Esta página se ha traducido con Cloud Translation API.

Recoger registros de telemetría de Jamf Protect V2

Disponible en:

SecOps de Google SIEM

En este documento se describe cómo puede recoger los registros de telemetría V2 de Jamf Protect configurando un feed de Google Security Operations. En él se detalla la asignación de los campos de registro de Telemetría V2 de Jamf Protect a los campos del modelo de datos unificado (UDM) de Google SecOps y se indica la versión compatible de Telemetría V2 de Jamf Protect.

Para obtener más información, consulta Ingestión de datos en Google SecOps.

Una implementación típica consta de Jamf Protect Telemetry V2 y el feed de Google SecOps configurado para enviar registros a Google SecOps. Cada implementación de cliente puede ser diferente y más compleja.

La implementación contiene los siguientes componentes:

Telemetría de Jamf Protect V2. La plataforma Jamf Protect Telemetry V2 desde la que recoges los registros.
Feed de Google SecOps. El feed de Google SecOps que obtiene registros de la telemetría de Jamf Protect y escribe registros en Google SecOps.
Google SecOps. Google SecOps conserva y analiza los registros de Jamf Protect Telemetry V2.

Cada registro se normaliza en el modelo de datos unificado (UDM) mediante un analizador específico. La información de este documento se aplica al analizador asociado a la etiqueta de ingestión JAMF_TELEMETRY_V2.

Antes de empezar

Asegúrate de que tienes configurada la versión más reciente de Jamf Protect Telemetry V2.
Asegúrate de que estás usando Jamf Protect 6.3.2 o una versión posterior.
Asegúrate de que todos los sistemas de la arquitectura de implementación estén configurados con la zona horaria UTC.

Configurar un feed en Google SecOps para ingerir registros de telemetría de Jamf Protect V2

Puede usar Amazon S3 V2 o un webhook para configurar un feed de ingestión en Google SecOps.

Configurar un feed de ingestión en Google SecOps con Amazon S3 V2

Ve a Configuración de SIEM > Feeds.
Haz clic en Añadir feed.
Haga clic en el paquete de feeds JAMF.
Busca el feed JAMF Protect Telemetry V2.
En la lista Tipo de fuente, selecciona Amazon S3 V2.
Especifique los valores de los siguientes campos:
- URI de S3: el URI que apunta a un contenedor de S3.
- Opción de eliminación de origen: si se deben eliminar los archivos o directorios después de la transferencia.
- Antigüedad máxima del archivo: incluye los archivos modificados en los últimos días. El valor predeterminado es de 180 días.
- Selecciona Clave de acceso o Clave de acceso secreta: elige el tipo de credencial adecuado.
- Clave o token: la clave compartida o el token de SAS para acceder a los recursos de S3.
Haga clic en Crear feed.

Configurar un feed de ingesta en Google SecOps mediante un webhook

Ve a Configuración de SIEM > Feeds.
Haz clic en Añadir feed.
Haga clic en el paquete de feeds JAMF.
Busca el feed JAMF Protect Telemetry V2.
En la lista Tipo de fuente, selecciona Webhook.
Especifique los valores de los siguientes campos:
- Delimitador de división: el delimitador que se usa para separar las líneas de registro, como \n.
- Espacio de nombres de recursos: el espacio de nombres de recursos.
- Etiquetas de ingestión: etiqueta que se aplicará a los eventos de este feed.
Haga clic en Crear feed.

Para obtener más información sobre cómo configurar varios feeds para diferentes tipos de registros en esta familia de productos, consulta el artículo Configurar feeds por producto.

Crear una clave de API para un feed de webhook

Ve a la Google Cloud consola > Credenciales.

Ir a Credenciales
Haz clic en Crear credenciales y, a continuación, selecciona Clave de API.
Restringe el acceso de la clave de API a la API Google Security Operations.

Configurar Jamf Protect Telemetry V2 para un feed de webhook

En la aplicación Jamf Protect Telemetry V2, ve a la configuración de la acción relacionada.
Haga clic en Crear acciones para añadir un nuevo endpoint de datos.
Selecciona HTTP como protocolo.
En el campo URL, introduce la URL HTTPS del endpoint de la API de Google Security Operations. Este es el campo Información del endpoint que has copiado de la configuración del feed de webhook. Ya tiene el formato necesario.
Para habilitar la autenticación, especifica la clave de API y la clave secreta como parte del encabezado personalizado con el siguiente formato:
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
Recomendación: Especifica la clave de API como encabezado en lugar de hacerlo en la URL. Si tu cliente de webhook no admite encabezados personalizados, puedes especificar la clave de API y la clave secreta mediante parámetros de consulta con el siguiente formato:
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```
Haz los cambios siguientes:
- ENDPOINT_URL: URL del endpoint del feed.
- API_KEY: la clave de API para autenticarte en Google Security Operations.
- SECRET: la clave secreta que has generado para autenticar el feed.
En la sección Recoger registros, selecciona Telemetría.
Haz clic en Enviar.

Para obtener más información sobre los feeds de Google SecOps, consulta la documentación de los feeds de Google SecOps. Para obtener información sobre los requisitos de cada tipo de feed, consulta el artículo Configuración de feeds por tipo.

Si tienes problemas al crear feeds, ponte en contacto con el equipo de Asistencia de SecOps de Google.

Referencia de asignación de campos

En esta sección se explica cómo asigna el analizador de Google SecOps los campos de Jamf Protect Telemetry V2 a los campos del modelo de datos unificado (UDM) de Google SecOps.

Referencia de asignación de campos: identificador de evento a tipo de evento

En la siguiente tabla se enumeran los JAMF_TELEMETRY_V2 tipos de registros y sus tipos de eventos de UDM correspondientes.

Event Identifier	Event Type
`authentication`	`USER_LOGIN`
`bios_uefi`	`STATUS_UPDATE`
`btm_launch_item_add`	`PROCESS_LAUNCH`
`btm_launch_item_remove`	`PROCESS_TERMINATION`
`chroot`	`FILE_MODIFICATION`
`cs_invalidated`	`STATUS_UPDATE`
`exec`	`PROCESS_LAUNCH`
`file_collection`	`STATUS_UPDATE`
`gatekeeper_user_override`	`STATUS_UPDATE`
`kextload`	`STATUS_UPDATE`
`kextunload`	`STATUS_UPDATE`
`log_collection`	`STATUS_UPDATE`
`login_login`	`USER_LOGIN`
`login_logout`	`USER_LOGOUT`
`lw_session_lock`	`USER_LOGOUT`
`lw_session_login`	`USER_LOGIN`
`lw_session_logout`	`USER_LOGOUT`
`lw_session_unlock`	`USER_LOGIN`
`mount`	`STATUS_UPDATE`
`od_attribute_set`	`USER_RESOURCE_UPDATE_CONTENT`
`od_attribute_value_add`	`STATUS_UPDATE`
`od_attribute_value_remove`	`USER_RESOURCE_DELETION`
`od_create_group`	`GROUP_CREATION`
`od_create_user`	`USER_CREATION`
`od_delete_group`	`GROUP_DELETION`
`od_delete_user`	`USER_DELETION`
`od_disable_user`	`USER_UNCATEGORIZED`
`od_enable_user`	`USER_UNCATEGORIZED`
`od_group_add`	`GROUP_MODIFICATION`
`od_group_remove`	`GROUP_MODIFICATION`
`od_group_set`	`GROUP_MODIFICATION`
`od_modify_password`	`USER_CHANGE_PASSWORD`
`openssh_login`	`USER_LOGIN`
`openssh_logout`	`USER_LOGOUT`
`sudo`	`STATUS_UPDATE`
`system_performance`	`STATUS_UPDATE`
`unmount`	`STATUS_UPDATE`
`profile_add`	`SETTING_CREATION`
`profile_remove`	`SETTING_DELETION`
`remount`	`RESOURCE_CREATION`
`screensharing_attach`	`USER_LOGIN`
`screensharing_detach`	`USER_LOGOUT`
`settime`	`STATUS_UPDATE`
`su`	`USER_LOGIN`
`xp_malware_detected`	`SCAN_FILE`
`xp_malware_remediated`	`SCAN_FILE`

Referencia de asignación de campos: JAMF_TELEMETRY_V2 - Common Fields

En la siguiente tabla se enumeran los campos habituales del tipo de registro JAMF_TELEMETRY_V2 y sus campos de UDM correspondientes.

