이 페이지는 Cloud Translation API를 통해 번역되었습니다.

Microsoft Windows AD 데이터 수집

다음에서 지원:

Google SecOps SIEM

이 문서에는 다음 정보가 포함되어 있습니다.

배포 아키텍처, 설치 단계, Google Security Operations 파서에서 지원하는 Microsoft Windows Active Directory 이벤트용 로그를 생성하는 데 필요한 구성. Google Security Operations 데이터 수집에 대한 개요는 Google Security Operations에 데이터 수집을 참고하세요.
파서에서 원래 로그의 필드를 Google Security Operations 통합 데이터 모델 필드에 매핑하는 방식에 대한 정보

배포 아키텍처에 따라 BindPlane 에이전트나 NXLog 에이전트를 구성하여 Microsoft Windows Active Directory 로그를 Google Security Operations로 수집합니다. BindPlane 에이전트를 사용하여 Windows Active Directory의 로그를 Google Security Operations로 전달하는 것이 좋습니다.

이 문서의 정보는 WINDOWS_AD 수집 라벨이 있는 파서에 적용됩니다. 수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다.

시작하기 전에

BindPlane 에이전트나 NXLog 에이전트를 구성하기 전에 다음 태스크를 완료합니다.

모든 시스템이 UTC 시간대를 사용하도록 구성합니다.
Microsoft Windows AD 서버 구성
지원되는 기기 및 버전 검토
지원되는 로그 유형 검토

Microsoft Windows AD 서버 구성

각 Microsoft Windows Active Directory 서버에서 로그 데이터를 출력 파일에 저장하도록 PowerShell 스크립트를 만들고 구성합니다. BindPlane 에이전트 또는 NXLog가 출력 파일을 읽습니다.

# Set the location where the log file will be written
$OUTPUT_FILENAME="<Path_of_the_output_file>"

If (Test-Path -Path $OUTPUT_FILENAME) { Remove-Item -path $OUTPUT_FILENAME -ErrorAction SilentlyContinue}

# USER_CONTEXT: Gets all Active Directory users and their properties.
Get-ADUser -Filter * -properties samAccountName | % { Get-ADUser $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }

# ASSET_CONTEXT: Gets all Active Directory assets and their properties.
Get-ADComputer -Filter * -properties samAccountName | % { Get-ADComputer $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }

다음을 바꿉니다.
- $OUTPUT_FILENAME 값을 출력 파일의 위치로 바꿉니다.
- 데이터를 JSON 형식으로 저장합니다.
- 인코딩을 UTF-8로 설정합니다.
- Get-ADUser 및 Get-ADComputer cmdlets를 호출할 때 -LDAPFilter 매개변수가 아닌 -Filter 매개변수를 사용합니다.
스크립트를 실행하여 출력 파일에 데이터를 가져오고 기록하는 반복 태스크를 만듭니다.
1. 작업 스케줄러 애플리케이션을 엽니다.
2. 태스크 만들기를 클릭합니다.
3. 태스크의 이름과 설명을 입력합니다.
4. 가장 높은 권한으로 실행 체크박스를 선택하여 모든 데이터가 검색되었는지 확인합니다.
5. 트리거 탭에서 태스크를 반복할 시점을 정의합니다.
6. 작업 탭에서 새 작업을 추가하고 스크립트가 저장된 파일의 경로를 제공합니다.

지원되는 기기 및 버전 검토

Microsoft Windows Server는 Foundation, Essentials, Standard, Datacenter 버전으로 출시됩니다. 각 버전에서 생성된 로그의 이벤트 스키마는 다르지 않습니다.

Google Security Operations 파서는 다음 Microsoft Windows Server 버전의 로그를 지원합니다.

Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012

Google Security Operations 파서는 NXLog Community Edition 또는 Enterprise Edition에서 수집한 로그를 지원합니다.

지원되는 로그 유형 검토

Google Security Operations 파서는 사용자 컨텍스트 및 애셋 컨텍스트에서 검색된 데이터를 파싱하고 정규화합니다. 영어 텍스트로 생성된 로그를 지원하며 영어가 아닌 언어로 생성된 로그에서는 지원되지 않습니다.

