Collecter des données Microsoft Windows AD
Ce document inclut les informations suivantes:
- Architecture de déploiement et étapes d'installation, ainsi que toute configuration requise qui produit des journaux compatibles avec l'analyseur Google Security Operations pour les événements Microsoft Windows Active Directory. Pour en savoir plus sur l'ingestion de données Google Security Operations, consultez Ingestion de données dans Google Security Operations.
- Informations sur la façon dont l'analyseur met en correspondance les champs du journal d'origine avec les champs du modèle de données unifié de Google Security Operations.
En fonction de votre architecture de déploiement, configurez l'agent BindPlane ou l'agent NXLog pour ingèrer les journaux Microsoft Windows Active Directory dans Google Security Operations. Nous vous recommandons d'utiliser l'agent BindPlane pour transférer les journaux d'Active Directory Windows vers Google Security Operations.
Les informations de ce document s'appliquent à l'analyseur avec le libellé d'ingestion WINDOWS_AD. Le libellé d'ingestion identifie l'analyseur qui normalise les données de journal brutes au format UDM structuré.
Avant de commencer
Avant de configurer l'agent BindPlane ou l'agent NXLog, effectuez les tâches suivantes:
- Configurez tous les systèmes pour qu'ils utilisent le fuseau horaire UTC.
- Configurer des serveurs Microsoft Windows AD
- Consultez les appareils et versions compatibles.
- Consultez les types de journaux compatibles.
Configurer les serveurs Microsoft Windows AD
Sur chaque serveur Microsoft Windows Active Directory, créez et configurez un script PowerShell pour enregistrer les données de journal dans un fichier de sortie. L'agent BindPlane ou NXLog lit le fichier de sortie.
# Set the location where the log file will be written $OUTPUT_FILENAME="<Path_of_the_output_file>" If (Test-Path -Path $OUTPUT_FILENAME) { Remove-Item -path $OUTPUT_FILENAME -ErrorAction SilentlyContinue} # USER_CONTEXT: Gets all Active Directory users and their properties. Get-ADUser -Filter * -properties samAccountName | % { Get-ADUser $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append } # ASSET_CONTEXT: Gets all Active Directory assets and their properties. Get-ADComputer -Filter * -properties samAccountName | % { Get-ADComputer $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }
Remplacez les éléments suivants :
- Remplacez la valeur de
$OUTPUT_FILENAME
par l'emplacement du fichier de sortie. - Stockez les données au format JSON.
- Définissez l'encodage sur UTF-8.
- Utilisez le paramètre
-Filter
plutôt que le paramètre-LDAPFilter
lorsque vous appelez les cmdletsGet-ADUser
etGet-ADComputer
.
- Remplacez la valeur de
Créez une tâche récurrente qui exécute le script pour extraire et écrire des données dans le fichier de sortie.
- Ouvrez l'application Planificateur de tâches.
- Cliquez sur Créer une tâche.
- Saisissez un nom et une description pour la tâche.
- Cochez la case Exécuter avec les droits d'accès les plus élevés pour vous assurer que toutes les données sont récupérées.
- Dans l'onglet Déclencheurs, définissez quand vous souhaitez répéter la tâche.
- Dans l'onglet Action, ajoutez une action et indiquez le chemin d'accès au fichier où le script est stocké.
Vérifier les versions et appareils compatibles
Microsoft Windows Server est disponible dans les éditions suivantes: Foundation, Essentials, Standard et Datacenter. Le schéma d'événements des journaux générés par chaque édition ne diffère pas.
L'analyseur Google Security Operations est compatible avec les journaux des versions de serveur Microsoft Windows suivantes:
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
L'analyseur Google Security Operations est compatible avec les journaux collectés par NXLog Community Edition ou Enterprise Edition.
Examiner les types de journaux compatibles
L'analyseur Google Security Operations analyse et normalise les données récupérées à partir du contexte utilisateur et du contexte de l'asset. Il est compatible avec les journaux générés en anglais, mais pas avec ceux générés dans d'autres langues.