Log field	UDM mapping	Logic
`action.result.result.auth`	`security_result.action`	If the event_type log field value is < `8000`, and not equal to `113` or `112`, and the action.result.result.auth field is equal to 1, then set `security_result.action` to BLOCK. Else, set `security_result.action` to ALLOW
	`principal.platform`	The `principal.platform` UDM field is set to `MAC`.
`uuid`	`metadata.product_log_id`
`time`	`metadata.event_timestamp`
`metadata.product`	`metadata.product_name`
`host.protectVersion`	`metadata.product_version`
`metadata.vendor`	`metadata.vendor_name`
`host.hostname`	`principal.asset.hostname`
`host.os`	`principal.platform_version`
`host.provisioningUDID`	`principal.asset_id`
`host.serial`	`principal.asset.hardware.serial_number`
`host.ips`	`principal.ip`	Iterate through log field `host.ips`, then `host.ips` log field is mapped to the `principal.ip` UDM field.
`event_type`	`additional.fields[event_type]`
`global_seq_num`	`additional.fields[global_seq_num]`
`process.executable.path`	`src.process.file.full_path`
`process.executable.stat.st_dev`	`src.process.file.stat_dev`
`process.executable.stat.st_flags`	`src.process.file.stat_flags`
`process.executable.stat.st_ino`	`src.process.file.stat_inode`
`process.executable.stat.st_mode`	`src.process.file.stat_mode`
`process.executable.stat.st_mtimespec`	`src.process.file.last_modification_time`
`process.executable.stat.st_atimespec`	`src.process.file.last_access_time`
`process.executable.stat.st_nlink`	`src.process.file.stat_nlink`
`process.executable.stat.st_size`	`src.process.file.size`
`process.executable.sha256`	`src.process.file.sha256`
`process.executable.sha1`	`src.process.file.sha1`
`process.signing_id`	`src.process.file.signature_info.codesign.id`
`process.team_id`	`additional.fields[process_team_id]`
`process.ppid`	`additional.fields[process_ppid]`
`process.codesigning_flags`	`additional.fields[process_codesigning_flags]`
`process.cdhash`	`additional.fields[process_cdhash]`
`process.is_platform_binary`	`additional.fields[process_is_platform_binary]`
`process.is_es_client`	`additional.fields[process_is_es_client]`
`process.group_id`	`additional.fields[process_group_id]`
`process.original_ppid`	`additional.fields[process_original_ppid]`
`process.session_id`	`additional.fields[process_session_id]`
`thread.uuid`	`additional.fields[thread_uuid]`
`thread.thread_id`	`additional.fields[thread_id]`
`seq_num`	`additional.fields[seq_num]`
`mach_time`	`additional.fields[mach_time]`
`version`	`additional.fields[version]`
`process.audit_token.euid`	`src.process.euid`
`process.audit_token.ruid`	`src.process.ruid`
`process.audit_token.egid`	`src.process.egid`
`process.audit_token.rgid`	`src.process.rgid`
`process.audit_token.pgid`	`src.process.pgid`
`process.audit_token.pid`	`src.process.pid`
`process.audit_token.uuid`	`src.process.product_specific_process_id`
`process.audit_token.signing_id`	`additional.fields[process_audit_token_signing_id]`
`process.parent_audit_token.euid`	`src.process.parent_process.euid`
`process.parent_audit_token.ruid`	`src.process.parent_process.ruid`
`process.parent_audit_token.egid`	`src.process.parent_process.egid`
`process.parent_audit_token.rgid`	`src.process.parent_process.rgid`
`process.parent_audit_token.pgid`	`src.process.parent_process.pgid`
`process.parent_audit_token.pid`	`src.process.parent_process.pid`
`process.parent_audit_token.uuid`	`src.process.parent_process.product_specific_process_id`
`process.parent_audit_token.signing_id`	`src.process.parent_process.file.signature_info.codesign.id`

Referencia de asignación de campos: campos de registro sin procesar a campos de UDM por `event_type`.

`event_type: remount`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `remount`.
	`metadata.description`	`A file system has been remounted.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `RESOURCE_CREATION`.
	`principal.user.userid`	The `principal.user.userid` UDM field is set to `null`.
`event.remount.statfs.f_owner`	`target.user.userid`
`event.remount.device.size`	`target.file.size`
`event.remount.statfs.f_fstypename`	`target.resource.resource_subtype`
`event.remount.statfs.f_mntfromname`	`src.resource.name`
`event.remount.statfs.f_mntonname`	`target.resource.name`

`event_type: screensharing_attach`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `screensharing_attach`.
	`metadata.description`	`A screen sharing session has attached to a graphical session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
`event.screensharing_attach.source_address`	`src.ip`
`event.screensharing_attach.authentication_username`	`target.user.user_display_name`
`event.screensharing_attach.session_username`	`principal.user.user_display_name`
`event.screensharing_attach.viewer_appleid`	`additional.fields[screensharing_attach.viewer_appleid]`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`.
	`security_result.category`	If the `event.screensharing_attach.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: su`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `su`.
	`metadata.description`	`A user attempts to start a new shell using a substitute user identity.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.su.argv`	`target.process.command_line`	If the `event.su.argc` log field value is not equal to `0` then, iterate through log field `event.su.argv`, then `event.su.argv` log field is mapped to the `target.process.command_line` UDM field.
`event.su.to_uid`	`target.user.userid`
`event.su.to_username`	`target.user.user_display_name`
`event.su.from_uid`	`principal.user.userid`
`event.su.from_username`	`principal.user.user_display_name`

`event_type: settime`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `settime`.
	`metadata.description`	`The system time was attempted to be set.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.

`event_type: screensharing_detach`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `screensharing_detach`.
	`metadata.description`	`A screen sharing session has detached from a graphical session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`target.user.user_display_name`	The `target.user.user_display_name` UDM field is set to `null`.
`event.screensharing_detach.source_address`	`src.ip`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `mechanism`.

`event_type: xp_malware_remediated`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `xp_malware_remediated`.
	`metadata.description`	`Apple's XProtect remediated malware on the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_FILE`.
`action.result.result.auth`	`security_result.action`
`event.xp_malware_remediated.remediated_path`	`target.file.full_path`
`event.xp_malware_remediated.action_type`	`additional.fields[xp_malware_remediated.action_type]`
`event.xp_malware_remediated.success`	`additional.fields[xp_malware_remediated.success]`
`event.xp_malware_remediated.incident_identifier`	`security_result.threat_id`
`event.xp_malware_remediated.malware_identifier`	`security_result.threat_name`
`event.xp_malware_remediated.signature_version`	`security_result.rule_id`

`event_type: xp_malware_detected`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `xp_malware_detected`.
	`metadata.description`	`Apple's XProtect detected malware on the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_FILE`.
`action.result.result.auth`	`security_result.action`
`event.xp_malware_detected.detected_path`	`target.file.full_path`
`event.xp_malware_detected.incident_identifier`	`security_result.threat_id`
`event.xp_malware_detected.malware_identifier`	`security_result.threat_name`

