wird, wird ein PowerShell-Script erstellt und konfiguriert, um USER_CONTEXT- und ASSET_CONTEXT-Daten zu erfassen. Weitere Informationen finden Sie unter Microsoft Windows AD-Server konfigurieren.
NXLog wird auf jedem Microsoft Windows AD-Server installiert, um Daten an den zentralen Microsoft Windows-Server oder Linux-Server zu senden.
Der Google Security Operations-Weiterleiter wird auf dem zentralen Microsoft Windows- oder Linux-Server installiert, um Logdaten an Google Security Operations weiterzuleiten.

NXLog konfigurieren

Installieren Sie den NXLog-Agent auf jedem Collector, der auf dem Windows Active Directory-Server ausgeführt wird. Diese Anwendung leitet Protokolle an den zentralen Microsoft Windows- oder Linux-Server weiter. Weitere Informationen finden Sie in der NXLog-Dokumentation.
Erstellen Sie eine Konfigurationsdatei für jede NXLog-Instanz. Verwenden Sie das NXLog-im_file-Modul, um die Datei zu lesen und die Zeilen in Felder zu parsen. Verwenden Sie om_tcp, um Daten an den zentralen Microsoft Windows- oder Linux-Server weiterzuleiten.

Das folgende Beispiel zeigt eine NXLog-Konfiguration. Ersetzen Sie die Werte <hostname> und <port> durch Informationen zum zentralen Microsoft Windows- oder Linux-Server des Ziels. Fügen Sie im Bereich <Input in_adcontext> und in der Eigenschaft File den Pfad zur Ausgabeprotokolldatei hinzu, die vom PowerShell-Script erstellt wurde. Legen Sie immer DirCheckInterval und PollInterval fest. Wenn diese nicht definiert sind, sucht NXLog alle 1 Sekunde nach Dateien.
```
define ROOT C:\Program Files\nxlog
define ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <hostname>
define ADCONTEXT_OUTPUT_DESTINATION_PORT <port>

Moduledir   %ROOT%\modules
CacheDir    %ROOT%\data
Pidfile     %ROOT%\data\nxlog.pid
SpoolDir    %ROOT%\data
LogFile     %ROOT%\data\nxlog.log

<Input in_adcontext>
    Module im_file
    File "<Path_of_the_output_file>"
    DirCheckInterval 3600
    PollInterval 3600
</Input>

<Output out_chronicle_adcontext>
    Module  om_tcp
    Host    %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS%
    Port    %ADCONTEXT_OUTPUT_DESTINATION_PORT%
</Output>

<Route ad_context_to_chronicle>
    Path in_adcontext => out_chronicle_adcontext
</Route>
```
Starten Sie den NXLog-Dienst auf jedem System.

Weiterleitung auf einem zentralen Server konfigurieren

Informationen zum Installieren und Konfigurieren des Brokers unter Linux finden Sie unter Installation und Konfiguration des Brokers unter Linux. Informationen zum Installieren und Konfigurieren des Brokers unter Microsoft Windows finden Sie unter Installation und Konfiguration des Brokers unter Microsoft Windows.

Konfigurieren Sie das System mit der Zeitzone UTC.
Installieren Sie den Google Security Operations-Weiterleitungsdienst auf dem zentralen Microsoft Windows- oder Linux-Server.

Konfigurieren Sie den Google Security Operations-Weiterleiter so, dass Protokolle an Google Security Operations gesendet werden. Im Folgenden finden Sie eine Beispielkonfiguration für einen Weiterleiter:

  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_AD
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

Referenz zur Feldzuordnung: Geräteprotokollfelder zu UDM-Feldern

In diesem Abschnitt wird beschrieben, wie der Parser die ursprünglichen Protokollfelder den Feldern des einheitlichen Datenmodells zuordnet.