Configurer l'agent BindPlane
Nous vous recommandons d'utiliser l'agent BindPlane pour transférer les journaux d'Active Directory Windows vers Google Security Operations.
Après l'installation, le service de l'agent BindPlane apparaît sous le nom de service observIQ
dans la liste des services Windows.
- Installez l'agent BindPlane sur chaque serveur Windows Active Directory. Pour en savoir plus sur l'installation de l'agent BindPlane, consultez les instructions d'installation de l'agent BindPlane.
Créez un fichier de configuration pour l'agent BindPlane avec le contenu suivant.
receivers: filelog: include: [ `FILE_PATH` ] operators: - type: json_parser start_at: beginning windowseventlog/activedirectoryservice: channel: Directory Service raw: true processors: batch: exporters: chronicle/activedirectory: endpoint: https://malachiteingestion-pa.googleapis.com creds: '{ "type": "service_account", "project_id": "malachite-projectname", "private_key_id": `PRIVATE_KEY_ID`, "private_key": `PRIVATE_KEY`, "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com", "client_id": `CLIENT_ID`, "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com", "universe_domain": "googleapis.com" }' log_type: 'WINDOWS_AD' override_log_type: false raw_log_field: body customer_id: `CUSTOMER_ID` service: pipelines: logs/ads: receivers: - filelog - windowseventlog/activedirectoryservice processors: [batch] exporters: [chronicle/activedirectory]
Remplacez les éléments suivants :
FILE_PATH
avec le chemin d'accès au fichier dans lequel la sortie du script PowerShell mentionné dans la section Configurer des serveurs AD Microsoft Windows a été stockée.PRIVATE_KEY_ID
,PRIVATE_KEY
SERVICSERVICE_ACCOUNT_NAME
,PROJECT_ID
,CLIENT_ID
etCUSTOMER_ID
avec les valeurs respectives du fichier JSON du compte de service que vous pouvez télécharger sur Google Cloud. Pour en savoir plus sur les clés de compte de service, consultez la page Créer et supprimer des clés de compte de service.
Pour démarrer le service d'agent observIQ, sélectionnez Services > Étendu > le service observIQ > démarrer.
Configurer NXLog
Le schéma suivant illustre une architecture dans laquelle des agents NXLog sont installés pour collecter et envoyer des événements Microsoft Windows à Google Security Operations. Comparez ces informations à votre environnement pour vous assurer que ces composants sont installés. Votre déploiement peut être différent de cette architecture et peut être plus complexe.
Si vous utilisez l'agent NXLog au lieu de l'agent BindPlane, vérifiez les points suivants:
- Un script PowerShell est créé et configuré sur chaque serveur Microsoft Windows qui exécute Active Directory pour collecter les données
USER_CONTEXT
etASSET_CONTEXT
. Pour en savoir plus, consultez Configurer des serveurs Microsoft Windows AD. - NXLog est installé sur chaque serveur Microsoft Windows AD pour envoyer des données au serveur Linux ou Microsoft Windows Server central.
- Le transfert Google Security Operations est installé sur le serveur Linux ou Microsoft Windows Server central pour transférer les données de journalisation vers Google Security Operations.
Configurer NXLog
- Installez l'agent NXLog sur chaque collecteur exécuté sur le serveur Windows Active Directory. Cette application transfère les journaux vers le serveur Microsoft Windows ou Linux central. Pour en savoir plus, consultez la documentation NXLog.