`event_type: authentication`

Log field	UDM mapping	Logic
	`Check additional fields in conf`
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `authentication`.
	`metadata.description`	`A user authentication has occurred.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
`event.authentication.data.od.instigator.audit_token.pid`	`principal.process.pid`
`event.authentication.data.od.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`	`JamfProtect:%{event.authentication.data.od.instigator.audit_token.uuid}` log field is mapped to the `principal.process.product_specific_process_id` UDM field.
`event.authentication.data.od.instigator.audit_token.euid`	`principal.process.euid`
`event.authentication.data.od.instigator.audit_token.ruid`	`principal.process.ruid`
`event.authentication.data.od.instigator.audit_token.rgid`	`principal.process.rgid`
`event.authentication.data.od.instigator.audit_token.pgid`	`principal.process.pgid`
`event.authentication.data.od.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.authentication.data.od.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.authentication.data.od.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.authentication.data.od.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.authentication.data.od.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.authentication.data.od.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.authentication.data.od.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.authentication.data.od.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`	`JamfProtect:%{event.authentication.data.od.instigator.parent_audit_token.uuid}` log field is mapped to the `principal.process.parent_process.product_specific_process_id` UDM field.
`event.authentication.data.od.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.authentication.data.od.instigator.executable.path`	`principal.process.file.full_path`
`event.authentication.data.od.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.authentication.data.od.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.authentication.data.od.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.authentication.data.od.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.authentication.data.od.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.authentication.data.od.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.authentication.data.od.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.authentication.data.od.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.authentication.data.od.instigator.executable.sha256`	`principal.process.file.sha256`
`event.authentication.data.od.instigator.executable.sha1`	`principal.process.file.sha1`
`event.authentication.data.od.instigator.signing_id`	`additional.fields[authentication_data_od_instigator_signing_id]`
`event.authentication.data.od.instigator.team_id`	`additional.fields[authentication_data_od_instigator_team_id]`
`event.authentication.data.od.instigator.ppid`	`rincipal.process.parent_process.pid`
`event.authentication.data.od.instigator.codesigning_flags`	`additional.fields[codesigning_flags]`
`event.authentication.data.od.instigator.cdhash`	`additional.fields[cdhash]`
`event.authentication.data.od.instigator.is_platform_binary`	`additional.fields[is_platform_binary]`
`event.authentication.data.od.instigator.is_es_client`	`additional.fields[is_es_client]`
`event.authentication.data.od.instigator.group_id`	`additional.fields[group_id]`
`event.authentication.data.od.instigator.original_ppid`	`additional.fields[original_ppid]`
`event.authentication.data.od.instigator.session_id`	`additional.fields[session_id]`
`event.authentication.data.touchid.instigator.audit_token.euid`	`principal.process.euid`
`event.authentication.data.touchid.instigator.audit_token.ruid`	`principal.process.ruid`
`event.authentication.data.touchid.instigator.audit_token.egid`	`principal.process.egid`
`event.authentication.data.touchid.instigator.audit_token.rgid`	`principal.process.rgid`
`event.authentication.data.touchid.instigator.audit_token.pgid`	`principal.process.pgid`
`event.authentication.data.touchid.instigator.audit_token.pid`	`principal.process.pid`
`event.authentication.data.touchid.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.authentication.data.touchid.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.authentication.data.touchid.instigator.parent_audit_token.euid`	`principal.parent_process.parent_process.euid`
`event.authentication.data.touchid.instigator.parent_audit_token.ruid`	`principal.parent_process.parent_process.ruid`
`event.authentication.data.touchid.instigator.parent_audit_token.egid`	`principal.parent_process.parent_process.egid`
`event.authentication.data.touchid.instigator.parent_audit_token.rgid`	`principal.parent_process.parent_process.rgid`
`event.authentication.data.touchid.instigator.parent_audit_token.pgid`	`principal.parent_process.parent_process.pgid`
`event.authentication.data.touchid.instigator.parent_audit_token.pid`	`principal.parent_process.parent_process.pid`
`event.authentication.data.touchid.instigator.parent_audit_token.uuid`	`principal.parent_process.product_specific_process_id`
`event.authentication.data.touchid.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.authentication.data.touchid.instigator.executable.path`	`principal.process.file.full_path`
`event.authentication.data.touchid.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.authentication.data.touchid.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.authentication.data.touchid.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.authentication.data.touchid.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.authentication.data.touchid.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.authentication.data.touchid.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.authentication.data.touchid.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.authentication.data.touchid.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.authentication.data.touchid.instigator.executable.sha256`	`principal.process.file.sha256`
`event.authentication.data.touchid.instigator.executable.sha1`	`principal.process.file.sha1`
`event.authentication.data.touchid.instigator.signing_id`	`additional.fields[authentication_data_touch_id_instigator_signing_id]`
`event.authentication.data.touchid.instigator.team_id`	`additional.fields[authentication_data_touch_id_instigator_team_id]`
`event.authentication.data.touchid.instigator.ppid`	`additional.fields[authentication_data_touch_id_instigator_ppid]`
`event.authentication.data.touchid.instigator.codesigning_flags`	`additional.fields[touchid_instigator_codesigning_flags]`
`event.authentication.data.touchid.instigator.cdhash`	`additional.fields[touchid_instigator_cdhash]`
`event.authentication.data.touchid.instigator.is_platform_binary`	`additional.fields[touchid_instigator_is_platform_binary]`
`event.authentication.data.touchid.instigator.is_es_client`	`additional.fields[touchid_instigator_is_es_client]`
`event.authentication.data.touchid.instigator.group_id`	`additional.fields[touchid_instigator_group_id]`
`event.authentication.data.touchid.instigator.original_ppid`	`additional.fields[touchid_instigator_original_ppid]`
`event.authentication.data.touchid.instigator.session_id`	`additional.fields[touchid_instigator_session_id]`
`event.authentication.data.token.instigator.audit_token.euid`	`principal.process.euid`
`event.authentication.data.token.instigator.audit_token.ruid`	`principal.process.ruid`
`event.authentication.data.token.instigator.audit_token.egid`	`principal.process.egid`
`event.authentication.data.token.instigator.audit_token.rgid`	`principal.process.rgid`
`event.authentication.data.token.instigator.audit_token.pgid`	`principal.process.pgid`
`event.authentication.data.token.instigator.audit_token.pid`	`principal.process.pid`
`event.authentication.data.token.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.authentication.data.token.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.authentication.data.token.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.authentication.data.token.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.authentication.data.token.instigator.parent_audit_token.egid`	`process.parent_process.egid`
`event.authentication.data.token.instigator.parent_audit_token.rgid`	`process.parent_process.rgid`
`event.authentication.data.token.instigator.parent_audit_token.pgid`	`process.parent_process.pgid`
`event.authentication.data.token.instigator.parent_audit_token.pid`	`process.parent_process.pid`
`event.authentication.data.token.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.authentication.data.token.instigator.parent_audit_token.signing_id`	`process.parent_process.file.signature_info.codesign.id`
`event.authentication.data.token.instigator.executable.path`	`principal.process.file.full_path`
`event.authentication.data.token.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.authentication.data.token.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.authentication.data.token.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.authentication.data.token.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.authentication.data.token.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.authentication.data.token.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.authentication.data.token.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.authentication.data.token.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.authentication.data.token.instigator.executable.sha256`	`principal.process.file.sha256`
`event.authentication.data.token.instigator.executable.sha1`	`principal.process.file.sha1`
`event.authentication.data.token.instigator.signing_id`	`additional.fields[authentication_data_token_instigator_signing_id]`
`event.authentication.data.token.instigator.team_id`	`additional.fields[authentication_data_token_instigator_team_id]`
`event.authentication.data.token.instigator.ppid`	`additional.fields[authentication_data_token_instigator_ppid]`
`event.authentication.data.token.instigator.codesigning_flags`	`additional.fields[instigator_codesigning_flags]`
`event.authentication.data.token.instigator.cdhash`	`additional.fields[instigator_cdhash]`
`event.authentication.data.token.instigator.is_platform_binary`	`additional.fields[instigator_is_platform_binary]`
`event.authentication.data.token.instigator.is_es_client`	`additional.fields[instigator_is_es_client]`
`event.authentication.data.token.instigator.group_id`	`additional.fields[instigator_group_id]`
`event.authentication.data.token.instigator.original_ppid`	`additional.fields[instigator_original_ppid]`
`event.authentication.data.token.instigator.session_id`	`additional.fields[instigator_session_id]`
`event.authentication.data.od.record_name`	`target.user.user_display_name`
`event.authentication.data.od.db_path`	`additional.fields[db_path]`
`event.authentication.data.od.node_name`	`additional.fields[node_name]`
`event.authentication.data.od.record_type`	`additional.fields[record_type]`
`event.authentication.data.touchid.uid`	`target.user.userid`
`event.authentication.data.touchid.touchid_mode`	`additional.fields[authentication_data_touchid_touchid_mode]`
`event.authentication.data.token.pubkey_hash`	`additional.fields[authentication_data_token_pubkey_hash]`
`event.authentication.data.token.token_id`	`additional.fields[authentication_data_token_token_id]`
`event.authentication.data.token.kerberos_principal`	`additional.fields[authentication_data_token_kerberos_principal]`
`event.authentication.data.auto_unlock.username`	`target.user.user_display_name`
`event.authentication.data.auto_unlock.type`	`additional.fields[authentication_data_auto_unlock_type]`
`event.authentication.type`	`extensions.auth.mechanism`	If the `event.authentication.type` log field value is equal to `0` then, the `extensions.auth.mechanism` UDM field is set to `USERNAME_PASSWORD`. Else If the `event.authentication.type` log field value is equal to `1` then, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_OTHER`. Else If the `event.authentication.type` log field value is equal to `2` then, the `extensions.auth.mechanism` UDM field is set to `HARDWARE_KEY`. Else, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_OTHER`.
`event.authentication.success`	`security_result.category`	If the `event.authentication.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: btm_launch_item_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `btm_launch_item_add`.
	`metadata.description`	`Apple's Background Task Manager notifies that a new persistence item has been added.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_LAUNCH`.
`event.btm_launch_item_add.instigator.audit_token.euid`	`principal.process.euid`
`event.btm_launch_item_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.btm_launch_item_add.instigator.audit_token.egid`	`principal.process.egid`
`event.btm_launch_item_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.btm_launch_item_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.btm_launch_item_add.instigator.audit_token.pid`	`principal.process.pid`
`event.btm_launch_item_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.btm_launch_item_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.btm_launch_item_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.btm_launch_item_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.btm_launch_item_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.btm_launch_item_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.btm_launch_item_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.btm_launch_item_add.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.btm_launch_item_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.btm_launch_item_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.btm_launch_item_add.instigator.executable.path`	`principal.process.file.full_path`
`event.btm_launch_item_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.btm_launch_item_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.btm_launch_item_add.instigator.executable.stat.stat_inode`	`principal.process.file.stat_inode`
`event.btm_launch_item_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.btm_launch_item_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.btm_launch_item_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.btm_launch_item_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.btm_launch_item_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.btm_launch_item_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.btm_launch_item_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.btm_launch_item_add.instigator.signing_id`	`additional.fields[btm_launch_item_add_data_token_instigator_signing_id]`
`event.btm_launch_item_add.instigator.team_id`	`additional.fields[btm_launch_item_add_data_token_instigator_team_id]`
`event.btm_launch_item_add.instigator.ppid`	`additional.fields[btm_launch_item_add_data_token_instigator_ppid]`
`event.btm_launch_item_add.instigator.codesigning_flags`	`additional.fields[btm_launch_item_add_instigator_codesigning_flags]`
`event.btm_launch_item_add.instigator.cdhash`	`additional.fields[btm_launch_item_add_instigator_cdhash]`
`event.btm_launch_item_add.instigator.is_platform_binary`	`additional.fields[btm_launch_item_add_instigator_is_platform_binary]`
`event.btm_launch_item_add.instigator.is_es_client`	`additional.fields[btm_launch_item_add_instigator_is_es_client]`
`event.btm_launch_item_add.instigator.group_id`	`additional.fields[btm_launch_item_add_instigator_group_id]`
`event.btm_launch_item_add.instigator.original_ppid`	`additional.fields[btm_launch_item_add_instigator_original_ppid]`
`event.btm_launch_item_add.instigator.session_id`	`additional.fields[btm_launch_item_add_instigator_session_id]`
`event.btm_launch_item_add.app.audit_token.euid`	`target.process.euid`
`event.btm_launch_item_add.app.audit_token.ruid`	`target.process.ruid`
`event.btm_launch_item_add.app.audit_token.egid`	`target.process.egid`
`event.btm_launch_item_add.app.audit_token.rgid`	`target.process.rgid`
`event.btm_launch_item_add.app.audit_token.pgid`	`target.process.pgid`
`event.btm_launch_item_add.app.audit_token.pid`	`target.process.pid`
`event.btm_launch_item_add.app.audit_token.uuid`	`target.process.product_specific_process_id`
`event.btm_launch_item_add.app.audit_token.signing_id`	`target.process.file.signature_info.codesign.id`
`event.btm_launch_item_add.app.parent_audit_token.euid`	`target.process.parent_process.euid`
`event.btm_launch_item_add.app.parent_audit_token.ruid`	`target.process.parent_process.ruid`
`event.btm_launch_item_add.app.parent_audit_token.egid`	`target.process.parent_process.egid`
`event.btm_launch_item_add.app.parent_audit_token.rgid`	`target.process.parent_process.rgid`
`event.btm_launch_item_add.app.parent_audit_token.pid`	`target.process.parent_process.pid`
`event.btm_launch_item_add.app.parent_audit_token.uuid`	`target.process.parent_process.product_specific_process_id`
`event.btm_launch_item_add.app.parent_audit_token.signing_id`	`target.process.parent_process.file.signature_info.codesign.id`
`event.btm_launch_item_add.app.executable.path`	`target.process.file.full_path`
`event.btm_launch_item_add.app.executable.stat.st_dev`	`target.process.file.stat_dev`
`event.btm_launch_item_add.app.executable.stat.st_flags`	`target.process.file.stat_flags`
`event.btm_launch_item_add.app.executable.stat.st_ino`	`target.process.file.stat_inode`
`event.btm_launch_item_add.app.executable.stat.st_mode`	`target.process.file.stat_mode`
`event.btm_launch_item_add.app.executable.stat.st_mtimespec`	`target.process.file.last_modification_time`
`event.btm_launch_item_add.app.executable.stat.st_atimespec`	`target.process.file.last_access_time`
`event.btm_launch_item_add.app.executable.stat.st_nlink`	`target.process.file.stat_nlink`
`event.btm_launch_item_add.app.executable.stat.st_size`	`target.process.file.size`
`event.btm_launch_item_add.app.executable.sha256`	`target.process.file.sha256`
`event.btm_launch_item_add.app.executable.sha1`	`target.process.file.sha1`
`event.btm_launch_item_add.app.signing_id`	`additional.fields[btm_launch_item_add_app_signing_id]`
`event.btm_launch_item_add.app.team_id`	`additional.fields[btm_launch_item_add_app_team_id]`
`event.btm_launch_item_add.app.ppid`	`additional.fields[btm_launch_item_add_app_ppid]`
`event.btm_launch_item_add.app.codesigning_flags`	`additional.fields[btm_launch_item_add_app_codesigning_flags]`
`event.btm_launch_item_add.app.cdhash`	`additional.fields[btm_launch_item_add_app_cdhash]`
`event.btm_launch_item_add.app.is_platform_binary`	`additional.fields[btm_launch_item_add_app_is_platform_binary]`
`event.btm_launch_item_add.app.is_es_client`	`additional.fields[btm_launch_item_add_app_is_es_client]`
`event.btm_launch_item_add.app.group_id`	`additional.fields[btm_launch_item_add_app_group_id]`
`event.btm_launch_item_add.app.original_ppid`	`additional.fields[btm_launch_item_add_app_group_id]`
`event.btm_launch_item_add.app.session_id`	`additional.fields[btm_launch_item_add_app_session_id]`
`event.btm_launch_item_add.executable_path`	`target.file.full_path`	If the `event.btm_launch_item_add.item.item_type` log field value is equal to `4` or the `event.btm_launch_item_add.item.item_type` log field value is equal to `3` and if the `event.btm_launch_item_add.executable_path` log field value is `not empty` and if the `event.btm_launch_item_add.executable_path` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_add.executable_path` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_add.executable_path` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.executable_path}` log field is mapped to the `target.file.full_path` UDM field. Else If the `event.btm_launch_item_add.item.item_url` log field value is `not empty` and if the `event.btm_launch_item_add.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_add.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_add.item.item_url` log field is mapped to the `target.resource.name` UDM field. Else, `%{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url}` log field is mapped to the `target.resource.name` UDM field.
`event.btm_launch_item_add.item.item_url`	`target.file.full_path`	If the `event.btm_launch_item_add.item.item_type` log field value is equal to `0` or the `event.btm_launch_item_add.item.item_type` log field value is equal to `1` or the `event.btm_launch_item_add.item.item_type` log field value is equal to `2` and if the `event.btm_launch_item_add.item.item_url` log field value is not empty and if the `event.btm_launch_item_add.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_add.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then the `event.btm_launch_item_add.item.item_url` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_add.item.app_url}%{event.btm_launch_item_add.item.item_url}` log field is mapped to the `target.file.full_path` UDM field.
`event.btm_launch_item_add.item.uid`	`target.user.userid`
`event.btm_launch_item_add.item.item_type`	`target.application`	If the `event.btm_launch_item_add.item.item_type` log field value is equal to `0` then, the `target.application` UDM field is set to `USER_ITEM`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `1` then, the `target.application` UDM field is set to `APP`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `2` then, the `target.application` UDM field is set to `LOGIN_ITEM`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `3` then, the `target.application` UDM field is set to `AGENT`. Else, if `event.btm_launch_item_add.item.item_type` log field value is equal to `4` then, the `target.application` UDM field is set to `DAEMON`.
`event.btm_launch_item_add.item.managed`	`additional.fields[btm_launch_item_add_item_managed]`
`event.btm_launch_item_add.item.legacy`	`additional.fields[btm_launch_item_add_item_legacy]`