BindPlane 에이전트 구성

BindPlane 에이전트를 사용하여 Windows Active Directory의 로그를 Google Security Operations로 전달하는 것이 좋습니다.

설치 후 BindPlane 에이전트 서비스가 Windows 서비스 목록에 observIQ 서비스로 표시됩니다.

각 Windows Active Directory 서버에 BindPlane 에이전트를 설치합니다. BindPlane 에이전트 설치에 대한 자세한 내용은 BindPlane 에이전트 설치 안내를 참고하세요.

다음 콘텐츠로 BindPlane 에이전트의 구성 파일을 만듭니다.

receivers:
  filelog:
    include: [ `FILE_PATH` ]
    operators:
      - type: json_parser
    start_at: beginning
  windowseventlog/activedirectoryservice:
    channel: Directory Service
    raw: true
processors:
  batch:

exporters:
  chronicle/activedirectory:
    endpoint: https://malachiteingestion-pa.googleapis.com
    creds: '{
    "type": "service_account",
    "project_id": "malachite-projectname",
    "private_key_id": `PRIVATE_KEY_ID`,
    "private_key": `PRIVATE_KEY`,
    "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "client_id": `CLIENT_ID`,
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "universe_domain": "googleapis.com"
    }'
  log_type: 'WINDOWS_AD'
  override_log_type: false
  raw_log_field: body
  customer_id: `CUSTOMER_ID`

service:
  pipelines:
    logs/ads:
      receivers:
        - filelog
        - windowseventlog/activedirectoryservice
      processors: [batch]
      exporters: [chronicle/activedirectory]

다음을 바꿉니다.
- FILE_PATH: Microsoft Windows AD 서버 구성에 언급된 PowerShell 스크립트의 출력이 저장된 파일의 경로입니다.
- PRIVATE_KEY_ID, PRIVATE_KEY, SERVICSERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID, CUSTOMER_ID를 Google Cloud에서 다운로드할 수 있는 서비스 계정 JSON 파일의 각 값으로 바꿉니다. 서비스 계정 키에 대한 자세한 내용은 서비스 계정 키 만들기 및 삭제를 참고하세요.
observIQ 에이전트 서비스를 시작하려면 서비스 > 확장 > observIQ 서비스 > 시작을 선택합니다.

NXLog 구성

다음 다이어그램에서는 Microsoft Windows 이벤트를 수집하고 Google Security Operations로 전송하기 위해 설치된 NXLog 에이전트의 아키텍처를 보여줍니다. 이 정보를 사용자 환경과 비교하여 이러한 구성요소가 설치되어 있는지 확인합니다. 배포는 이 아키텍처와 다를 수 있으며 더 복잡할 수 있습니다.

NXLog 전달자 처리

BindPlane 에이전트 대신 NXLog 에이전트를 사용하는 경우 다음을 확인합니다.

Active Directory를 실행하는 각 Microsoft Windows Server에서 USER_CONTEXT 및 ASSET_CONTEXT 데이터를 수집하도록 PowerShell 스크립트가 생성되고 구성됩니다. 자세한 내용은 Microsoft Windows AD 서버 구성을 참고하세요.
NXLog는 데이터를 중앙 Microsoft Windows Server 또는 Linux 서버로 전송하기 위해 각 Microsoft Windows AD 서버에 설치됩니다.
Google Security Operations 전달자는 로그 데이터가 Google Security Operations로 전달되도록 중앙 Microsoft Windows 서버 또는 Linux 서버에 설치됩니다.

NXLog 구성

Windows Active Directory 서버에서 실행되는 각 수집기에 NXLog 에이전트를 설치합니다. 이 애플리케이션은 중앙 Microsoft Windows 또는 Linux 서버로 로그를 전달합니다. 자세한 내용은 NXLog 문서를 참고하세요.

각 NXLog 인스턴스에 대한 구성 파일을 만듭니다. NXLog im_file 모듈을 사용하여 파일에서 읽고 줄을 필드로 파싱합니다. om_tcp를 사용하여 데이터를 중앙 Microsoft Windows 또는 Linux 서버로 전달합니다.