Créez un fichier de configuration pour chaque instance NXLog. Utilisez le module
im_file
de NXLog pour lire le fichier et analyser les lignes en champs. Utilisezom_tcp
pour transférer les données vers le serveur Microsoft Windows ou Linux central.Voici un exemple de configuration NXLog. Remplacez les valeurs
<hostname>
et<port>
par des informations sur le serveur Microsoft Windows ou Linux central de destination. Dans la section<Input in_adcontext>
et la propriétéFile
, ajoutez le chemin d'accès au fichier journal de sortie écrit par le script PowerShell. Définissez toujoursDirCheckInterval
etPollInterval
. Si ces valeurs ne sont pas définies, NXLog interroge les fichiers toutes les secondes.define ROOT C:\Program Files\nxlog define ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <hostname> define ADCONTEXT_OUTPUT_DESTINATION_PORT <port> Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Input in_adcontext> Module im_file File "<Path_of_the_output_file>" DirCheckInterval 3600 PollInterval 3600 </Input> <Output out_chronicle_adcontext> Module om_tcp Host %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS% Port %ADCONTEXT_OUTPUT_DESTINATION_PORT% </Output> <Route ad_context_to_chronicle> Path in_adcontext => out_chronicle_adcontext </Route>
Démarrez le service NXLog dans chaque système.
Configurer le redirecteur sur un serveur central
Pour en savoir plus sur l'installation et la configuration du redirecteur sous Linux, consultez Installer et configurer le redirecteur sous Linux. Pour en savoir plus sur l'installation et la configuration du forwarder sur Microsoft Windows, consultez Installer et configurer le forwarder sur Microsoft Windows.
- Configurez le système avec le fuseau horaire UTC.
- Installez le redirecteur Google Security Operations sur le serveur central Microsoft Windows ou Linux.
Configurez le transfert Google Security Operations pour envoyer des journaux à Google Security Operations. Voici un exemple de configuration de forwarder:
- syslog: common: enabled: true data_type: WINDOWS_AD batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60
Référence de mappage de champ: champs de journal de l'appareil vers les champs UDM
Cette section explique comment l'analyseur mappe les champs de journal d'origine aux champs du modèle de données unifié.
Référence de mappage de champ: WINDOWS_AD
Le tableau suivant répertorie les champs de journal du type de journal WINDOWS_AD
et les champs UDM correspondants.
Log field | UDM mapping | Logic |
---|---|---|
|
metadata.entity_type |
If the ObjectClass log field value is equal to user or is empty, then the metadata.entity_type UDM field is set to USER . Else, if the ObjectClass log field value is equal to computer , then the metadata.entity_type UDM field is set to ASSET . |
ObjectGuid |
entity.user.product_object_id |
If the ObjectClass log field value is equal to user or is empty, then if the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.user.product_object_id UDM field. Else, if the ObjectClass log field value is equal to computer , then if the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.asset.product_object_id UDM field. |
whenCreated |
metadata.creation_timestamp |
If the ObjectClass log field value is equal to user or is empty, then if the whenCreated log field value is not empty, then when_created is extracted from the whenCreated log field using a Grok pattern, and mapped to the entity.asset.attribute.creation_time UDM field. Else, if the ObjectClass log field value is equal to computer , then if the whenCreated log field value is not empty, then when_created is extracted from the whenCreated log field using a Grok pattern, and mapped to the metadata.creation_timestamp UDM field. Else, timestamp tz_left tz_right is extracted from the whenCreated log field using a Grok pattern, and mapped to the entity.asset.attribute.creation_time UDM field. |
DisplayName |
entity.user.user_display_name |
If the ObjectClass log field value is equal to user or is empty, then if the DisplayName log field value is not empty, then the DisplayName log field is mapped to the entity.user.user_display_name UDM field. |
GivenName |
entity.user.first_name |
If the ObjectClass log field value is equal to user or is empty, then if the GivenName log field value is not empty, then the GivenName log field is mapped to the entity.user.first_name UDM field. |
SamAccountName |
entity.user.userid |