`event_type: btm_launch_item_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `btm_launch_item_remove`.
	`metadata.description`	`Apple's Background Task Manager notified that an item has been removed.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_TERMINATION`.
`event.btm_launch_item_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.btm_launch_item_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.btm_launch_item_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.btm_launch_item_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.btm_launch_item_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.btm_launch_item_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.btm_launch_item_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.btm_launch_item_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.btm_launch_item_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.btm_launch_item_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.btm_launch_item_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.btm_launch_item_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.btm_launch_item_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.btm_launch_item_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.btm_launch_item_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.btm_launch_item_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.btm_launch_item_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.btm_launch_item_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.btm_launch_item_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.btm_launch_item_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.btm_launch_item_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.btm_launch_item_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.btm_launch_item_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.btm_launch_item_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.btm_launch_item_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.btm_launch_item_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.btm_launch_item_remove.instigator.codesigning_flags`	`additional.fields[btm_launch_item_remove_instigator_codesigning_flags]`
`event.btm_launch_item_remove.instigator.cdhash`	`additional.fields[btm_launch_item_remove_instigator_cdhash]`
`event.btm_launch_item_remove.instigator.is_es_client`	`additional.fields[btm_launch_item_remove_instigator_is_es_client]`
`event.btm_launch_item_remove.instigator.group_id`	`additional.fields[btm_launch_item_remove_instigator_group_id]`
`event.btm_launch_item_remove.instigator.original_ppid`	`additional.fields[btm_launch_item_remove_instigator_original_ppid]`
`event.btm_launch_item_remove.instigator.session_id`	`additional.fields[btm_launch_item_remove_instigator_session_id]`
`event.btm_launch_item_remove.app.audit_token.euid`	`target.process.euid`
`event.btm_launch_item_remove.app.audit_token.ruid`	`target.process.ruid`
`event.btm_launch_item_remove.app.audit_token.egid`	`target.process.egid`
`event.btm_launch_item_remove.app.audit_token.rgid`	`target.process.rgid`
`event.btm_launch_item_remove.app.audit_token.pgid`	`target.process.pgid`
`event.btm_launch_item_remove.app.audit_token.pid`	`target.process.pid`
`event.btm_launch_item_remove.app.audit_token.uuid`	`target.process.product_specific_process_id`
`event.btm_launch_item_remove.app.audit_token.signing_id`	`target.process.file.signature_info.codesign.id`
`event.btm_launch_item_remove.app.parent_audit_token.euid`	`target.process.parent_process.euid`
`event.btm_launch_item_remove.app.parent_audit_token.ruid`	`target.process.parent_process.ruid`
`event.btm_launch_item_remove.app.parent_audit_token.egid`	`target.process.parent_process.egid`
`event.btm_launch_item_remove.app.parent_audit_token.rgid`	`target.process.parent_process.rgid`
`event.btm_launch_item_remove.app.parent_audit_token.pgid`	`target.process.parent_process.pgid`
`event.btm_launch_item_remove.app.parent_audit_token.pid`	`target.process.parent_process.pid`
`event.btm_launch_item_remove.app.parent_audit_token.uuid`	`target.process.parent_process.product_specific_process_id`
`event.btm_launch_item_remove.app.executable.path`	`target.process.file.full_path`
`event.btm_launch_item_remove.app.executable.stat.st_dev`	`target.process.file.stat_dev`
`event.btm_launch_item_remove.app.executable.stat.st_flags`	`target.process.file.stat_flags`
`event.btm_launch_item_remove.app.executable.stat.st_ino`	`target.process.file.stat_inode`
`event.btm_launch_item_remove.app.executable.stat.st_mode`	`target.process.file.stat_mode`
`event.btm_launch_item_remove.app.executable.stat.st_mtimespec`	`target.process.file.last_modification_time`
`event.btm_launch_item_remove.app.executable.stat.st_atimespec`	`target.process.file.last_access_time`
`event.btm_launch_item_remove.app.executable.stat.st_nlink`	`target.process.file.stat_nlink`
`event.btm_launch_item_remove.app.executable.stat.st_size`	`target.process.file.size`
`event.btm_launch_item_remove.app.executable.sha256`	`target.process.file.sha256`
`event.btm_launch_item_remove.app.executable.sha1`	`target.process.file.sha1`
`event.btm_launch_item_remove.app.signing_id`	`additional.fields[btm_launch_item_remove_app_signing_id]`
`event.btm_launch_item_remove.app.team_id`	`additional.fields[btm_launch_item_remove_app_team]`
`event.btm_launch_item_remove.app.ppid`	`additional.fields[btm_launch_item_remove_app_ppid]`
`event.btm_launch_item_remove.app.codesigning_flags`	`additional.fields[btm_launch_item_remove_app_codesigning_flags]`
`event.btm_launch_item_remove.app.cdhash`	`additional.fields[btm_launch_item_remove_app_cdhash]`
`event.btm_launch_item_remove.app.is_platform_binary`	`additional.fields[additional.fields[btm_launch_item_remove_app_cdhash]]`
`event.btm_launch_item_remove.app.is_es_client`	`additional.fields[additional.fields[btm_launch_item_remove_app_is_es_client]]`
`event.btm_launch_item_remove.app.group_id`	`additional.fields[additional.fields[btm_launch_item_remove_app_group_id]]`
`event.btm_launch_item_remove.app.original_ppid`	`additional.fields[additional.fields[btm_launch_item_remove_app_original_ppid]]`
`event.btm_launch_item_remove.app.session_id`	`additional.fields[additional.fields[btm_launch_item_remove_app_session_id]]`
`event.btm_launch_item_remove.item.app_url`	`target.file.full_path`	If the `event.btm_launch_item_remove.item.item_url` log field value is `not empty` and if the `event.btm_launch_item_remove.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_remove.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_remove.item.item_url` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url}` log field is mapped to the `target.file.full_path` UDM field.
`event.btm_launch_item_remove.item.item_url`	`target.file.full_path`	If the `event.btm_launch_item_remove.item.item_url` log field value is `not empty` and if the `event.btm_launch_item_remove.item.item_url` log field value matches the regular expression pattern `/^file:./` or the `event.btm_launch_item_remove.item.item_url` log field value does not match the regular expression pattern `/^[a-zA-Z0-9]` then, `event.btm_launch_item_remove.item.item_url` log field is mapped to the `target.file.full_path` UDM field. Else, `%{event.btm_launch_item_remove.item.app_url}%{event.btm_launch_item_remove.item.item_url}` log field is mapped to the `target.file.full_path` UDM field.
`event.btm_launch_item_remove.item.uid`	`target.user.userid`
`event.btm_launch_item_remove.executable_path`	`target.file.full_path`
`event.btm_launch_item_remove.item.item_type`	`target.application`	If the `event.btm_launch_item_remove.item.item_type` log field value is equal to `0` then, the `target.application` UDM field is set to `USER_ITEM`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `1` then, the `target.application` UDM field is set to `APP`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `2` then, the `target.application` UDM field is set to `LOGIN_ITEM`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `3` then, the `target.application` UDM field is set to `AGENT`. Else, if `event.btm_launch_item_remove.item.item_type` log field value is equal to `4` then, the `target.application` UDM field is set to `DAEMON`.
`event.btm_launch_item_remove.item.managed`	`additional.fields[btm_launch_item_remove_item_managed]`
`event.btm_launch_item_remove.item.legacy`	`additional.fields[btm_launch_item_remove_item_legacy]`
`event.btm_launch_item_remove.app.parent_audit_token.signing_id`	`target.process.parent_process.file.signature_info.codesign.id`