Referenz für die Feldzuordnung: WINDOWS_AD

In der folgenden Tabelle sind die Protokollfelder des WINDOWS_AD-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field	UDM mapping	Logic
	`metadata.entity_type`	If the `ObjectClass` log field value is equal to `user` or is empty, then the `metadata.entity_type` UDM field is set to `USER`. Else, if the `ObjectClass` log field value is equal to `computer`, then the `metadata.entity_type` UDM field is set to `ASSET`.
`ObjectGuid`	`entity.user.product_object_id`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `ObjectGuid` log field value is not empty, then the `ObjectGuid` log field is mapped to the `entity.user.product_object_id` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `ObjectGuid` log field value is not empty, then the `ObjectGuid` log field is mapped to the `entity.asset.product_object_id` UDM field.
`whenCreated`	`metadata.creation_timestamp`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `whenCreated` log field value is not empty, then `when_created` is extracted from the `whenCreated` log field using a Grok pattern, and mapped to the `entity.asset.attribute.creation_time` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `whenCreated` log field value is not empty, then `when_created` is extracted from the `whenCreated` log field using a Grok pattern, and mapped to the `metadata.creation_timestamp` UDM field. Else, `timestamp tz_left tz_right` is extracted from the `whenCreated` log field using a Grok pattern, and mapped to the `entity.asset.attribute.creation_time` UDM field.
`DisplayName`	`entity.user.user_display_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `DisplayName` log field value is not empty, then the `DisplayName` log field is mapped to the `entity.user.user_display_name` UDM field.
`GivenName`	`entity.user.first_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `GivenName` log field value is not empty, then the `GivenName` log field is mapped to the `entity.user.first_name` UDM field.
`SamAccountName`	`entity.user.userid`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `SamAccountName` log field value is not empty, then the `SamAccountName` log field is mapped to the `entity.user.userid` UDM field. If the `ObjectClass` log field value is equal to `computer`, then the `SamAccountName` log field is mapped to the `entity.asset.asset_id` UDM field.
`EmployeeID`	`entity.user.employee_id`	If the `EmployeeID` log field value is not empty, then the `EmployeeID` log field is mapped to the `entity.user.employee_id` UDM field. Else the `employeeID.0` log field is mapped to the `entity.user.employee_id` UDM field.
`Title`	`entity.user.title`	If the `Title` log field value is not empty, then the `Title` log field is mapped to the `entity.user.title` UDM field.
`Surname`	`entity.user.last_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Surname` log field value is not empty, then if the `sn` log field is mapped to the `entity.user.last_name` UDM field. Else if`Surname` log field value is not empty, then the `Surname` log field is mapped to the `entity.user.last_name` UDM field.
`Company`	`entity.user.company_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Company` log field value is not empty, then the `Company` log field is mapped to the `entity.user.company_name` UDM field.
`City`	`entity.user.personal_address.city`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `City` log field value is not empty, then the `City` log field is mapped to the `entity.user.personal_address.city` UDM field.
`Department`	`entity.user.department`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Department` log field value is not empty, then the `Department` log field is mapped to the `entity.user.department` UDM field.
	`entity.user.email_addresses`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `EmailAddress` log field value is not empty, then the `EmailAddress` log field is mapped to the `entity.user.email_addresses` UDM field. Else, if the `mail` log field value is not empty, then the `mail` log field is mapped to the `entity.user.email_addresses` UDM field.
`HomePhone`	`entity.user.phone_numbers`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `HomePhone` log field value is not empty, then the `HomePhone` log field is mapped to the `entity.user.phone_numbers` UDM field. Else if the `telephoneNumber` log field value is not empty, then the `telephoneNumber` log field is mapped to the `entity.user.phone_numbers` UDM field. If the `ObjectClass` log field value is equal to `user` or is empty, then if the `MobilePhone` log field value is not empty, then the `MobilePhone` log field is mapped to the `entity.user.phone_numbers` UDM field.
`StreetAddress`	`entity.user.personal_address.name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `StreetAddress` log field value is not empty, then the `StreetAddress` log field is mapped to the `entity.user.personal_address.name` UDM field.
`State`	`entity.user.personal_address.state`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `State` log field value is not empty, then the `State` log field is mapped to the `entity.user.personal_address.state` UDM field.