If the ObjectClass log field value is equal to user or is empty, then if the SamAccountName log field value is not empty, then the SamAccountName log field is mapped to the entity.user.userid UDM field. If the ObjectClass log field value is equal to computer , then the SamAccountName log field is mapped to the entity.asset.asset_id UDM field. |
EmployeeID |
entity.user.employee_id |
If the EmployeeID log field value is not empty, then the EmployeeID log field is mapped to the entity.user.employee_id UDM field.Else the employeeID.0 log field is mapped to the entity.user.employee_id UDM field. |
Title |
entity.user.title |
If the Title log field value is not empty, then the Title log field is mapped to the entity.user.title UDM field. |
Surname |
entity.user.last_name |
If the ObjectClass log field value is equal to user or is empty, then if the Surname log field value is not empty, then if the sn log field is mapped to the entity.user.last_name UDM field. Else if Surname log field value is not empty, then the Surname log field is mapped to the entity.user.last_name UDM field. |
Company |
entity.user.company_name |
If the ObjectClass log field value is equal to user or is empty, then if the Company log field value is not empty, then the Company log field is mapped to the entity.user.company_name UDM field. |
City |
entity.user.personal_address.city |
If the ObjectClass log field value is equal to user or is empty, then if the City log field value is not empty, then the City log field is mapped to the entity.user.personal_address.city UDM field. |
Department |
entity.user.department |
If the ObjectClass log field value is equal to user or is empty, then if the Department log field value is not empty, then the Department log field is mapped to the entity.user.department UDM field. |
|
entity.user.email_addresses |
If the ObjectClass log field value is equal to user or is empty, then if the EmailAddress log field value is not empty, then the EmailAddress log field is mapped to the entity.user.email_addresses UDM field. Else, if the mail log field value is not empty, then the mail log field is mapped to the entity.user.email_addresses UDM field. |
HomePhone |
entity.user.phone_numbers |
If the ObjectClass log field value is equal to user or is empty, then if the HomePhone log field value is not empty, then the HomePhone log field is mapped to the entity.user.phone_numbers UDM field. Else if the telephoneNumber log field value is not empty, then the telephoneNumber log field is mapped to the entity.user.phone_numbers UDM field.
If the ObjectClass log field value is equal to user or is empty, then if the MobilePhone log field value is not empty, then the MobilePhone log field is mapped to the entity.user.phone_numbers UDM field. |
StreetAddress |
entity.user.personal_address.name |
If the ObjectClass log field value is equal to user or is empty, then if the StreetAddress log field value is not empty, then the StreetAddress log field is mapped to the entity.user.personal_address.name UDM field. |
State |
entity.user.personal_address.state |
If the ObjectClass log field value is equal to user or is empty, then if the State log field value is not empty, then the State log field is mapped to the entity.user.personal_address.state UDM field. |
Country |
entity.user.personal_address.country_or_region |
If the ObjectClass log field value is equal to user or is empty, then if the Country log field value is not empty, then the Country log field is mapped to the entity.user.personal_address.country_or_region UDM field. |
Office |
entity.user.office_address.name |
If the ObjectClass log field value is equal to user or is empty, then if the Office log field value is not empty, then the Office log field is mapped to the entity.user.office_address.name UDM field. |
HomeDirectory |
entity.file.full_path |
If the ObjectClass log field value is equal to user or is empty, then if the HomeDirectory log field value is not empty, then the HomeDirectory log field is mapped to the entity.file.full_path UDM field. |
|
entity.user.managers.user_display_name |
If the ObjectClass log field value is equal to user or is empty, then if the Manager log field value is not empty, then manager_name is extracted from the Manager log field using a Grok pattern, and mapped to the entity.user.managers.user_display_name UDM field. |
|
entity.user.windows_sid |
If the SID.Value log field value is not empty, then the SID.Value field is mapped to the entity.user.windows_sid UDM field.Else, if the objectSid log field value is not empty, then the objectSid field is mapped to the entity.user.windows_sid UDM field.If the ObjectClass log field value is equal to user or is empty, then if the Manager log field value is not empty, then if Manager matches the regular expression pattern (S-\d-(\d+-){1,14}\d+) , then the Manager log field is mapped to the entity.user.managers.windows_sid UDM field. Else, the Manager log field is mapped to the entity.user.managers.userid UDM field. |