다음은 NXLog 구성의 예입니다. <hostname> 및 <port> 값을 대상 중앙 Microsoft Windows 또는 Linux 서버에 대한 정보로 바꿉니다. <Input in_adcontext> 섹션 및 File 속성에서 PowerShell 스크립트로 작성된 출력 로그 파일의 경로를 추가합니다. 항상 DirCheckInterval 및 PollInterval을 설정합니다. 이를 정의하지 않으면 NXLog는 1초마다 파일을 폴링합니다.

define ROOT C:\Program Files\nxlog
define ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <hostname>
define ADCONTEXT_OUTPUT_DESTINATION_PORT <port>

Moduledir   %ROOT%\modules
CacheDir    %ROOT%\data
Pidfile     %ROOT%\data\nxlog.pid
SpoolDir    %ROOT%\data
LogFile     %ROOT%\data\nxlog.log

<Input in_adcontext>
    Module im_file
    File "<Path_of_the_output_file>"
    DirCheckInterval 3600
    PollInterval 3600
</Input>

<Output out_chronicle_adcontext>
    Module  om_tcp
    Host    %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS%
    Port    %ADCONTEXT_OUTPUT_DESTINATION_PORT%
</Output>

<Route ad_context_to_chronicle>
    Path in_adcontext => out_chronicle_adcontext
</Route>

각 시스템에서 NXLog 서비스를 시작합니다.

중앙 서버에서 전달자 구성

Linux에서 전달자 설치 및 구성에 관한 자세한 내용은 Linux에서 전달자 설치 및 구성을 참고하세요. Microsoft Windows에서 전달자 설치 및 구성에 대한 자세한 내용은 Microsoft Windows에서 전달자 설치 및 구성을 참고하세요.

UTC 시간대로 시스템을 구성합니다.
중앙 Microsoft Windows 또는 Linux 서버에 Google Security Operations 전달자를 설치합니다.

Google Security Operations 전달자를 구성하여 로그를 Google Security Operations에 전송합니다. 다음은 전달자 구성의 예입니다.

  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_AD
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

필드 매핑 참조: 기기 로그 필드에서 UDM 필드로

이 섹션에서는 파서가 원래 로그 필드를 통합 데이터 모델 필드에 매핑하는 방법을 설명합니다.