`event_type: chroot`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `chroot`.
	`metadata.description`	`A piece of software has changed its apparent root directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `FILE_MODIFICATION`.
`event.chroot.target.path`	`target.file.full_path`
`event.chroot.target.stat.st_dev`	`target.file.stat_dev`
`event.chroot.target.stat.st_flags`	`target.file.stat_flags`
`event.chroot.target.stat.st_ino`	`target.file.stat_inode`
`event.chroot.target.stat.st_mode`	`target.file.stat_mode`
`event.chroot.target.stat.st_mtimespec`	`target.file.last_modification_time`
`event.chroot.target.stat.st_atimespec`	`target.file.last_access_time`
`event.chroot.target.stat.st_nlink`	`target.file.stat_nlink`
`event.chroot.target.stat.st_size`	`target.file.size`
`event.chroot.target.sha256`	`target.file.sha256`
`event.chroot.target.sha1`	`target.file.sha1`

`event_type: exec`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `exec`.
	`metadata.description`	`An executable has been loaded into memory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_LAUNCH`.
`process.responsible_audit_token.euid`	`principal.process.euid`
`process.responsible_audit_token.ruid`	`principal.process.ruid`
`process.responsible_audit_token.egid`	`principal.process.egid`
`process.responsible_audit_token.rgid`	`principal.process.rgid`
`process.responsible_audit_token.pgid`	`principal.process.pgid`
`process.responsible_audit_token.pid`	`principal.process.pid`
`process.responsible_audit_token.uuid`	`principal.process.product_specific_process_id`
`process.responsible_audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.exec.target.audit_token.euid`	`target.process.euid`
`event.exec.target.audit_token.ruid`	`target.process.ruid`
`event.exec.target.audit_token.egid`	`target.process.egid`
`event.exec.target.audit_token.rgid`	`target.process.rgid`
`event.exec.target.audit_token.pgid`	`target.process.pgid`
`event.exec.target.audit_token.pid`	`target.process.pid`
`event.exec.target.audit_token.uuid`	`target.process.product_specific_process_id`
`event.exec.target.parent_audit_token.euid`	`target.process.parent_process.euid`
`event.exec.target.parent_audit_token.ruid`	`target.process.parent_process.ruid`
`event.exec.target.parent_audit_token.egid`	`target.process.parent_process.egid`
`event.exec.target.parent_audit_token.rgid`	`target.process.parent_process.rgid`
`event.exec.target.parent_audit_token.pgid`	`target.process.parent_process.pgid`
`event.exec.target.parent_audit_token.pid`	`target.process.parent_process.pid`
`event.exec.target.parent_audit_token.uuid`	`target.process.parent_process.product_specific_process_id`
`event.exec.target.parent_audit_token.signing_id`	`target.process.parent_process.file.signature_info.codesign.id`
`event.exec.target.executable.path`	`target.process.file.full_path`
`event.exec.target.executable.stat.st_dev`	`target.process.file.stat_dev`
`event.exec.target.executable.stat.st_flags`	`target.process.file.stat_flags`
`event.exec.target.executable.stat.st_ino`	`target.process.file.stat_inode`
`event.exec.target.executable.stat.st_mode`	`target.process.file.stat_mode`
`event.exec.target.executable.stat.st_mtimespec`	`target.process.file.last_modification_time`
`event.exec.target.executable.stat.st_atimespec`	`target.process.file.last_access_time`
`event.exec.target.executable.stat.st_nlink`	`target.process.file.stat_nlink`
`event.exec.target.executable.stat.st_size`	`target.process.file.size`
`event.exec.target.executable.sha256`	`target.process.file.sha256`
`event.exec.target.executable.sha1`	`target.process.file.sha1`
`event.exec.target.signing_id`	`additional.fields[exec_target_signing_id]`
`event.exec.target.team_id`	`additional.fields[exec_target_team_id]`
`event.exec.target.ppid`	`additional.fields[exec_target_ppid]`
`event.exec.target.codesigning_flags`	`additional.fields[exec_target_codesigning_flags]`
`event.exec.target.cdhash`	`additional.fields[exec_target_cdhash]`
`event.exec.target.is_platform_binary`	`additional.fields[exec_target_is_platform_binary]`
`event.exec.target.is_es_client`	`additional.fields[exec_target_is_es_client]`
`event.exec.target.group_id`	`additional.fields[exec_target_group_id]`
`event.exec.target.original_ppid`	`additional.fields[exec_target_original_ppid]`
`event.exec.target.session_id`	`additional.fields[exec_target_session_id]`
`event.exec.args`	`target.process.command_line`
`event.exec.cwd.path`	`additional.fields[exec_cwd_path]`
`event.exec.dyld_exec_path`	`additional.fields[exec_dyld_exec_path]`
`event.exec.script.path`	`additional.fields[exec_script_path]`
`event.exec.tty.path`	`additional.fields[exec_tty_path]`
`event.exec.image_cpusubtype`	`additional.fields[exec_image_cpusubtype]`
`event.exec.image_cputype`	`additional.fields[exec_image_cputype]`
`event.exec.target.audit_token.signing_id`	`target.process.file.signature_info.codesign.id`

`event_type: file_collection`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `file_collection`.
	`metadata.description`	`Event occurs when data from a Diagnsostic or Crash Report file is collected from the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.file_collection.path`	`target.file.path`
`event.file_collection.size`	`target.file.size`
`event.file_collection.contents`	`additional.fields[file_collection_contents]`

`event_type: kextload`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `kextload`.
	`metadata.description`	`A kernel extension (kext) was loaded.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.kextload.identifier`	`target.resource.name`

`event_type: kextunload`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `kextunload`.
	`metadata.description`	`A kernel extension (kext) was unloaded.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.kextunload.identifier`	`target.resource.name`

`event_type: log_collection`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `log_collection`.
	`metadata.description`	`Collection of entries from a local log file.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.log_collection.texts`	`target.file.names`
`event.log_collection.path.0`	`target.file.full_path`

`event_type: login_login`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `login_login`.
	`metadata.description`	`A user attempted to log in via /usr/bin/login.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.login_login.uid`	`target.user.userid`
`event.login_login.username`	`target.user.user_display_name`
`event.login_login.success`	`security_result.category`	If the `event.login_login.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.
`event.login_login.failure_message`	`security_result.category_details`	If the `event.login_login.success` log field value is equal to `false` then, `event.login_login.failure_message` log field is mapped to the `security_result.category_details` UDM field.

`event_type: login_logout`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `login_logout`.
	`metadata.description`	`A user logged out via /usr/bin/login.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.login_logout.uid`	`target.user.userid`
`event.login_logout.username`	`target.user.user_display_name`

`event_type: lw_session_login`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_login`.
	`metadata.description`	`A user has logged in via the Login Window.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_login.username`	`target.user.user_display_name`

`event_type: bios_uefi`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `bios_uefi`.
	`metadata.description`	`Information about the current version of bios and uefi on the device.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.bios_uefi.firmware-version`	`additional.fields[bios_uefi_firmware_version]`
`event.bios_uefi.system-firmware-version`	`additional.fields[bios_uefi_system_firmware_version]`
`event.bios_uefi.architecture`	`additional.fields[bios_uefi_architecture]`
`event.bios_uefi.bios.firmware-version`	`additional.fields[bios_uefi_bios_firmware_version]`
`event.bios_uefi.bios.vendor`	`additional.fields[bios_uefi_bios_vendor]`
`event.bios_uefi.bios.firmware-features`	`additional.fields[bios_uefi_bios_firmware_features]`
`event.bios_uefi.bios.rom-size`	`additional.fields[bios_uefi_bios_rom_size]`
`event.bios_uefi.bios.booter-version`	`additional.fields[bios_uefi_bios_booter_version]`

`event_type: cs_invalidated`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `cs_invalidated`.
	`metadata.description`	`A process has had its code signature marked as invalid.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.