|
relations.relationship |
If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for index in MemberOf , the relations.relationship UDM field is set to MEMBER . Else, if the ObjectClass log field value is equal to computer , then if the ManagedBy log field value is not empty, then the relations.relationship UDM field is set to ADMINISTERS .If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern, if the group_name extracted field value is not empty, then the relations.relationship UDM field is set to MEMBER . |
|
relations.entity.group.group_display_name |
If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for index in MemberOf , group_name is extracted from the index using a Grok pattern and mapped to the relations.entity.group.group_display_name UDM field. If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern and mapped to the relations.entity.group.group_display_name UDM field. |
|
relations.entity_type |
If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for index in MemberOf , the relations.entity_type UDM field is set to GROUP . Else, if the ObjectClass log field value is equal to computer , then if the ManagedBy log field value is not empty, then the relations.entity_type UDM field is set to ASSET .If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern, if the group_name extracted field value is not empty, then the relations.entity_type UDM field is set to GROUP . |
|
relations.direction |
If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for index in MemberOf , the relations.direction UDM field is set to UNIDIRECTIONAL . Else, if the ObjectClass log field value is equal to computer , then if the ManagedBy log field value is not empty, then the relations.direction UDM field is set to UNIDIRECTIONAL .If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern, if the group_name extracted field value is not empty, then the relations.direction UDM field is set to UNIDIRECTIONAL . |
|
relations.entity.user.user_display_name |
If the ObjectClass log field value is equal to computer , then if the ManagedBy log field value is not empty, then user_name is extracted from the ManagedBy log field using a Grok pattern and mapped to the relations.entity.user.user_display_name UDM field. |
proxyAddresses |
entity.user.group_identifiers |
If the ObjectClass log field value is equal to user or is empty, then for index in proxyAddresses the index is mapped to entity.user.group_identifiers UDM field. |
|
entity.user.attribute.labels[Bad Password Count] |
If the ObjectClass log field value is equal to user or is empty, then if the badPwdCount log field value is not empty, then the entity.user.attribute.labels.key UDM field is set to Bad Password Count and the badPwdCount log field is mapped to the entity.user.attribute.labels.value UDM field. |
LastBadPasswordAttempt |
entity.user.last_bad_password_attempt_time |
If the ObjectClass log field value is equal to user or is empty, then if the LastBadPasswordAttempt log field value is not empty, then last_bad_password_attempt is extracted from the LastBadPasswordAttempt log field using a Grok pattern and mapped to the entity.user.last_bad_password_attempt_time UDM field. Else, if the ObjectClass log field value is equal to computer , then last_bad_password_attempt is extracted from the LastBadPasswordAttempt log field using a Grok pattern and mapped to the entity.user.last_bad_password_attempt_time UDM field. |
AccountExpirationDate |
entity.user.account_expiration_time |
If the ObjectClass log field value is equal to user or is empty, then if the AccountExpirationDate log field value is not empty, then account_expiration_date is extracted from the AccountExpirationDate log field using a Grok pattern and mapped to the entity.user.account_expiration_time UDM field. Else, if the ObjectClass log field value is equal to computer , then if the AccountExpirationDate log field value is not empty, then account_expiration_date is extracted from the AccountExpirationDate log field using a Grok pattern and mapped to the entity.user.account_expiration_time UDM field. |
PasswordLastSet |
entity.user.last_password_change_time |