필드 매핑 참조: WINDOWS_AD

다음 표에는 WINDOWS_AD 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.entity_type`	If the `ObjectClass` log field value is equal to `user` or is empty, then the `metadata.entity_type` UDM field is set to `USER`. Else, if the `ObjectClass` log field value is equal to `computer`, then the `metadata.entity_type` UDM field is set to `ASSET`.
`ObjectGuid`	`entity.user.product_object_id`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `ObjectGuid` log field value is not empty, then the `ObjectGuid` log field is mapped to the `entity.user.product_object_id` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `ObjectGuid` log field value is not empty, then the `ObjectGuid` log field is mapped to the `entity.asset.product_object_id` UDM field.
`whenCreated`	`metadata.creation_timestamp`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `whenCreated` log field value is not empty, then `when_created` is extracted from the `whenCreated` log field using a Grok pattern, and mapped to the `entity.asset.attribute.creation_time` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `whenCreated` log field value is not empty, then `when_created` is extracted from the `whenCreated` log field using a Grok pattern, and mapped to the `metadata.creation_timestamp` UDM field. Else, `timestamp tz_left tz_right` is extracted from the `whenCreated` log field using a Grok pattern, and mapped to the `entity.asset.attribute.creation_time` UDM field.
`DisplayName`	`entity.user.user_display_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `DisplayName` log field value is not empty, then the `DisplayName` log field is mapped to the `entity.user.user_display_name` UDM field.
`GivenName`	`entity.user.first_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `GivenName` log field value is not empty, then the `GivenName` log field is mapped to the `entity.user.first_name` UDM field.
`SamAccountName`	`entity.user.userid`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `SamAccountName` log field value is not empty, then the `SamAccountName` log field is mapped to the `entity.user.userid` UDM field. If the `ObjectClass` log field value is equal to `computer`, then the `SamAccountName` log field is mapped to the `entity.asset.asset_id` UDM field.
`EmployeeID`	`entity.user.employee_id`	If the `EmployeeID` log field value is not empty, then the `EmployeeID` log field is mapped to the `entity.user.employee_id` UDM field. Else the `employeeID.0` log field is mapped to the `entity.user.employee_id` UDM field.
`Title`	`entity.user.title`	If the `Title` log field value is not empty, then the `Title` log field is mapped to the `entity.user.title` UDM field.
`Surname`	`entity.user.last_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Surname` log field value is not empty, then if the `sn` log field is mapped to the `entity.user.last_name` UDM field. Else if`Surname` log field value is not empty, then the `Surname` log field is mapped to the `entity.user.last_name` UDM field.
`Company`	`entity.user.company_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Company` log field value is not empty, then the `Company` log field is mapped to the `entity.user.company_name` UDM field.
`City`	`entity.user.personal_address.city`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `City` log field value is not empty, then the `City` log field is mapped to the `entity.user.personal_address.city` UDM field.
`Department`	`entity.user.department`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Department` log field value is not empty, then the `Department` log field is mapped to the `entity.user.department` UDM field.
	`entity.user.email_addresses`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `EmailAddress` log field value is not empty, then the `EmailAddress` log field is mapped to the `entity.user.email_addresses` UDM field. Else, if the `mail` log field value is not empty, then the `mail` log field is mapped to the `entity.user.email_addresses` UDM field.
`HomePhone`	`entity.user.phone_numbers`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `HomePhone` log field value is not empty, then the `HomePhone` log field is mapped to the `entity.user.phone_numbers` UDM field. Else if the `telephoneNumber` log field value is not empty, then the `telephoneNumber` log field is mapped to the `entity.user.phone_numbers` UDM field. If the `ObjectClass` log field value is equal to `user` or is empty, then if the `MobilePhone` log field value is not empty, then the `MobilePhone` log field is mapped to the `entity.user.phone_numbers` UDM field.
`StreetAddress`	`entity.user.personal_address.name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `StreetAddress` log field value is not empty, then the `StreetAddress` log field is mapped to the `entity.user.personal_address.name` UDM field.
`State`	`entity.user.personal_address.state`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `State` log field value is not empty, then the `State` log field is mapped to the `entity.user.personal_address.state` UDM field.