`event_type: gatekeeper_user_override`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `gatekeeper_user_override`.
	`metadata.description`	`A user overrides Gatekeeper.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.gatekeeper_user_override.file.path`	`target.file.full_path`
`event.gatekeeper_user_override.file.stat.st_dev`	`target.file.stat_dev`
`event.gatekeeper_user_override.file.stat.st_flags`	`target.file.stat_flags`
`event.gatekeeper_user_override.file.stat.st_ino`	`target.file.stat_inode`
`event.gatekeeper_user_override.file.stat.st_mode`	`target.file.stat_mode`
`event.gatekeeper_user_override.file.stat.st_mtimespec`	`target.file.last_modification_time`
`event.gatekeeper_user_override.file.stat.st_atimespec`	`target.file.last_access_time`
`event.gatekeeper_user_override.file.stat.st_nlink`	`target.file.stat_nlink`
`event.gatekeeper_user_override.file.stat.st_size`	`target.file.size`
`event.gatekeeper_user_override.file.sha256`	`target.file.sha256`
`event.gatekeeper_user_override.file.sha1`	`target.file.sha1`
`event.gatekeeper_user_override.signing_info.signing_id`	`additional.fields[exec_gatekeeper_user_override_signing_info_signing_id]`
`event.gatekeeper_user_override.signing_info.team_id`	`additional.fields[gatekeeper_user_override_signing_info_team_id]`
`event.gatekeeper_user_override.signing_info.cdhash`	`additional.fields[gatekeeper_user_override_signing_info_cdhash]`
`event.gatekeeper_user_override.file_type`	`additional.fields[gatekeeper_user_override_file_type]`
`event.gatekeeper_user_override.sha256`	`additional.fields[gatekeeper_user_override_sha256]`

`event_type: lw_session_unlock`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_unlock`.
	`metadata.description`	`A user has unlocked the screen from the Login Window.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_unlock.username`	`target.user.user_display_name`

`event_type: lw_session_lock`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_lock`.
	`metadata.description`	`A user has locked the screen.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_lock.username`	`target.user.user_display_name`

`event_type: lw_session_logout`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `lw_session_logout`.
	`metadata.description`	`A user has logged out of an active graphical session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`extensions.auth.type`	The `extensions.auth.type` UDM field is set to `MACHINE`.
`event.lw_session_logout.username`	`target.user.user_display_name`

`event_type: mount`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `mount`.
	`metadata.description`	`A file system has been mounted.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.mount.statfs.f_owner`	`principal.user.userid`
`event.mount.device.size`	`target.file.size`
`event.mount.statfs.f_fstypename`	`target.resource.resource_subtype`
`event.mount.statfs.f_mntfromname`	`src.resource.name`
`event.mount.statfs.f_mntonname`	`target.resource.name`
`event.mount.device.protocol`	`additional.fields[mount_device_protocol]`
`event.mount.disposition`	`additional.fields[mount_disposition]`
`event.mount.device.serial_number`	`target.asset.hardware.serial_number`	If the `event.mount.device.serial_number` log field value is `not empty` or the `event.mount.device.vendor_name` log field value is `not empty` or the `event.mount.device.device_model` log field value is `not empty` then, `event.mount.device.serial_number` log field is mapped to the `target.asset.hardware.serial_number` UDM field.
`event.mount.device.vendor_name`	`target.asset.hardware.manufacturer`	If the `event.mount.device.serial_number` log field value is `not empty` or the `event.mount.device.vendor_name` log field value is `not empty` or the `event.mount.device.device_model` log field value is `not empty` then, `event.mount.device.vendor_name` log field is mapped to the `target.asset.hardware.manufacturer` UDM field.
`event.mount.device.device_model`	`target.asset.hardware.model`	If the `event.mount.device.serial_number` log field value is `not empty` or the `event.mount.device.vendor_name` log field value is `not empty` or the `event.mount.device.device_model` log field value is `not empty` then, `event.mount.device.device_model` log field is mapped to the `target.asset.hardware.model` UDM field.

`event_type: od_attribute_set`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_attribute_set`.
	`metadata.description`	`Attribute set on user or group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_RESOURCE_UPDATE_CONTENT`.
`event.od_attribute_set.instigator.audit_token.euid`	`principal.process.euid`
`event.od_attribute_set.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_attribute_set.instigator.audit_token.egid`	`principal.process.egid`
`event.od_attribute_set.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_attribute_set.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_attribute_set.instigator.audit_token.pid`	`principal.process.pid`
`event.od_attribute_set.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_attribute_set.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_attribute_set.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_attribute_set.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_attribute_set.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_attribute_set.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_attribute_set.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_attribute_set.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_attribute_set.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_attribute_set.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_attribute_set.instigator.executable.path`	`principal.process.file.full_path`
`event.od_attribute_set.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_attribute_set.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_attribute_set.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_attribute_set.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_attribute_set.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_attribute_set.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_set.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_set.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_attribute_set.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_attribute_set.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_attribute_set.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_attribute_set.instigator.signing_id`	`additional.fields[od_attribute_set_instigator_signing_id]`
`event.od_attribute_set.instigator.team_id`	`additional.fields[od_attribute_set_instigator_team_id]`
`event.od_attribute_set.instigator.ppid`	`additional.fields[od_attribute_set_instigator_codesigning_flags]`
`event.od_attribute_set.instigator.codesigning_flags`	`additional.fields[od_attribute_set_instigator_ppid]`
`event.od_attribute_set.instigator.cdhash`	`additional.fields[od_attribute_set_instigator_cdhash]`
`event.od_attribute_set.instigator.is_platform_binary`	`additional.fields[od_attribute_set_instigator_is_platform_binary]`
`event.od_attribute_set.instigator.is_es_client`	`additional.fields[od_attribute_set_instigator_is_es_client]`
`event.od_attribute_set.instigator.group_id`	`additional.fields[od_attribute_set_instigator_group_id]`
`event.od_attribute_set.instigator.original_ppid`	`additional.fields[od_attribute_set_instigator_original_ppid]`
`event.od_attribute_set.instigator.session_id`	`additional.fields[od_attribute_set_instigator_session_id]`
`event.od_attribute_set.attribute_name`	`target.resource.resource_subtype`
`event.od_attribute_value_add.attribute_value`	`target.resource.name`
`event.od_attribute_set.record_name`	`target.user.user_display_name`
`event.od_attribute_set.instigator_token.euid`	`principal.user.userid`
`event.od_attribute_set.db_path`	`additional.fields[event_od_attribute_set_db_path]`
`event.od_attribute_set.node_name`	`additional.fields[event_od_attribute_set_node_name]`
`event.od_attribute_set.record_type`	`additional.fields[event_od_attribute_set_record_type]`
`event.od_attribute_set.error_code`	`additional.fields[event_od_attribute_set_error_code]`

`event_type: od_attribute_value_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_attribute_value_add`.
	`metadata.description`	`Attribute set on user or group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.od_attribute_value_add.instigator.audit_token.euid`	`principal.process.euid`
`event.od_attribute_value_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_attribute_value_add.instigator.audit_token.egid`	`principal.process.egid`
`event.od_attribute_value_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_attribute_value_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_attribute_value_add.instigator.audit_token.pid`	`principal.process.pid`
`event.od_attribute_value_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_attribute_value_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_attribute_value_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_attribute_value_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_attribute_value_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_attribute_value_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_attribute_value_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_attribute_set.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_attribute_value_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_attribute_value_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_attribute_value_add.instigator.executable.path`	`principal.process.file.full_path`
`event.od_attribute_value_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_attribute_value_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_attribute_value_add.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_attribute_value_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_attribute_value_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_attribute_value_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_value_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_attribute_value_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_attribute_value_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_attribute_value_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_attribute_value_add.instigator.signing_id`	`additional.fields[od_attribute_value_add_instigator_signing_id]`
`event.od_attribute_value_add.instigator.team_id`	`additional.fields[od_attribute_value_add_instigator_team_id]`
`event.od_attribute_value_add.instigator.ppid`	`additional.fields[od_attribute_value_add_instigator_ppid]`
`event.od_attribute_value_add.instigator.codesigning_flags`	`additional.fields[od_attribute_set_instigator_codesigning_flags]`
`event.od_attribute_value_add.instigator.cdhash`	`additional.fields[od_attribute_value_add_instigator_codesigning_flags]`
`event.od_attribute_value_add.instigator.is_platform_binary`	`additional.fields[od_attribute_set_instigator_is_platform_binary]`
`event.od_attribute_value_add.instigator.is_es_client`	`additional.fields[od_attribute_value_add_instigator_is_es_client]`
`event.od_attribute_value_add.instigator.group_id`	`additional.fields[od_attribute_value_add_instigator_group_id]`
`event.od_attribute_value_add.instigator.original_ppid`	`additional.fields[od_attribute_value_add_instigator_original_pp]`
`event.od_attribute_value_add.instigator.session_id`	`additional.fields[od_attribute_value_add_instigator_session_id]`
`event.od_attribute_value_add.attribute_name`	`target.resource.resource_subtype`
`event.od_attribute_value_add.attribute_value`	`target.resource.name`
`event.od_attribute_value_add.record_name`	`target.user.user_display_name`
`event.od_attribute_value_add.db_path`	`additional.fields[od_attribute_value_add_db_path]`
`event.od_attribute_value_add.node_name`	`additional.fields[od_attribute_value_add_node_name]`
`event.od_attribute_value_add.record_type`	`additional.fields[od_attribute_value_add_record_type]`
`event.od_attribute_value_add.error_code`	`additional.fields[od_attribute_value_add_error_code]`