`Country`	`entity.user.personal_address.country_or_region`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Country` log field value is not empty, then the `Country` log field is mapped to the `entity.user.personal_address.country_or_region` UDM field.
`Office`	`entity.user.office_address.name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Office` log field value is not empty, then the `Office` log field is mapped to the `entity.user.office_address.name` UDM field.
`HomeDirectory`	`entity.file.full_path`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `HomeDirectory` log field value is not empty, then the `HomeDirectory` log field is mapped to the `entity.file.full_path` UDM field.
	`entity.user.managers.user_display_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Manager` log field value is not empty, then `manager_name` is extracted from the `Manager` log field using a Grok pattern, and mapped to the `entity.user.managers.user_display_name` UDM field.
	`entity.user.windows_sid`	If the `SID.Value` log field value is not empty, then the `SID.Value` field is mapped to the `entity.user.windows_sid` UDM field. Else, if the `objectSid` log field value is not empty, then the `objectSid` field is mapped to the `entity.user.windows_sid` UDM field. If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Manager` log field value is not empty, then if Manager matches the regular expression pattern `(S-\d-(\d+-){1,14}\d+)`, then the `Manager` log field is mapped to the `entity.user.managers.windows_sid` UDM field. Else, the `Manager` log field is mapped to the `entity.user.managers.userid` UDM field.
	`relations.relationship`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `MemberOf` log field value is not empty, then for index in `MemberOf`, the `relations.relationship` UDM field is set to `MEMBER`. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `ManagedBy` log field value is not empty, then the `relations.relationship` UDM field is set to `ADMINISTERS`. If the `PrimaryGroup` log field value is not empty, then `group_name` is extracted from the `PrimaryGroup` log field using a Grok pattern, if the `group_name` extracted field value is not empty, then the `relations.relationship` UDM field is set to `MEMBER`.
	`relations.entity.group.group_display_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `MemberOf` log field value is not empty, then for index in `MemberOf`, `group_name` is extracted from the `index` using a Grok pattern and mapped to the `relations.entity.group.group_display_name` UDM field. If the `PrimaryGroup` log field value is not empty, then `group_name` is extracted from the `PrimaryGroup` log field using a Grok pattern and mapped to the `relations.entity.group.group_display_name` UDM field.
	`relations.entity_type`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `MemberOf` log field value is not empty, then for index in `MemberOf`, the `relations.entity_type` UDM field is set to `GROUP`. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `ManagedBy` log field value is not empty, then the `relations.entity_type` UDM field is set to `ASSET`. If the `PrimaryGroup` log field value is not empty, then `group_name` is extracted from the `PrimaryGroup` log field using a Grok pattern, if the `group_name` extracted field value is not empty, then the `relations.entity_type` UDM field is set to `GROUP`.
	`relations.direction`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `MemberOf` log field value is not empty, then for index in `MemberOf`, the `relations.direction` UDM field is set to `UNIDIRECTIONAL`. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `ManagedBy` log field value is not empty, then the `relations.direction` UDM field is set to `UNIDIRECTIONAL`. If the `PrimaryGroup` log field value is not empty, then `group_name` is extracted from the `PrimaryGroup` log field using a Grok pattern, if the `group_name` extracted field value is not empty, then the `relations.direction` UDM field is set to `UNIDIRECTIONAL`.
	`relations.entity.user.user_display_name`	If the `ObjectClass` log field value is equal to `computer`, then if the `ManagedBy` log field value is not empty, then `user_name` is extracted from the `ManagedBy` log field using a Grok pattern and mapped to the `relations.entity.user.user_display_name` UDM field.
`proxyAddresses`	`entity.user.group_identifiers`	If the `ObjectClass` log field value is equal to `user` or is empty, then for index in `proxyAddresses` the `index` is mapped to `entity.user.group_identifiers` UDM field.
	`entity.user.attribute.labels[Bad Password Count]`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `badPwdCount` log field value is not empty, then the `entity.user.attribute.labels.key` UDM field is set to `Bad Password Count` and the `badPwdCount` log field is mapped to the `entity.user.attribute.labels.value` UDM field.