`Country`	`entity.user.personal_address.country_or_region`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Country` log field value is not empty, then the `Country` log field is mapped to the `entity.user.personal_address.country_or_region` UDM field.
`Office`	`entity.user.office_address.name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Office` log field value is not empty, then the `Office` log field is mapped to the `entity.user.office_address.name` UDM field.
`HomeDirectory`	`entity.file.full_path`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `HomeDirectory` log field value is not empty, then the `HomeDirectory` log field is mapped to the `entity.file.full_path` UDM field.
	`entity.user.managers.user_display_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Manager` log field value is not empty, then `manager_name` is extracted from the `Manager` log field using a Grok pattern, and mapped to the `entity.user.managers.user_display_name` UDM field.
	`entity.user.windows_sid`	If the `SID.Value` log field value is not empty, then the `SID.Value` field is mapped to the `entity.user.windows_sid` UDM field. Else, if the `objectSid` log field value is not empty, then the `objectSid` field is mapped to the `entity.user.windows_sid` UDM field. If the `ObjectClass` log field value is equal to `user` or is empty, then if the `Manager` log field value is not empty, then if Manager matches the regular expression pattern `(S-\d-(\d+-){1,14}\d+)`, then the `Manager` log field is mapped to the `entity.user.managers.windows_sid` UDM field. Else, the `Manager` log field is mapped to the `entity.user.managers.userid` UDM field.
	`relations.relationship`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `MemberOf` log field value is not empty, then for index in `MemberOf`, the `relations.relationship` UDM field is set to `MEMBER`. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `ManagedBy` log field value is not empty, then the `relations.relationship` UDM field is set to `ADMINISTERS`. If the `PrimaryGroup` log field value is not empty, then `group_name` is extracted from the `PrimaryGroup` log field using a Grok pattern, if the `group_name` extracted field value is not empty, then the `relations.relationship` UDM field is set to `MEMBER`.
	`relations.entity.group.group_display_name`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `MemberOf` log field value is not empty, then for index in `MemberOf`, `group_name` is extracted from the `index` using a Grok pattern and mapped to the `relations.entity.group.group_display_name` UDM field. If the `PrimaryGroup` log field value is not empty, then `group_name` is extracted from the `PrimaryGroup` log field using a Grok pattern and mapped to the `relations.entity.group.group_display_name` UDM field.
	`relations.entity_type`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `MemberOf` log field value is not empty, then for index in `MemberOf`, the `relations.entity_type` UDM field is set to `GROUP`. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `ManagedBy` log field value is not empty, then the `relations.entity_type` UDM field is set to `ASSET`. If the `PrimaryGroup` log field value is not empty, then `group_name` is extracted from the `PrimaryGroup` log field using a Grok pattern, if the `group_name` extracted field value is not empty, then the `relations.entity_type` UDM field is set to `GROUP`.
	`relations.direction`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `MemberOf` log field value is not empty, then for index in `MemberOf`, the `relations.direction` UDM field is set to `UNIDIRECTIONAL`. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `ManagedBy` log field value is not empty, then the `relations.direction` UDM field is set to `UNIDIRECTIONAL`. If the `PrimaryGroup` log field value is not empty, then `group_name` is extracted from the `PrimaryGroup` log field using a Grok pattern, if the `group_name` extracted field value is not empty, then the `relations.direction` UDM field is set to `UNIDIRECTIONAL`.
	`relations.entity.user.user_display_name`	If the `ObjectClass` log field value is equal to `computer`, then if the `ManagedBy` log field value is not empty, then `user_name` is extracted from the `ManagedBy` log field using a Grok pattern and mapped to the `relations.entity.user.user_display_name` UDM field.
`proxyAddresses`	`entity.user.group_identifiers`	If the `ObjectClass` log field value is equal to `user` or is empty, then for index in `proxyAddresses` the `index` is mapped to `entity.user.group_identifiers` UDM field.
	`entity.user.attribute.labels[Bad Password Count]`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `badPwdCount` log field value is not empty, then the `entity.user.attribute.labels.key` UDM field is set to `Bad Password Count` and the `badPwdCount` log field is mapped to the `entity.user.attribute.labels.value` UDM field.
