Collect Microsoft Windows AD data


This document includes the following information:

  • Deployment architecture and installation steps, plus any configuration required to produce logs supported by the Google Security Operations parser for Microsoft Windows Active Directory events. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations.
  • Information about how the parser maps fields in the original log to Google Security Operations Unified Data Model fields.

Depending on your deployment architecture, configure the Bindplane agent or NXLog to forward Microsoft Windows Active Directory logs to Google Security Operations. We recommend using the Bindplane agent to forward Windows Active Directory logs to Google Security Operations.

The information in this document applies to the parser with the WINDOWS_AD ingestion label. The ingestion label identifies which parser normalizes raw log data into the structured UDM format.

Before you begin

Before configuring the Bindplane agent or the NXLog agent, complete the following tasks:

Configure Microsoft Windows AD servers

  1. On each Microsoft Windows Active Directory server, create and configure a PowerShell script that saves the log data to an output file. The Bindplane agent or NXLog agent reads the output file.

    # Set the location where the log file will be written
    $OUTPUT_FILENAME="<Path_of_the_output_file>"
    
    If (Test-Path -Path $OUTPUT_FILENAME) { Remove-Item -path $OUTPUT_FILENAME -ErrorAction SilentlyContinue}
    
    # USER_CONTEXT: Gets all Active Directory users and their properties.
    Get-ADUser -Filter * -properties samAccountName | % { Get-ADUser $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }
    
    # ASSET_CONTEXT: Gets all Active Directory assets and their properties.
    Get-ADComputer -Filter * -properties samAccountName | % { Get-ADComputer $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }
    
  2. Replace the following:

    • Replace the value of $OUTPUT_FILENAME with the location of the output file.
    • Store the data in JSON format.
    • Set the encoding to UTF-8.
    • Use the -Filter parameter instead of -LDAPFilter when calling the Get-ADUser and Get-ADComputer cmdlets.
  3. Create a recurring task that runs the script to fetch the data and write it to the output file.

    1. Open the Task Scheduler application.
    2. Click Create Task.
    3. Enter a name and a description for the task.
    4. Select the Run with highest privileges checkbox so that all data is retrieved.
    5. On the Triggers tab, define when you want the task to repeat.
    6. On the Actions tab, add a new action and enter the path of the file where the script is stored.
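The same recurring task can be registered from PowerShell instead of the Task Scheduler UI, which makes the setting reproducible across domain controllers. This is an added example, not part of the original page; the script path, task name, service account, 12-hour interval and output file path are assumed placeholders, and the Test-AdContextExport helper is an addition that checks the export against the parser's expectation that every line is one JSON object whose ObjectClass is user, computer or empty.

```powershell
# Added example, not from the original page. Registers the recurring task from
# step 3 with the Task Scheduler cmdlets instead of the UI. All values below are
# assumptions: adjust the script path, task name, account and interval.
$ScriptPath = 'C:\Scripts\Export-ADContext.ps1'    # assumed: where the step-1 script is saved
$TaskName   = 'Export AD context for Google SecOps' # assumed task name

# Equivalent of the Actions tab: run the step-1 script non-interactively.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Equivalent of the Triggers tab: start at midnight today and repeat every 12 hours.
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
    -RepetitionInterval (New-TimeSpan -Hours 12)

# Stop a hung export after two hours so the next run is not blocked.
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Hours 2)

# Equivalent of "Run with highest privileges": a dedicated domain account plus
# -RunLevel Highest. The password is prompted for, not written into the script.
$Credential    = Get-Credential -Message 'Account that runs the AD export task' `
    -UserName 'DOMAIN\svc-adexport'                  # assumed service account
$PlainPassword = $Credential.GetNetworkCredential().Password

Register-ScheduledTask -TaskName $TaskName `
    -Description 'Writes AD user and computer context as JSON lines' `
    -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $Credential.UserName -Password $PlainPassword `
    -RunLevel Highest -Force | Out-Null

# Check after the first run: each line of the output file must be a single JSON
# object with an ObjectClass of user or computer (empty counts as user, as in the
# parser's metadata.entity_type logic); anything else will not be classified.
function Test-AdContextExport {
    param([Parameter(Mandatory)][string]$Path)
    $counts = @{ user = 0; computer = 0; invalid = 0 }
    foreach ($line in Get-Content -LiteralPath $Path -Encoding UTF8) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        try {
            $obj   = $line | ConvertFrom-Json
            $class = if ($obj.ObjectClass) { $obj.ObjectClass } else { 'user' }
            if ($counts.ContainsKey($class)) { $counts[$class]++ } else { $counts.invalid++ }
        } catch {
            $counts.invalid++
        }
    }
    [pscustomobject]$counts
}

Start-ScheduledTask -TaskName $TaskName
# Once Get-ScheduledTaskInfo -TaskName $TaskName reports the run finished:
# Test-AdContextExport -Path 'C:\Logs\adcontext.json'   # assumed output file path
```

A non-zero invalid count usually means the script was run with a different encoding or the output file was not removed before the append loop started.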

Review supported devices and versions

Microsoft Windows Server is released in the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of the logs generated by each edition is the same.

The Google Security Operations parser supports logs from the following Microsoft Windows Server versions:

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012

The Google Security Operations parser supports logs collected by NXLog Community Edition or Enterprise Edition.

Review supported log types

The Google Security Operations parser parses and normalizes the data extracted from User Context and Asset Context. It supports logs generated in English, but not in other languages.

Configure the Bindplane agent

We recommend that you use the Bindplane agent to forward Windows Active Directory logs to Google Security Operations.

After installation, the Bindplane agent service appears as the observIQ service in the list of Windows services.

  1. Install the Bindplane agent on each Windows Active Directory server. For more information about installing the Bindplane agent, see the Bindplane agent installation instructions.
  2. Create a configuration file for the Bindplane agent with the following content:

    receivers:
      filelog:
        include: [ `FILE_PATH` ]
        operators:
          - type: json_parser
        start_at: beginning
      windowseventlog/activedirectoryservice:
        channel: Directory Service
        raw: true
    processors:
      batch:
    
    exporters:
      chronicle/activedirectory:
        endpoint: https://malachiteingestion-pa.googleapis.com
        creds: '{
        "type": "service_account",
        "project_id": "malachite-projectname",
        "private_key_id": `PRIVATE_KEY_ID`,
        "private_key": `PRIVATE_KEY`,
        "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com",
        "client_id": `CLIENT_ID`,
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com",
        "universe_domain": "googleapis.com"
        }'
        log_type: 'WINDOWS_AD'
        override_log_type: false
        raw_log_field: body
        customer_id: `CUSTOMER_ID`
    
    service:
      pipelines:
        logs/ads:
          receivers:
            - filelog
            - windowseventlog/activedirectoryservice
          processors: [batch]
          exporters: [chronicle/activedirectory]
    
  3. Replace the following:

    • FILE_PATH with the path of the file where the output of the PowerShell script described in Configure Microsoft Windows AD servers is stored.

    • PRIVATE_KEY_ID, PRIVATE_KEY, SERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID, and CUSTOMER_ID with the respective values from the service account JSON file, which can be downloaded from Google Cloud. For more information about service account keys, see Create and delete service account keys.

  4. To start the Bindplane agent service (formerly known as observIQ), select Services > Extended > observIQ service > Start.

Configure the NXLog agent

The following diagram shows an architecture in which NXLog agents are installed to collect Microsoft Windows events and send them to Google Security Operations. Compare this information with your environment to make sure these components are installed. Your deployment might differ from this architecture and be more complex.

Figure: NXLog forwarder ingestion.

If you use the NXLog agent instead of the Bindplane agent, verify the following:

  • A PowerShell script is created and configured on each Microsoft Windows Server running Active Directory to collect USER_CONTEXT and ASSET_CONTEXT data. For more information, see Configure Microsoft Windows AD servers.
  • NXLog is installed on each Microsoft Windows AD server to send data to the central Microsoft Windows Server or Linux server.
  • The Google Security Operations forwarder is installed on the central Microsoft Windows or Linux server to forward log data to Google Security Operations.

Configure NXLog

  1. Install the NXLog agent on each collector running on the Windows Active Directory server. This application forwards logs to the central Microsoft Windows or Linux server. For more information, see the NXLog documentation.
  2. Create a configuration file for each NXLog instance. Use the NXLog im_file module to read the file and parse its lines into fields. Use om_tcp to forward the data to the central Microsoft Windows or Linux server.

    The following is an example NXLog configuration. Replace the <hostname> and <port> values with the details of the target central Microsoft Windows or Linux server. In the <Input in_adcontext> section, set the File property to the path of the output log file written by the PowerShell script. Always set DirCheckInterval and PollInterval; if they are not set, NXLog checks the files every 1 second.

    define ROOT C:\Program Files\nxlog
    define ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <hostname>
    define ADCONTEXT_OUTPUT_DESTINATION_PORT <port>
    
    Moduledir   %ROOT%\modules
    CacheDir    %ROOT%\data
    Pidfile     %ROOT%\data\nxlog.pid
    SpoolDir    %ROOT%\data
    LogFile     %ROOT%\data\nxlog.log
    
    <Input in_adcontext>
        Module im_file
        File "<Path_of_the_output_file>"
        DirCheckInterval 3600
        PollInterval 3600
    </Input>
    
    <Output out_chronicle_adcontext>
        Module  om_tcp
        Host    %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS%
        Port    %ADCONTEXT_OUTPUT_DESTINATION_PORT%
    </Output>
    
    <Route ad_context_to_chronicle>
        Path in_adcontext => out_chronicle_adcontext
    </Route>
    
  3. Start the NXLog service on each system.

Configure the forwarder on a central server

For information about how to install and configure the forwarder on Linux, see Install and configure the forwarder on Linux. For information about how to install and configure the forwarder on Microsoft Windows, see Install and configure the forwarder on Microsoft Windows.

  1. Configure the system with the UTC time zone.
  2. Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server.
  3. Configure the Google Security Operations forwarder to send logs to Google Security Operations. The following is an example forwarder configuration:

      - syslog:
          common:
            enabled: true
            data_type: WINDOWS_AD
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
    

Field mapping reference: device log fields to UDM fields

This section describes how the parser maps original log fields to Unified Data Model fields.

Field mapping reference: WINDOWS_AD

The following table lists the WINDOWS_AD log fields and their corresponding UDM fields. Each entry gives the log field, an arrow to the UDM field, and the mapping logic; "(none)" means the table lists no single source log field for that UDM field, and the logic names the fields that are used instead.

(none) -> metadata.entity_type
    If the ObjectClass log field value is equal to user or is empty, then the metadata.entity_type UDM field is set to USER.
    Else, if the ObjectClass log field value is equal to computer, then the metadata.entity_type UDM field is set to ASSET.

ObjectGuid -> entity.user.product_object_id
    If the ObjectClass log field value is equal to user or is empty, then if the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.user.product_object_id UDM field.
    Else, if the ObjectClass log field value is equal to computer, then if the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.asset.product_object_id UDM field.

whenCreated -> metadata.creation_timestamp
    If the ObjectClass log field value is equal to user or is empty, then if the whenCreated log field value is not empty, then when_created is extracted from the whenCreated log field using a Grok pattern, and mapped to the entity.asset.attribute.creation_time UDM field.
    Else, if the ObjectClass log field value is equal to computer, then if the whenCreated log field value is not empty, then when_created is extracted from the whenCreated log field using a Grok pattern, and mapped to the metadata.creation_timestamp UDM field. Else, timestamp, tz_left and tz_right are extracted from the whenCreated log field using a Grok pattern, and timestamp tz_left tz_right is mapped to the entity.asset.attribute.creation_time UDM field.

DisplayName -> entity.user.user_display_name
    If the ObjectClass log field value is equal to user or is empty, then if the DisplayName log field value is not empty, then the DisplayName log field is mapped to the entity.user.user_display_name UDM field.

GivenName -> entity.user.first_name
    If the ObjectClass log field value is equal to user or is empty, then if the GivenName log field value is not empty, then the GivenName log field is mapped to the entity.user.first_name UDM field.

SamAccountName -> entity.user.userid
    If the ObjectClass log field value is equal to user or is empty, then if the SamAccountName log field value is not empty, then the SamAccountName log field is mapped to the entity.user.userid UDM field.
    If the ObjectClass log field value is equal to computer, then the SamAccountName log field is mapped to the entity.asset.asset_id UDM field.

EmployeeID -> entity.user.employee_id
    If the EmployeeID log field value is not empty, then the EmployeeID log field is mapped to the entity.user.employee_id UDM field.
    Else, the employeeID.0 log field is mapped to the entity.user.employee_id UDM field.

Title -> entity.user.title
    If the Title log field value is not empty, then the Title log field is mapped to the entity.user.title UDM field.

Surname -> entity.user.last_name
    If the ObjectClass log field value is equal to user or is empty, then if the sn log field value is not empty, then the sn log field is mapped to the entity.user.last_name UDM field.
    Else, if the Surname log field value is not empty, then the Surname log field is mapped to the entity.user.last_name UDM field.

Company -> entity.user.company_name
    If the ObjectClass log field value is equal to user or is empty, then if the Company log field value is not empty, then the Company log field is mapped to the entity.user.company_name UDM field.

City -> entity.user.personal_address.city
    If the ObjectClass log field value is equal to user or is empty, then if the City log field value is not empty, then the City log field is mapped to the entity.user.personal_address.city UDM field.

Department -> entity.user.department
    If the ObjectClass log field value is equal to user or is empty, then if the Department log field value is not empty, then the Department log field is mapped to the entity.user.department UDM field.

(none) -> entity.user.email_addresses
    If the ObjectClass log field value is equal to user or is empty, then if the EmailAddress log field value is not empty, then the EmailAddress log field is mapped to the entity.user.email_addresses UDM field.
    Else, if the mail log field value is not empty, then the mail log field is mapped to the entity.user.email_addresses UDM field.

HomePhone -> entity.user.phone_numbers
    If the ObjectClass log field value is equal to user or is empty, then if the HomePhone log field value is not empty, then the HomePhone log field is mapped to the entity.user.phone_numbers UDM field.
    Else, if the telephoneNumber log field value is not empty, then the telephoneNumber log field is mapped to the entity.user.phone_numbers UDM field.
    If the ObjectClass log field value is equal to user or is empty, then if the MobilePhone log field value is not empty, then the MobilePhone log field is mapped to the entity.user.phone_numbers UDM field.

StreetAddress -> entity.user.personal_address.name
    If the ObjectClass log field value is equal to user or is empty, then if the StreetAddress log field value is not empty, then the StreetAddress log field is mapped to the entity.user.personal_address.name UDM field.

State -> entity.user.personal_address.state
    If the ObjectClass log field value is equal to user or is empty, then if the State log field value is not empty, then the State log field is mapped to the entity.user.personal_address.state UDM field.

Country -> entity.user.personal_address.country_or_region
    If the ObjectClass log field value is equal to user or is empty, then if the Country log field value is not empty, then the Country log field is mapped to the entity.user.personal_address.country_or_region UDM field.

Office -> entity.user.office_address.name
    If the ObjectClass log field value is equal to user or is empty, then if the Office log field value is not empty, then the Office log field is mapped to the entity.user.office_address.name UDM field.

HomeDirectory -> entity.file.full_path
    If the ObjectClass log field value is equal to user or is empty, then if the HomeDirectory log field value is not empty, then the HomeDirectory log field is mapped to the entity.file.full_path UDM field.

(none) -> entity.user.managers.user_display_name
    If the ObjectClass log field value is equal to user or is empty, then if the Manager log field value is not empty, then manager_name is extracted from the Manager log field using a Grok pattern, and mapped to the entity.user.managers.user_display_name UDM field.

(none) -> entity.user.windows_sid
    If the SID.Value log field value is not empty, then the SID.Value field is mapped to the entity.user.windows_sid UDM field.
    Else, if the objectSid log field value is not empty, then the objectSid field is mapped to the entity.user.windows_sid UDM field.
    If the ObjectClass log field value is equal to user or is empty, then if the Manager log field value is not empty, then if Manager matches the regular expression pattern (S-\d-(\d+-){1,14}\d+), then the Manager log field is mapped to the entity.user.managers.windows_sid UDM field. Else, the Manager log field is mapped to the entity.user.managers.userid UDM field.

(none) -> relations.relationship
    If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for each index in MemberOf, the relations.relationship UDM field is set to MEMBER.
    Else, if the ObjectClass log field value is equal to computer, then if the ManagedBy log field value is not empty, then the relations.relationship UDM field is set to ADMINISTERS.
    If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern; if the extracted group_name value is not empty, then the relations.relationship UDM field is set to MEMBER.

(none) -> relations.entity.group.group_display_name
    If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for each index in MemberOf, group_name is extracted from the index using a Grok pattern and mapped to the relations.entity.group.group_display_name UDM field. If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern and mapped to the relations.entity.group.group_display_name UDM field.

(none) -> relations.entity_type
    If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for each index in MemberOf, the relations.entity_type UDM field is set to GROUP.
    Else, if the ObjectClass log field value is equal to computer, then if the ManagedBy log field value is not empty, then the relations.entity_type UDM field is set to ASSET.
    If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern; if the extracted group_name value is not empty, then the relations.entity_type UDM field is set to GROUP.

(none) -> relations.direction
    If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for each index in MemberOf, the relations.direction UDM field is set to UNIDIRECTIONAL.
    Else, if the ObjectClass log field value is equal to computer, then if the ManagedBy log field value is not empty, then the relations.direction UDM field is set to UNIDIRECTIONAL.
    If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern; if the extracted group_name value is not empty, then the relations.direction UDM field is set to UNIDIRECTIONAL.

(none) -> relations.entity.user.user_display_name
    If the ObjectClass log field value is equal to computer, then if the ManagedBy log field value is not empty, then user_name is extracted from the ManagedBy log field using a Grok pattern and mapped to the relations.entity.user.user_display_name UDM field.

proxyAddresses -> entity.user.group_identifiers
    If the ObjectClass log field value is equal to user or is empty, then for each index in proxyAddresses, the index is mapped to the entity.user.group_identifiers UDM field.

(none) -> entity.user.attribute.labels[Bad Password Count]
    If the ObjectClass log field value is equal to user or is empty, then if the badPwdCount log field value is not empty, then the entity.user.attribute.labels.key UDM field is set to Bad Password Count and the badPwdCount log field is mapped to the entity.user.attribute.labels.value UDM field.

LastBadPasswordAttempt -> entity.user.last_bad_password_attempt_time
    If the ObjectClass log field value is equal to user or is empty, then if the LastBadPasswordAttempt log field value is not empty, then last_bad_password_attempt is extracted from the LastBadPasswordAttempt log field using a Grok pattern and mapped to the entity.user.last_bad_password_attempt_time UDM field.
    Else, if the ObjectClass log field value is equal to computer, then last_bad_password_attempt is extracted from the LastBadPasswordAttempt log field using a Grok pattern and mapped to the entity.user.last_bad_password_attempt_time UDM field.

AccountExpirationDate -> entity.user.account_expiration_time
    If the ObjectClass log field value is equal to user or is empty, then if the AccountExpirationDate log field value is not empty, then account_expiration_date is extracted from the AccountExpirationDate log field using a Grok pattern and mapped to the entity.user.account_expiration_time UDM field.
    Else, if the ObjectClass log field value is equal to computer, then if the AccountExpirationDate log field value is not empty, then account_expiration_date is extracted from the AccountExpirationDate log field using a Grok pattern and mapped to the entity.user.account_expiration_time UDM field.

PasswordLastSet -> entity.user.last_password_change_time
    If the ObjectClass log field value is equal to user or is empty, then if the PasswordLastSet log field value is not empty, then password_last_set is extracted from the PasswordLastSet log field using a Grok pattern and mapped to the entity.user.last_password_change_time UDM field.
    Else, if the ObjectClass log field value is equal to computer, then if the PasswordLastSet log field value is not empty, then password_last_set is extracted from the PasswordLastSet log field using a Grok pattern and mapped to the entity.user.last_password_change_time UDM field.

PasswordNotRequired -> entity.user.attribute.labels[Password Not Required]
    If the ObjectClass log field value is equal to user or is empty, then if the PasswordNotRequired log field value is not empty, then the PasswordNotRequired log field is mapped to the entity.user.attribute.labels.value UDM field.
    If the ObjectClass log field value is equal to computer, then if the PasswordNotRequired log field value is not empty, then the PasswordNotRequired log field is mapped to the entity.asset.attribute.labels.value UDM field.

ServicePrincipalNames -> entity.user.attribute.labels[Service Principal Names]
    If the ObjectClass log field value is equal to user or is empty, then if the ServicePrincipalNames log field value is not empty, then for each index in ServicePrincipalNames, the index is mapped to the entity.user.attribute.labels.value UDM field.
    Else, if the ObjectClass log field value is equal to computer, then if the ServicePrincipalNames log field value is not empty, then for each index in ServicePrincipalNames, if index is equal to 0, then the index is mapped to the entity.user.attribute.labels.value UDM field.

AccountLockoutTime -> entity.user.account_lockout_time
    If the ObjectClass log field value is equal to user or is empty, then if the AccountLockoutTime log field value is not empty, then account_lockout_time is extracted from the AccountLockoutTime log field using a Grok pattern and mapped to the entity.user.account_lockout_time UDM field.
    Else, if the ObjectClass log field value is equal to computer, then if the AccountLockoutTime log field value is not empty, then account_lockout_time is extracted from the AccountLockoutTime log field using a Grok pattern and mapped to the entity.user.account_lockout_time UDM field.

whenChanged -> entity.asset.attribute.last_update_time
    If the ObjectClass log field value is equal to computer, then when_changed is extracted from the whenChanged log field using a Grok pattern; if whenChanged is not empty, then when_changed is mapped to the entity.asset.attribute.last_update_time UDM field.
    Else, timestamp and timezone are extracted from the whenChanged log field using a Grok pattern, tz_left and tz_right are extracted from timezone using a Grok pattern, and timestamp tz_left tz_right is mapped to the entity.asset.attribute.creation_time UDM field.

DNSHostName -> entity.asset.hostname
    If the ObjectClass log field value is equal to computer, then if the DNSHostName log field value is not empty, then the DNSHostName log field is mapped to the entity.asset.hostname UDM field.

countryCode -> entity.asset.location.country_or_region
    If the ObjectClass log field value is equal to computer, then if the countryCode log field value is not empty, then the countryCode log field is mapped to the entity.asset.location.country_or_region UDM field.

(none) -> entity.asset.platform_software.platform
    If the ObjectClass log field value is equal to computer, then if the OperatingSystem log field value is not empty, then if the OperatingSystem log field value matches the regular expression pattern (?i)windows, then the entity.asset.platform_software.platform UDM field is set to WINDOWS.
    Else, if the OperatingSystem log field value matches the regular expression pattern (?i)mac or the OperatingSystem log field value matches the regular expression pattern (?i)osx, then the entity.asset.platform_software.platform UDM field is set to MAC.
    Else, if the OperatingSystem log field value matches the regular expression pattern (?i)linux, then the entity.asset.platform_software.platform UDM field is set to LINUX.

OperatingSystemVersion -> entity.asset.platform_software.platform_version
    If the ObjectClass log field value is equal to computer, then if the OperatingSystem log field value is not empty, then if the OperatingSystemVersion log field value is not empty, then OperatingSystem - OperatingSystemVersion is mapped to the entity.asset.platform_software.platform_version UDM field.
    Else, if the OperatingSystemVersion log field value is not empty, then the OperatingSystemVersion log field is mapped to the entity.asset.platform_software.platform_version UDM field.

OperatingSystemServicePack -> entity.asset.platform_software.platform_patch_level
    If the ObjectClass log field value is equal to computer, then if the OperatingSystemServicePack log field value is not empty, then the OperatingSystemServicePack log field is mapped to the entity.asset.platform_software.platform_patch_level UDM field.

IPv4Address -> entity.asset.ip
    If the ObjectClass log field value is equal to computer, then if the IPv4Address log field value is not empty, then the IPv4Address log field is mapped to the entity.asset.ip UDM field.

IPv6Address -> entity.asset.ip
    If the ObjectClass log field value is equal to computer, then if the IPv6Address log field value is not empty, then the IPv6Address log field is mapped to the entity.asset.ip UDM field.

Location -> entity.asset.location.name
    If the ObjectClass log field value is equal to computer, then if the Location log field value is not empty, then the Location log field is mapped to the entity.asset.location.name UDM field.

ObjectCategory -> entity.asset.category
    If the ObjectClass log field value is equal to computer, then if the ObjectCategory log field value is not empty, then object_category is extracted from the ObjectCategory log field using a Grok pattern, and mapped to the entity.asset.category UDM field.

PasswordExpired -> entity.asset.attribute.labels[Password Expired]
    If the ObjectClass log field value is equal to computer, then if the PasswordExpired log field value is not empty, then the PasswordExpired log field is mapped to the entity.asset.attribute.labels.value UDM field.
    If the ObjectClass log field value is equal to user or is empty, then if the PasswordExpired log field value is not empty, then the PasswordExpired log field is mapped to the entity.user.attribute.labels.value UDM field.

PasswordNeverExpires -> entity.asset.attribute.labels[Password Never Expires]
    If the ObjectClass log field value is equal to computer, then if the PasswordNeverExpires log field value is not empty, then the PasswordNeverExpires log field is mapped to the entity.asset.attribute.labels.value UDM field.
    If the ObjectClass log field value is equal to user or is empty, then if the PasswordNeverExpires log field value is not empty, then the PasswordNeverExpires log field is mapped to the entity.user.attribute.labels.value UDM field.

(none) -> entity.user.attribute.labels[Last Logon]
    If the ObjectClass log field value is equal to user or is empty, then if the lastLogon log field value is not equal to 0, then the entity.user.attribute.labels.key UDM field is set to Last Logon and the lastLogon log field is mapped to the entity.user.attribute.labels.value UDM field.
    If the ObjectClass log field value is equal to computer, then if the lastLogon log field value is not equal to 0, then the entity.asset.attribute.labels.key UDM field is set to Last Logon and the lastLogon log field is mapped to the entity.asset.attribute.labels.value UDM field.

lastLogoff -> entity.asset.attribute.labels[Last Logoff]
    If the ObjectClass log field value is equal to computer, then if the lastLogoff log field value is not one of the following values ("0" or 0), then the lastLogoff log field is mapped to the entity.asset.attribute.labels.value UDM field.

LastLogonDate -> entity.user.last_login_time
    If the ObjectClass log field value is equal to user or is empty, then if the LastLogonDate log field value is not empty, then last_logon_date is extracted from the LastLogonDate log field using a Grok pattern, and mapped to the entity.user.last_login_time UDM field.
    Else, if the ObjectClass log field value is equal to computer, then if the LastLogonDate log field value is not empty, then last_logon_date is extracted from the LastLogonDate log field using a Grok pattern, and mapped to the entity.user.last_login_time UDM field.

HomePage -> entity.url
    If the HomePage log field value is not empty, then the HomePage log field is mapped to the entity.url UDM field.

(none) -> entity.administrative_domain
    If the CanonicalName log field value is not empty, then domain_name is extracted from the CanonicalName log field using a Grok pattern, and mapped to the entity.administrative_domain UDM field.

(none) -> metadata.vendor_name
    The metadata.vendor_name UDM field is set to Microsoft.

(none) -> metadata.product_name
    The metadata.product_name UDM field is set to Windows Active Directory.

Description -> metadata.description
    The Description log field is mapped to the metadata.description UDM field.
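To predict what an exported record will look like after normalization, the subset of the logic above that depends on ObjectClass, the SID regular expression, MemberOf, lastLogon and OperatingSystem can be applied locally to one line of the output file. This is an added example, not the Google Security Operations parser's own code: ConvertTo-UdmEntityPreview is a name chosen here, the two records are constructed samples, and because the parser's Grok patterns are not published on this page, taking the first CN= component of a distinguished name as the group or manager name is an assumption.

```powershell
# Added example, not the Google SecOps parser's own code. Applies part of the
# WINDOWS_AD mapping logic from the table above to one exported JSON line.
# The parser's Grok patterns are not shown on this page, so the DN handling
# below (first CN= component as the group or user name) is an assumption.
function ConvertTo-UdmEntityPreview {
    param([Parameter(Mandatory)][string]$JsonLine)
    $r   = $JsonLine | ConvertFrom-Json
    $udm = [ordered]@{}
    $isUser = [string]::IsNullOrEmpty($r.ObjectClass) -or $r.ObjectClass -eq 'user'

    # metadata.entity_type: user (or empty) => USER, computer => ASSET
    if ($isUser) { $udm['metadata.entity_type'] = 'USER' }
    elseif ($r.ObjectClass -eq 'computer') { $udm['metadata.entity_type'] = 'ASSET' }

    # ObjectGuid and SamAccountName land on user.* or asset.* depending on the class
    if ($isUser) {
        if ($r.ObjectGuid)     { $udm['entity.user.product_object_id'] = "$($r.ObjectGuid)" }
        if ($r.SamAccountName) { $udm['entity.user.userid'] = $r.SamAccountName }
    } elseif ($r.ObjectClass -eq 'computer') {
        if ($r.ObjectGuid)     { $udm['entity.asset.product_object_id'] = "$($r.ObjectGuid)" }
        if ($r.SamAccountName) { $udm['entity.asset.asset_id'] = $r.SamAccountName }
    }

    # windows_sid: SID.Value first, objectSid as the fallback
    if ($r.SID -and $r.SID.Value) { $udm['entity.user.windows_sid'] = $r.SID.Value }
    elseif ($r.objectSid)         { $udm['entity.user.windows_sid'] = "$($r.objectSid)" }

    # Manager: display name via the assumed CN= rule, then SID-shaped values go to
    # managers.windows_sid and anything else (an AD distinguished name) to managers.userid
    if ($isUser -and $r.Manager) {
        if ($r.Manager -match '^CN=([^,]+)') { $udm['entity.user.managers.user_display_name'] = $Matches[1] }
        if ($r.Manager -match '(S-\d-(\d+-){1,14}\d+)') { $udm['entity.user.managers.windows_sid'] = $r.Manager }
        else { $udm['entity.user.managers.userid'] = $r.Manager }
    }

    # MemberOf: one MEMBER / GROUP / UNIDIRECTIONAL relation per group DN
    if ($isUser -and $r.MemberOf) {
        $udm['relations'] = @(foreach ($dn in @($r.MemberOf)) {
            $name = if ($dn -match '^CN=([^,]+)') { $Matches[1] } else { $dn }  # assumed Grok equivalent
            [ordered]@{ relationship = 'MEMBER'; entity_type = 'GROUP'
                        direction = 'UNIDIRECTIONAL'; group_display_name = $name }
        })
    }

    # The Last Logon label is only set when lastLogon is not 0 (never logged on)
    if ($r.lastLogon -and "$($r.lastLogon)" -ne '0') {
        $prefix = if ($isUser) { 'entity.user' } else { 'entity.asset' }
        $udm["$prefix.attribute.labels[Last Logon]"] = "$($r.lastLogon)"
    }

    # Computer-only platform fields
    if ($r.ObjectClass -eq 'computer' -and $r.OperatingSystem) {
        $os = $r.OperatingSystem
        $platform = $null
        if ($os -match '(?i)windows') { $platform = 'WINDOWS' }
        elseif ($os -match '(?i)mac' -or $os -match '(?i)osx') { $platform = 'MAC' }
        elseif ($os -match '(?i)linux') { $platform = 'LINUX' }
        if ($platform) { $udm['entity.asset.platform_software.platform'] = $platform }
        if ($r.OperatingSystemVersion) {
            $udm['entity.asset.platform_software.platform_version'] = "$os - $($r.OperatingSystemVersion)"
        }
        if ($r.DNSHostName) { $udm['entity.asset.hostname'] = $r.DNSHostName }
    }
    $udm
}

# Constructed sample records in the shape the export script writes (one object per line).
$userLine = '{"ObjectClass":"user","ObjectGuid":"1b2c3d4e-0000-4000-8000-000000000001",' +
    '"SamAccountName":"jdoe","SID":{"Value":"S-1-5-21-1111111111-2222222222-3333333333-1105"},' +
    '"Manager":"CN=Jane Roe,OU=Staff,DC=example,DC=com",' +
    '"MemberOf":["CN=Domain Admins,CN=Users,DC=example,DC=com","CN=VPN Users,OU=Groups,DC=example,DC=com"],' +
    '"lastLogon":133500000000000000}'
$computerLine = '{"ObjectClass":"computer","ObjectGuid":"1b2c3d4e-0000-4000-8000-000000000002",' +
    '"SamAccountName":"WS01$","DNSHostName":"ws01.example.com",' +
    '"OperatingSystem":"Windows 11 Enterprise","OperatingSystemVersion":"10.0 (22631)","lastLogon":0}'

ConvertTo-UdmEntityPreview -JsonLine $userLine      # USER entity with two MEMBER relations, manager as userid
ConvertTo-UdmEntityPreview -JsonLine $computerLine  # ASSET entity, platform WINDOWS, no Last Logon label
```

Because Manager and MemberOf are exported as distinguished names rather than SIDs, the user record's manager ends up in entity.user.managers.userid, which is worth knowing before writing detections that join on managers.windows_sid.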