`LastBadPasswordAttempt`	`entity.user.last_bad_password_attempt_time`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `LastBadPasswordAttempt` log field value is not empty, then `last_bad_password_attempt` is extracted from the `LastBadPasswordAttempt` log field using a Grok pattern and mapped to the `entity.user.last_bad_password_attempt_time` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then `last_bad_password_attempt` is extracted from the `LastBadPasswordAttempt` log field using a Grok pattern and mapped to the `entity.user.last_bad_password_attempt_time` UDM field.
`AccountExpirationDate`	`entity.user.account_expiration_time`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `AccountExpirationDate` log field value is not empty, then `account_expiration_date` is extracted from the `AccountExpirationDate` log field using a Grok pattern and mapped to the `entity.user.account_expiration_time` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `AccountExpirationDate` log field value is not empty, then `account_expiration_date` is extracted from the `AccountExpirationDate` log field using a Grok pattern and mapped to the `entity.user.account_expiration_time` UDM field.
`PasswordLastSet`	`entity.user.last_password_change_time`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `PasswordLastSet` log field value is not empty, then `password_last_set` is extracted from the `PasswordLastSet` log field using a Grok pattern and mapped to the `entity.user.last_password_change_time` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `PasswordLastSet` log field value is not empty, then `password_last_set` is extracted from the `PasswordLastSet` log field using a Grok pattern and mapped to the `entity.user.last_password_change_time` UDM field.
`PasswordNotRequired`	`entity.user.attribute.labels[Password Not Required]`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `PasswordNotRequired` log field value is not empty, then the `PasswordNotRequired` log field is mapped to the `entity.user.attribute.labels.value` UDM field. If the `ObjectClass` log field value is equal to `computer`, then if the `PasswordNotRequired` log field value is not empty, then the `PasswordNotRequired` log field is mapped to the `entity.asset.attribute.labels.value` UDM field.
`ServicePrincipalNames`	`entity.user.attribute.labels[Service Principal Names]`	If the `ObjectClass` log field value is equal to `user` or is empty, then if `ServicePrincipalNames` log field value is not empty, then for index in `ServicePrincipalNames` the `index` is mapped to the `entity.user.attribute.labels.value` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if `ServicePrincipalNames` log field value is not empty, then for index in `ServicePrincipalNames`, if `index` is equal to 0, then the `index` is mapped to the `entity.user.attribute.labels.value` UDM field.
`AccountLockoutTime`	`entity.user.account_lockout_time`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `AccountLockoutTime` log field value is not empty, then `account_lockout_time` is extracted from the `AccountLockoutTime` log field using a Grok pattern and mapped to the `entity.user.account_lockout_time` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `AccountLockoutTime` log field value is not empty, then `account_lockout_time` is extracted from the `AccountLockoutTime` log field using a Grok pattern and mapped to the `entity.user.account_lockout_time` UDM field.
`whenChanged`	`entity.asset.attribute.last_update_time`	If the `ObjectClass` log field value is equal to `computer`, then `when_changed` is extracted from the `whenChanged` log field using a Grok pattern, if `whenChanged` is not empty, then `when_changed` is mapped to the `entity.asset.attribute.last_update_time` UDM field. Else, `timestamp` and `timezone` is extracted from `whenChanged` log field using a Grok pattern and `tz_left` and `tz_right` is extracted from the `timezone` using a Grok pattern and `timestamp tz_left tz_right` is mapped to `entity.asset.attribute.creation_time` UDM field.
`DNSHostName`	`entity.asset.hostname`	If the `ObjectClass` log field value is equal to `computer`, then if the `DNSHostName` log field value is not empty, then the `DNSHostName` log field is mapped to the `entity.asset.hostname` UDM field.
`countryCode`	`entity.asset.location.country_or_region`	If the `ObjectClass` log field value is equal to `computer`, then if the `countryCode` log field value is not empty, then the `countryCode` log field is mapped to the `entity.asset.location.country_or_region` UDM field.
	`entity.asset.platform_software.platform`	If the `ObjectClass` log field value is equal to `computer`, then if the `OperatingSystem` log field value is not empty, then if the `OperatingSystem` log field value matches the regular expression pattern `(?i)windows`, then the `entity.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `OperatingSystem` log field value matches the regular expression pattern `(?i)mac` or the `OperatingSystem` log field value matches the regular expression pattern `(?i)osx`, then the `entity.asset.platform_software.platform` UDM field is set to `MAC`. Else, if the `OperatingSystem` log field value matches the regular expression pattern `(?i)linux`, then the `entity.asset.platform_software.platform` UDM field is set to `LINUX`.