`LastBadPasswordAttempt`	`entity.user.last_bad_password_attempt_time`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `LastBadPasswordAttempt` log field value is not empty, then `last_bad_password_attempt` is extracted from the `LastBadPasswordAttempt` log field using a Grok pattern and mapped to the `entity.user.last_bad_password_attempt_time` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then `last_bad_password_attempt` is extracted from the `LastBadPasswordAttempt` log field using a Grok pattern and mapped to the `entity.user.last_bad_password_attempt_time` UDM field.
`AccountExpirationDate`	`entity.user.account_expiration_time`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `AccountExpirationDate` log field value is not empty, then `account_expiration_date` is extracted from the `AccountExpirationDate` log field using a Grok pattern and mapped to the `entity.user.account_expiration_time` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `AccountExpirationDate` log field value is not empty, then `account_expiration_date` is extracted from the `AccountExpirationDate` log field using a Grok pattern and mapped to the `entity.user.account_expiration_time` UDM field.
`PasswordLastSet`	`entity.user.last_password_change_time`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `PasswordLastSet` log field value is not empty, then `password_last_set` is extracted from the `PasswordLastSet` log field using a Grok pattern and mapped to the `entity.user.last_password_change_time` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `PasswordLastSet` log field value is not empty, then `password_last_set` is extracted from the `PasswordLastSet` log field using a Grok pattern and mapped to the `entity.user.last_password_change_time` UDM field.
`PasswordNotRequired`	`entity.user.attribute.labels[Password Not Required]`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `PasswordNotRequired` log field value is not empty, then the `PasswordNotRequired` log field is mapped to the `entity.user.attribute.labels.value` UDM field. If the `ObjectClass` log field value is equal to `computer`, then if the `PasswordNotRequired` log field value is not empty, then the `PasswordNotRequired` log field is mapped to the `entity.asset.attribute.labels.value` UDM field.
`ServicePrincipalNames`	`entity.user.attribute.labels[Service Principal Names]`	If the `ObjectClass` log field value is equal to `user` or is empty, then if `ServicePrincipalNames` log field value is not empty, then for index in `ServicePrincipalNames` the `index` is mapped to the `entity.user.attribute.labels.value` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if `ServicePrincipalNames` log field value is not empty, then for index in `ServicePrincipalNames`, if `index` is equal to 0, then the `index` is mapped to the `entity.user.attribute.labels.value` UDM field.
`AccountLockoutTime`	`entity.user.account_lockout_time`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `AccountLockoutTime` log field value is not empty, then `account_lockout_time` is extracted from the `AccountLockoutTime` log field using a Grok pattern and mapped to the `entity.user.account_lockout_time` UDM field. Else, if the `ObjectClass` log field value is equal to `computer`, then if the `AccountLockoutTime` log field value is not empty, then `account_lockout_time` is extracted from the `AccountLockoutTime` log field using a Grok pattern and mapped to the `entity.user.account_lockout_time` UDM field.
`whenChanged`	`entity.asset.attribute.last_update_time`	If the `ObjectClass` log field value is equal to `computer`, then `when_changed` is extracted from the `whenChanged` log field using a Grok pattern, if `whenChanged` is not empty, then `when_changed` is mapped to the `entity.asset.attribute.last_update_time` UDM field. Else, `timestamp` and `timezone` is extracted from `whenChanged` log field using a Grok pattern and `tz_left` and `tz_right` is extracted from the `timezone` using a Grok pattern and `timestamp tz_left tz_right` is mapped to `entity.asset.attribute.creation_time` UDM field.
`DNSHostName`	`entity.asset.hostname`	If the `ObjectClass` log field value is equal to `computer`, then if the `DNSHostName` log field value is not empty, then the `DNSHostName` log field is mapped to the `entity.asset.hostname` UDM field.
`countryCode`	`entity.asset.location.country_or_region`	If the `ObjectClass` log field value is equal to `computer`, then if the `countryCode` log field value is not empty, then the `countryCode` log field is mapped to the `entity.asset.location.country_or_region` UDM field.
	`entity.asset.platform_software.platform`	If the `ObjectClass` log field value is equal to `computer`, then if the `OperatingSystem` log field value is not empty, then if the `OperatingSystem` log field value matches the regular expression pattern `(?i)windows`, then the `entity.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `OperatingSystem` log field value matches the regular expression pattern `(?i)mac` or the `OperatingSystem` log field value matches the regular expression pattern `(?i)osx`, then the `entity.asset.platform_software.platform` UDM field is set to `MAC`. Else, if the `OperatingSystem` log field value matches the regular expression pattern `(?i)linux`, then the `entity.asset.platform_software.platform` UDM field is set to `LINUX`.