If the ObjectClass log field value is equal to user or is empty, then if the PasswordLastSet log field value is not empty, then password_last_set is extracted from the PasswordLastSet log field using a Grok pattern and mapped to the entity.user.last_password_change_time UDM field. Else, if the ObjectClass log field value is equal to computer , then if the PasswordLastSet log field value is not empty, then password_last_set is extracted from the PasswordLastSet log field using a Grok pattern and mapped to the entity.user.last_password_change_time UDM field. |
PasswordNotRequired |
entity.user.attribute.labels[Password Not Required] |
If the ObjectClass log field value is equal to user or is empty, then if the PasswordNotRequired log field value is not empty, then the PasswordNotRequired log field is mapped to the entity.user.attribute.labels.value UDM field. If the ObjectClass log field value is equal to computer , then if the PasswordNotRequired log field value is not empty, then the PasswordNotRequired log field is mapped to the entity.asset.attribute.labels.value UDM field. |
ServicePrincipalNames |
entity.user.attribute.labels[Service Principal Names] |
If the ObjectClass log field value is equal to user or is empty, then if ServicePrincipalNames log field value is not empty, then for index in ServicePrincipalNames the index is mapped to the entity.user.attribute.labels.value UDM field.Else, if the ObjectClass log field value is equal to computer , then if ServicePrincipalNames log field value is not empty, then for index in ServicePrincipalNames , if index is equal to 0, then the index is mapped to the entity.user.attribute.labels.value UDM field. |
AccountLockoutTime |
entity.user.account_lockout_time |
If the ObjectClass log field value is equal to user or is empty, then if the AccountLockoutTime log field value is not empty, then account_lockout_time is extracted from the AccountLockoutTime log field using a Grok pattern and mapped to the entity.user.account_lockout_time UDM field. Else, if the ObjectClass log field value is equal to computer , then if the AccountLockoutTime log field value is not empty, then account_lockout_time is extracted from the AccountLockoutTime log field using a Grok pattern and mapped to the entity.user.account_lockout_time UDM field. |
whenChanged |
entity.asset.attribute.last_update_time |
If the ObjectClass log field value is equal to computer , then when_changed is extracted from the whenChanged log field using a Grok pattern, if whenChanged is not empty, then when_changed is mapped to the entity.asset.attribute.last_update_time UDM field.Else, timestamp and timezone is extracted from whenChanged log field using a Grok pattern and tz_left and tz_right is extracted from the timezone using a Grok pattern and timestamp tz_left tz_right is mapped to entity.asset.attribute.creation_time UDM field. |
DNSHostName |
entity.asset.hostname |
If the ObjectClass log field value is equal to computer , then if the DNSHostName log field value is not empty, then the DNSHostName log field is mapped to the entity.asset.hostname UDM field. |
countryCode |
entity.asset.location.country_or_region |
If the ObjectClass log field value is equal to computer , then if the countryCode log field value is not empty, then the countryCode log field is mapped to the entity.asset.location.country_or_region UDM field. |
|
entity.asset.platform_software.platform |
If the ObjectClass log field value is equal to computer , then if the OperatingSystem log field value is not empty, then if the OperatingSystem log field value matches the regular expression pattern (?i)windows , then the entity.asset.platform_software.platform UDM field is set to WINDOWS .Else, if the OperatingSystem log field value matches the regular expression pattern (?i)mac or the OperatingSystem log field value matches the regular expression pattern (?i)osx , then the entity.asset.platform_software.platform UDM field is set to MAC .Else, if the OperatingSystem log field value matches the regular expression pattern (?i)linux , then the entity.asset.platform_software.platform UDM field is set to LINUX . |
OperatingSystemVersion |
entity.asset.platform_software.platform_version |
If the ObjectClass log field value is equal to computer , then if the OperatingSystem log field value is not empty, then if the OperatingSystemVersion log field value is not empty, then OperatingSystem - OperatingSystemVersion is mapped to the entity.asset.platform_software.platform_version UDM field.Else if the OperatingSystemVersion log field value is not empty, then the OperatingSystemVersion log field is mapped to the entity.asset.platform_software.platform_version UDM field. |