`OperatingSystemVersion`	`entity.asset.platform_software.platform_version`	If the `ObjectClass` log field value is equal to `computer`, then if the `OperatingSystem` log field value is not empty, then if the `OperatingSystemVersion` log field value is not empty, then `OperatingSystem - OperatingSystemVersion` is mapped to the `entity.asset.platform_software.platform_version` UDM field. Else if the `OperatingSystemVersion` log field value is not empty, then the `OperatingSystemVersion` log field is mapped to the `entity.asset.platform_software.platform_version` UDM field.
`OperatingSystemServicePack`	`entity.asset.platform_software.platform_patch_level`	If the `ObjectClass` log field value is equal to `computer`, then if the `OperatingSystemServicePack` log field value is not empty, then the `OperatingSystemServicePack` log field is mapped to the `entity.asset.platform_software.platform_patch_level` UDM field.
`IPv4Address`	`entity.asset.ip`	If the `ObjectClass` log field value is equal to `computer`, then if the `IPv4Address` log field value is not empty, then the `IPv4Address` log field is mapped to the `entity.asset.ip` UDM field.
`IPv6Address`	`entity.asset.ip`	If the `ObjectClass` log field value is equal to `computer`, then if the `IPv6Address` log field value is not empty, then the `IPv6Address` log field is mapped to the `entity.asset.ip` UDM field.
`Location`	`entity.asset.location.name`	If the `ObjectClass` log field value is equal to `computer`, then if the `Location` log field value is not empty, then the `Location` log field is mapped to the `entity.asset.location.name` UDM field.
`ObjectCategory`	`entity.asset.category`	If the `ObjectClass` log field value is equal to `computer`, then if the `ObjectCategory` log field value is not empty, then `object_category` is extracted from the `ObjectCategory` log field using a Grok pattern, and mapped to the `entity.asset.category` UDM field.
`PasswordExpired`	`entity.asset.attribute.labels[Password Expired]`	If the `ObjectClass` log field value is equal to `computer`, then if the `PasswordExpired` log field value is not empty, then the `PasswordExpired` log field is mapped to the `entity.asset.attribute.labels.value` UDM field. If the `ObjectClass` log field value is equal to `user` or is empty, then if the `PasswordExpired` log field value is not empty, then the `PasswordExpired` log field is mapped to the `entity.user.attribute.labels.value` UDM field.
`PasswordNeverExpires`	`entity.asset.attribute.labels[Password Never Expires]`	If the `ObjectClass` log field value is equal to `computer`, then if the `PasswordNeverExpires` log field value is not empty, then the `PasswordNeverExpires` log field is mapped to the `entity.asset.attribute.labels.value` UDM field. If the `ObjectClass` log field value is equal to `user` or is empty, then if the `PasswordNeverExpires` log field value is not empty, then the `PasswordNeverExpires` log field is mapped to the `entity.user.attribute.labels.value` UDM field.
	`entity.user.attribute.labels[Last Logon]`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `lastLogon` log field value is not equal to `0`, then the `entity.user.attribute.labels.key` UDM field is set to `Last Logon` and the `lastLogon` log field is mapped to the `entity.user.attribute.labels.value` UDM field. If the `ObjectClass` log field value is equal to `computer`, then if the `lastLogon` log field value is not equal to `0`, then the `entity.asset.attribute.labels.key` UDM field is set to `Last Logon` and the `lastLogon` log field is mapped to the `entity.asset.attribute.labels.value` UDM field.
`lastLogoff`	`entity.asset.attribute.labels[Last Logoff]`	If the `ObjectClass` log field value is equal to `computer`, then if the `lastLogoff` log field value does not contain one of the following values, then the `lastLogoff` log field is mapped to the `entity.asset.attribute.labels.value` UDM field. `"0"` `0` .
`LastLogonDate`	`entity.user.last_login_time`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `LastLogonDate` log field value is not empty, then `last_logon_date` is extracted from the `LastLogonDate` log field using a Grok pattern, and mapped to the `entity.user.last_login_time` UDM field. Else if the `ObjectClass` log field value is equal to `computer`,then if the `LastLogonDate` log field value is not empty, then `last_logon_date` is extracted from the `LastLogonDate` log field using a Grok pattern, and mapped to the `entity.user.last_login_time` UDM field.
`HomePage`	`entity.url`	If the `HomePage` log field value is not empty, then the `HomePage` log field is mapped to the `entity.url` UDM field.
	`entity.administrative_domain`	If the `CanonicalName` log field value is not empty, then `domain_name` is extracted from the `CanonicalName` log field using a Grok pattern, and mapped to the `entity.administrative_domain` UDM field.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Microsoft`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Windows Active Directory`.
`Description`	`metadata.description`	The `Description` log field is mapped to the `metadata.description` UDM field.

Benötigen Sie weitere Hilfe? Antworten von Community-Mitgliedern und Google SecOps-Experten erhalten