`OperatingSystemVersion`	`entity.asset.platform_software.platform_version`	If the `ObjectClass` log field value is equal to `computer`, then if the `OperatingSystem` log field value is not empty, then if the `OperatingSystemVersion` log field value is not empty, then `OperatingSystem - OperatingSystemVersion` is mapped to the `entity.asset.platform_software.platform_version` UDM field. Else if the `OperatingSystemVersion` log field value is not empty, then the `OperatingSystemVersion` log field is mapped to the `entity.asset.platform_software.platform_version` UDM field.
`OperatingSystemServicePack`	`entity.asset.platform_software.platform_patch_level`	If the `ObjectClass` log field value is equal to `computer`, then if the `OperatingSystemServicePack` log field value is not empty, then the `OperatingSystemServicePack` log field is mapped to the `entity.asset.platform_software.platform_patch_level` UDM field.
`IPv4Address`	`entity.asset.ip`	If the `ObjectClass` log field value is equal to `computer`, then if the `IPv4Address` log field value is not empty, then the `IPv4Address` log field is mapped to the `entity.asset.ip` UDM field.
`IPv6Address`	`entity.asset.ip`	If the `ObjectClass` log field value is equal to `computer`, then if the `IPv6Address` log field value is not empty, then the `IPv6Address` log field is mapped to the `entity.asset.ip` UDM field.
`Location`	`entity.asset.location.name`	If the `ObjectClass` log field value is equal to `computer`, then if the `Location` log field value is not empty, then the `Location` log field is mapped to the `entity.asset.location.name` UDM field.
`ObjectCategory`	`entity.asset.category`	If the `ObjectClass` log field value is equal to `computer`, then if the `ObjectCategory` log field value is not empty, then `object_category` is extracted from the `ObjectCategory` log field using a Grok pattern, and mapped to the `entity.asset.category` UDM field.
`PasswordExpired`	`entity.asset.attribute.labels[Password Expired]`	If the `ObjectClass` log field value is equal to `computer`, then if the `PasswordExpired` log field value is not empty, then the `PasswordExpired` log field is mapped to the `entity.asset.attribute.labels.value` UDM field. If the `ObjectClass` log field value is equal to `user` or is empty, then if the `PasswordExpired` log field value is not empty, then the `PasswordExpired` log field is mapped to the `entity.user.attribute.labels.value` UDM field.
`PasswordNeverExpires`	`entity.asset.attribute.labels[Password Never Expires]`	If the `ObjectClass` log field value is equal to `computer`, then if the `PasswordNeverExpires` log field value is not empty, then the `PasswordNeverExpires` log field is mapped to the `entity.asset.attribute.labels.value` UDM field. If the `ObjectClass` log field value is equal to `user` or is empty, then if the `PasswordNeverExpires` log field value is not empty, then the `PasswordNeverExpires` log field is mapped to the `entity.user.attribute.labels.value` UDM field.
	`entity.user.attribute.labels[Last Logon]`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `lastLogon` log field value is not equal to `0`, then the `entity.user.attribute.labels.key` UDM field is set to `Last Logon` and the `lastLogon` log field is mapped to the `entity.user.attribute.labels.value` UDM field. If the `ObjectClass` log field value is equal to `computer`, then if the `lastLogon` log field value is not equal to `0`, then the `entity.asset.attribute.labels.key` UDM field is set to `Last Logon` and the `lastLogon` log field is mapped to the `entity.asset.attribute.labels.value` UDM field.
`lastLogoff`	`entity.asset.attribute.labels[Last Logoff]`	If the `ObjectClass` log field value is equal to `computer`, then if the `lastLogoff` log field value does not contain one of the following values, then the `lastLogoff` log field is mapped to the `entity.asset.attribute.labels.value` UDM field. `"0"` `0` .
`LastLogonDate`	`entity.user.last_login_time`	If the `ObjectClass` log field value is equal to `user` or is empty, then if the `LastLogonDate` log field value is not empty, then `last_logon_date` is extracted from the `LastLogonDate` log field using a Grok pattern, and mapped to the `entity.user.last_login_time` UDM field. Else if the `ObjectClass` log field value is equal to `computer`,then if the `LastLogonDate` log field value is not empty, then `last_logon_date` is extracted from the `LastLogonDate` log field using a Grok pattern, and mapped to the `entity.user.last_login_time` UDM field.
`HomePage`	`entity.url`	If the `HomePage` log field value is not empty, then the `HomePage` log field is mapped to the `entity.url` UDM field.
	`entity.administrative_domain`	If the `CanonicalName` log field value is not empty, then `domain_name` is extracted from the `CanonicalName` log field using a Grok pattern, and mapped to the `entity.administrative_domain` UDM field.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Microsoft`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Windows Active Directory`.
`Description`	`metadata.description`	The `Description` log field is mapped to the `metadata.description` UDM field.