OperatingSystemServicePack |
entity.asset.platform_software.platform_patch_level |
If the ObjectClass log field value is equal to computer , then if the OperatingSystemServicePack log field value is not empty, then the OperatingSystemServicePack log field is mapped to the entity.asset.platform_software.platform_patch_level UDM field. |
IPv4Address |
entity.asset.ip |
If the ObjectClass log field value is equal to computer , then if the IPv4Address log field value is not empty, then the IPv4Address log field is mapped to the entity.asset.ip UDM field. |
IPv6Address |
entity.asset.ip |
If the ObjectClass log field value is equal to computer , then if the IPv6Address log field value is not empty, then the IPv6Address log field is mapped to the entity.asset.ip UDM field. |
Location |
entity.asset.location.name |
If the ObjectClass log field value is equal to computer , then if the Location log field value is not empty, then the Location log field is mapped to the entity.asset.location.name UDM field. |
ObjectCategory |
entity.asset.category |
If the ObjectClass log field value is equal to computer , then if the ObjectCategory log field value is not empty, then object_category is extracted from the ObjectCategory log field using a Grok pattern, and mapped to the entity.asset.category UDM field. |
PasswordExpired |
entity.asset.attribute.labels[Password Expired] |
If the ObjectClass log field value is equal to computer , then if the PasswordExpired log field value is not empty, then the PasswordExpired log field is mapped to the entity.asset.attribute.labels.value UDM field.If the ObjectClass log field value is equal to user or is empty, then if the PasswordExpired log field value is not empty, then the PasswordExpired log field is mapped to the entity.user.attribute.labels.value UDM field. |
PasswordNeverExpires |
entity.asset.attribute.labels[Password Never Expires] |
If the ObjectClass log field value is equal to computer , then if the PasswordNeverExpires log field value is not empty, then the PasswordNeverExpires log field is mapped to the entity.asset.attribute.labels.value UDM field.If the ObjectClass log field value is equal to user or is empty, then if the PasswordNeverExpires log field value is not empty, then the PasswordNeverExpires log field is mapped to the entity.user.attribute.labels.value UDM field. |
|
entity.user.attribute.labels[Last Logon] |
If the ObjectClass log field value is equal to user or is empty, then if the lastLogon log field value is not equal to 0 , then the entity.user.attribute.labels.key UDM field is set to Last Logon and the lastLogon log field is mapped to the entity.user.attribute.labels.value UDM field. If the ObjectClass log field value is equal to computer , then if the lastLogon log field value is not equal to 0 , then the entity.asset.attribute.labels.key UDM field is set to Last Logon and the lastLogon log field is mapped to the entity.asset.attribute.labels.value UDM field. |
lastLogoff |
entity.asset.attribute.labels[Last Logoff] |
If the ObjectClass log field value is equal to computer , then if the lastLogoff log field value does not contain one of the following values, then the lastLogoff log field is mapped to the entity.asset.attribute.labels.value UDM field.
|
LastLogonDate |
entity.user.last_login_time |
If the ObjectClass log field value is equal to user or is empty, then if the LastLogonDate log field value is not empty, then last_logon_date is extracted from the LastLogonDate log field using a Grok pattern, and mapped to the entity.user.last_login_time UDM field.Else if the ObjectClass log field value is equal to computer ,then if the LastLogonDate log field value is not empty, then last_logon_date is extracted from the LastLogonDate log field using a Grok pattern, and mapped to the entity.user.last_login_time UDM field. |
HomePage |
entity.url |
If the HomePage log field value is not empty, then the HomePage log field is mapped to the entity.url UDM field. |
|
entity.administrative_domain |
If the CanonicalName log field value is not empty, then domain_name is extracted from the CanonicalName log field using a Grok pattern, and mapped to the entity.administrative_domain UDM field. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Microsoft . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Windows Active Directory . |
Description |
metadata.description |
The Description log field is mapped to the metadata.description UDM field. |
Vous avez encore besoin d'aide ? Obtenez des réponses de membres de la communauté et de professionnels Google SecOps.