`event_type: od_attribute_value_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_attribute_value_remove`.
	`metadata.description`	`Attribute removed from a user or group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_RESOURCE_DELETION`.
`event.od_attribute_value_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.od_attribute_value_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_attribute_value_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.od_attribute_value_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_attribute_value_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_attribute_value_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.od_attribute_value_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_attribute_value_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_attribute_value_remove.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_attribute_value_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_attribute_value_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_attribute_value_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_attribute_value_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_attribute_value_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_attribute_value_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_attribute_value_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_attribute_value_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.od_attribute_value_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_attribute_value_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_attribute_value_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_attribute_value_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_attribute_value_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_attribute_value_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_attribute_value_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_attribute_value_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_attribute_value_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_attribute_value_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_attribute_value_remove.instigator.codesigning_flags`	`additional.fields[od_attribute_value_remove_instigator_codesigning_flags]`
`event.od_attribute_value_remove.instigator.cdhash`	`additional.fields[od_attribute_value_remove_instigator_codesigning_flags]`
`event.od_attribute_value_remove.instigator.is_platform_binary`	`additional.fields[od_attribute_value_remove_instigator_is_platform_binary]`
`event.od_attribute_value_remove.instigator.is_es_client`	`additional.fields[od_attribute_value_remove_instigator_is_es_client]`
`event.od_attribute_value_remove.instigator.group_id`	`additional.fields[od_attribute_value_remove_instigator_group_id]`
`event.od_attribute_value_remove.instigator.original_ppid`	`additional.fields[od_attribute_value_remove_instigator_original_pp]`
`event.od_attribute_value_remove.instigator.session_id`	`additional.fields[od_attribute_value_remove_instigator_session_id]`
`event.od_attribute_value_remove.attribute_name`	`target.resource.resource_subtype`
`event.od_attribute_value_remove.attribute_value`	`target.resource.name`
`event.od_attribute_value_remove.record_name`	`target.user.user_display_name`
`event.od_attribute_value_remove.db_path`	`additional.fields[od_attribute_value_remove_db_path]`
`event.od_attribute_value_remove.node_name`	`additional.fields[od_attribute_value_remove_node_name]`
`event.od_attribute_value_remove.record_type`	`additional.fields[od_attribute_value_remove_record_type]`
`event.od_attribute_value_remove.error_code`	`additional.fields[od_attribute_value_remove_error_code]`

`event_type: od_create_group`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_create_group`.
	`metadata.description`	`A group has been created using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_CREATION`.
`event.od_create_group.instigator.audit_token.euid`	`principal.process.euid`
`event.od_create_group.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_create_group.instigator.audit_token.egid`	`principal.process.egid`
`event.od_create_group.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_create_group.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_create_group.instigator.audit_token.pid`	`principal.process.pid`
`event.od_create_group.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_create_group.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_create_group.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_create_group.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_create_group.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_create_group.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_create_group.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_create_group.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_create_group.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_create_group.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_create_group.instigator.executable.path`	`principal.process.file.full_path`
`event.od_create_group.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_create_group.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_create_group.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_create_group.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_create_group.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_create_group.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_create_group.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_create_group.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_create_group.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_create_group.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_create_group.instigator.signing_id`	`additional.fields[od_create_group_instigator_signing_id]`
`event.od_create_group.instigator.team_id`	`additional.fields[od_create_group_instigator_team_id]`
`event.od_create_group.instigator.ppid`	`additional.fields[od_create_group_instigator_ppid]`
`event.od_create_group.instigator.codesigning_flags`	`additional.fields[od_create_group_instigator_codesigning_flags]`
`event.od_create_group.instigator.cdhash`	`additional.fields[od_create_group_instigator_cdhash]`
`event.od_create_group.instigator.is_platform_binary`	`additional.fields[od_create_group_instigator_is_platform_binary]`
`event.od_create_group.instigator.is_es_client`	`additional.fields[od_create_group_instigator_is_es_client]`
`event.od_create_group.instigator.group_id`	`additional.fields[od_create_group_instigator_group_id]`
`event.od_create_group.instigator.original_ppid`	`additional.fields[od_create_group_instigator_original_pp]`
`event.od_create_group.instigator.session_id`	`additional.fields[od_create_group_instigator_session_id]`
`event.od_create_group.group_name`	`target.group.group_display_name`
`event.od_create_group.instigator_token.euid`	`principal.user.userid`
`od_create_group.db_path`	`additional.fields[od_create_group_db_path]`
`event.od_create_group.node_name`	`additional.fields[od_create_group_node_name]`
`event.od_create_group.error_code`	`additional.fields[od_create_group_error_code]`

`event_type: od_delete_group`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_delete_group`.
	`metadata.description`	`A group has been deleted using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_DELETION`.
`event.od_delete_group.instigator.audit_token.euid`	`principal.process.euid`
`event.od_delete_group.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_delete_group.instigator.audit_token.egid`	`principal.process.egid`
`event.od_delete_group.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_delete_group.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_delete_group.instigator.audit_token.pid`	`principal.process.pid`
`event.od_delete_group.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_delete_group.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_delete_group.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_delete_group.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_delete_group.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_delete_group.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_delete_group.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_delete_group.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_delete_group.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_delete_group.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_delete_group.instigator.executable.path`	`principal.process.file.full_path`
`event.od_delete_group.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_delete_group.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_delete_group.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_delete_group.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_delete_group.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_delete_group.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_delete_group.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_delete_group.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_delete_group.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_delete_group.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_delete_group.instigator.signing_id`	`additional.fields[od_delete_group_instigator_signing_id]`
`event.od_delete_group.instigator.team_id`	`additional.fields[od_delete_group_instigator_team_id]`
`event.od_delete_group.instigator.ppid`	`additional.fields[od_delete_group_instigator_ppid]`
`event.od_delete_group.instigator.codesigning_flags`	`additional.fields[od_delete_group_instigator_codesigning_flags]`
`event.od_delete_group.instigator.cdhash`	`additional.fields[od_delete_group_instigator_cdhash]`
`event.od_delete_group.instigator.is_platform_binary`	`additional.fields[od_delete_group_instigator_is_platform_binary]`
`event.od_delete_group.instigator.is_es_client`	`additional.fields[od_delete_group_instigator_is_es_client]`
`event.od_delete_group.instigator.group_id`	`additional.fields[od_delete_group_instigator_group_id]`
`event.od_delete_group.instigator.original_ppid`	`additional.fields[od_delete_group_instigator_original_pp]`
`event.od_delete_group.instigator.session_id`	`additional.fields[od_delete_group_instigator_session_id]`
`event.od_delete_group.group_name`	`target.group.group_display_name`
`event.od_delete_group.instigator_token.euid`	`principal.user.userid`
`od_delete_group.db_path`	`additional.fields[od_delete_group_db_path]`
`event.od_delete_group.node_name`	`additional.fields[od_delete_group_node_name]`
`event.od_delete_group.error_code`	`additional.fields[od_delete_group_error_code]`

`event_type: od_create_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_create_user`.
	`metadata.description`	`A user has been created using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_CREATION`.
`event.od_create_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_create_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_create_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_create_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_create_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_create_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_create_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_create_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_create_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_create_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_create_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_create_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_create_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_create_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_create_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_create_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_create_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_create_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_create_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_create_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_create_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_create_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_create_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_create_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_create_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_create_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_create_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_create_user.instigator.signing_id`	`additional.fields[od_create_user_instigator_signing_id]`
`event.od_create_user.instigator.team_id`	`additional.fields[od_create_user_instigator_team_id]`
`event.od_create_user.instigator.ppid`	`additional.fields[od_create_user_instigator_ppid]`
`event.od_create_user.instigator.codesigning_flags`	`additional.fields[od_create_user_instigator_codesigning_flags]`
`event.od_create_user.instigator.cdhash`	`additional.fields[od_create_user_instigator_cdhash]`
`event.od_create_user.instigator.is_platform_binary`	`additional.fields[od_create_user_instigator_is_platform_binary]`
`event.od_create_user.instigator.is_es_client`	`additional.fields[od_create_user_instigator_is_es_client]`
`event.od_create_user.instigator.group_id`	`additional.fields[od_create_user_instigator_group_id]`
`event.od_create_user.instigator.original_ppid`	`additional.fields[od_create_user_instigator_original_pp]`
`event.od_create_user.instigator.session_id`	`additional.fields[od_create_user_instigator_session_id]`
`event.od_create_user.user_name`	`target.user.userid`
`event.od_create_user.instigator_token.euid`	`principal.user.userid`
`event.od_create_user.db_path`	`additional.fields[od_create_user_db_path]`
`event.od_create_user.node_name`	`additional.fields[od_create_user_node_name]`
`event.od_create_user.error_code`	`additional.fields[od_create_user_error_code]`

`event_type: od_delete_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_delete_user`.
	`metadata.description`	`A user has been deleted using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_DELETION`.
`event.od_delete_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_delete_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_delete_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_delete_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_delete_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_delete_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_delete_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_delete_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_delete_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_delete_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_delete_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_delete_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_delete_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_delete_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_delete_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_delete_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_delete_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_delete_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_delete_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_delete_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_delete_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_delete_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_delete_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_delete_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_delete_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_delete_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_delete_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_delete_user.instigator.signing_id`	`additional.fields[od_delete_user_instigator_signing_id]`
`event.od_delete_user.instigator.team_id`	`additional.fields[od_delete_user_instigator_team_id]`
`event.od_delete_user.instigator.ppid`	`additional.fields[od_delete_user_instigator_ppid]`
`event.od_delete_user.instigator.codesigning_flags`	`additional.fields[od_delete_user_instigator_codesigning_flags]`
`event.od_delete_user.instigator.cdhash`	`additional.fields[od_delete_user_instigator_cdhash]`
`event.od_delete_user.instigator.is_platform_binary`	`additional.fields[od_delete_user_instigator_is_platform_binary]`
`event.od_delete_user.instigator.is_es_client`	`additional.fields[od_delete_user_instigator_is_es_client]`
`event.od_delete_user.instigator.group_id`	`additional.fields[od_delete_user_instigator_group_id]`
`event.od_delete_user.instigator.original_ppid`	`additional.fields[od_delete_user_instigator_original_pp]`
`event.od_delete_user.instigator.session_id`	`additional.fields[od_delete_user_instigator_session_id]`
`event.od_delete_user.user_name`	`target.user.userid`
`event.od_delete_user.instigator_token.euid`	`principal.user.userid`
`event.od_delete_user.db_path`	`additional.fields[od_delete_user_db_path]`
`event.od_delete_user.node_name`	`additional.fields[od_delete_user_node_name]`
`event.od_delete_user.error_code`	`additional.fields[od_delete_user_error_code]`
`event.od_disable_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`

`event_type: od_disable_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_disable_user`.
	`metadata.description`	`A user has been disabled using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_UNCATEGORIZED`.
`event.od_disable_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_disable_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_disable_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_disable_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_disable_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_disable_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_disable_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_disable_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_disable_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_disable_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_disable_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_disable_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_disable_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_disable_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_disable_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_disable_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_disable_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_disable_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_disable_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_disable_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_disable_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_disable_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_disable_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_disable_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_disable_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_disable_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_disable_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_disable_user.instigator.codesigning_flags`	`additional.fields[od_disable_user_instigator_codesigning_flags]`
`event.od_disable_user.instigator.cdhash`	`additional.fields[od_disable_user_instigator_codesigning_flags]`
`event.od_disable_user.instigator.is_platform_binary`	`additional.fields[od_disable_user_instigator_is_platform_binary]`
`event.od_disable_user.instigator.is_es_client`	`additional.fields[od_disable_user_instigator_is_es_client]`
`event.od_disable_user.instigator.group_id`	`additional.fields[od_disable_user_instigator_group_id]`
`event.od_disable_user.instigator.original_ppid`	`additional.fields[od_disable_user_instigator_original_pp]`
`event.od_disable_user.instigator.session_id`	`additional.fields[od_disable_user_instigator_session_id]`
`event.od_disable_user.user_name`	`target.user.user_display_name`
`event.od_disable_user.instigator_token.euid`	`principal.user.userid`
`event.od_disable_user.db_path`	`additional.fields[od_disable_user_db_path]`
`event.od_disable_user.node_name`	`additional.fields[od_disable_user_node_name]`
`event.od_disable_user.error_code`	`additional.fields[od_disable_user_error_code]`

`event_type: od_enable_user`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_enable_user`.
	`metadata.description`	`A user has been enabled using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_UNCATEGORIZED`.
`event.od_enable_user.instigator.audit_token.euid`	`principal.process.euid`
`event.od_enable_user.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_enable_user.instigator.audit_token.egid`	`principal.process.egid`
`event.od_enable_user.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_enable_user.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_enable_user.instigator.audit_token.pid`	`principal.process.pid`
`event.od_enable_user.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_enable_user.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_enable_user.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_enable_user.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_enable_user.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_enable_user.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_enable_user.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_enable_user.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_enable_user.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_enable_user.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_enable_user.instigator.executable.path`	`principal.process.file.full_path`
`event.od_enable_user.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_enable_user.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_enable_user.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_enable_user.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_enable_user.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_enable_user.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_enable_user.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_enable_user.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_enable_user.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_enable_user.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_enable_user.instigator.signing_id`	`additional.fields[od_enable_user_instigator_signing_id]`
`event.od_enable_user.instigator.team_id`	`additional.fields[od_enable_user_instigator_team_id]`
`event.od_enable_user.instigator.ppid`	`additional.fields[od_enable_user_instigator_ppid]`
`event.od_enable_user.instigator.codesigning_flags`	`additional.fields[od_enable_user_instigator_codesigning_flags]`
`event.od_enable_user.instigator.cdhash`	`additional.fields[od_enable_user_instigator_cdhash]`
`event.od_enable_user.instigator.is_platform_binary`	`additional.fields[od_enable_user_instigator_is_platform_binary]`
`event.od_enable_user.instigator.is_es_client`	`additional.fields[od_enable_user_instigator_is_es_client]`
`event.od_enable_user.instigator.group_id`	`additional.fields[od_enable_user_instigator_group_id]`
`event.od_enable_user.instigator.original_ppid`	`additional.fields[od_enable_user_instigator_original_pp]`
`event.od_enable_user.instigator.session_id`	`additional.fields[od_enable_user_instigator_session_id]`
`event.od_enable_user.user_name`	`target.user.user_display_name`
`event.od_enable_user.instigator_token.euid`	`principal.user.userid`
`event.od_enable_user.db_path`	`additional.fields[od_enable_user_db_path]`
`event.od_enable_user.node_name`	`additional.fields[od_enable_user_node_name]`
`event.od_enable_user.error_code`	`additional.fields[od_enable_user_error_code]`

`event_type: od_group_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_group_add`.
	`metadata.description`	`A member has been added to a group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_MODIFICATION`.
`event.od_group_add.instigator.audit_token.euid`	`principal.process.euid`
`event.od_group_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_group_add.instigator.audit_token.egid`	`principal.process.egid`
`event.od_group_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_group_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_group_add.instigator.audit_token.pid`	`principal.process.pid`
`event.od_group_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_group_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_group_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_group_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_group_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_group_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_group_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_group_add.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_group_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_group_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_group_add.instigator.executable.path`	`principal.process.file.full_path`
`event.od_group_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_group_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_group_add.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_group_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_group_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_group_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_group_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_group_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_group_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_group_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_group_add.instigator.signing_id`	`additional.fields[od_group_add_instigator_signing_id]`
`event.od_group_add.instigator.team_id`	`additional.fields[od_group_add_instigator_team_id]`
`event.od_group_add.instigator.ppid`	`additional.fields[od_group_add_instigator_ppid]`
`event.od_group_add.instigator.codesigning_flags`	`additional.fields[od_group_add_instigator_codesigning_flags]`
`event.od_group_add.instigator.cdhash`	`additional.fields[od_group_add_instigator_cdhash]`
`event.od_group_add.instigator.is_platform_binary`	`additional.fields[od_group_add_instigator_is_platform_binary]`
`event.od_group_add.instigator.is_es_client`	`additional.fields[od_group_add_instigator_is_es_client]`
`event.od_group_add.instigator.group_id`	`additional.fields[od_group_add_instigator_group_id]`
`event.od_group_add.instigator.original_ppid`	`additional.fields[od_group_add_instigator_original_pp]`
`event.od_group_add.instigator.session_id`	`additional.fields[od_group_add_instigator_session_id]`
`event.od_group_add.group_name`	`target.group.group_display_name`
`event.od_group_add.member.member_value`	`target.user.user_display_name`
`event.od_group_add.instigator_token.euid`	`principal.user.userid`
`event.od_group_add.db_path`	`additional.fields[od_group_add_db_path]`
`event.od_group_add.node_name`	`additional.fields[od_group_add_node_name]`
`event.od_group_add.error_code`	`additional.fields[od_group_add_error_code]`

`event_type: od_group_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_group_remove`.
	`metadata.description`	`A member has been removed from a group using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_MODIFICATION`.
`event.od_group_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.od_group_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_group_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.od_group_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_group_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_group_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.od_group_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_group_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_group_remove.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_group_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_group_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_group_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_group_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_group_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_group_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_group_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_group_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.od_group_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_group_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_group_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_group_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_group_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_group_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_group_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_group_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_group_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_group_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_group_remove.instigator.signing_id`	`additional.fields[od_group_remove_instigator_signing_id]`
`event.od_group_remove.instigator.team_id`	`additional.fields[od_group_remove_instigator_team_id]`
`event.od_group_remove.instigator.ppid`	`additional.fields[od_group_remove_instigator_ppid]`
`event.od_group_remove.instigator.codesigning_flags`	`additional.fields[od_group_remove_instigator_codesigning_flags]`
`event.od_group_remove.instigator.cdhash`	`additional.fields[od_group_remove_instigator_cdhash]`
`event.od_group_remove.instigator.is_platform_binary`	`additional.fields[od_group_remove_instigator_is_platform_binary]`
`event.od_group_remove.instigator.is_es_client`	`additional.fields[od_group_remove_instigator_is_es_client]`
`event.od_group_remove.instigator.group_id`	`additional.fields[od_group_remove_instigator_group_id]`
`event.od_group_remove.instigator.original_ppid`	`additional.fields[od_group_remove_instigator_original_pp]`
`event.od_group_remove.instigator.session_id`	`additional.fields[od_group_remove_instigator_session_id]`
`event.od_group_remove.group_name`	`target.group.group_display_name`
`event.od_group_remove.member.member_value`	`target.user.user_display_name`
`event.od_group_remove.instigator_token.euid`	`principal.user.userid`
`event.od_group_remove.db_path`	`additional.fields[od_group_remove_db_path]`
`event.od_group_remove.node_name`	`additional.fields[od_group_remove_node_name]`
`event.od_group_remove.error_code`	`additional.fields[od_group_remove_error_code]`

`event_type: od_group_set`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_group_set`.
	`metadata.description`	`A group has a member initialized or replaced using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GROUP_MODIFICATION`.
`event.od_group_set.instigator.audit_token.euid`	`principal.process.euid`
`event.od_group_set.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_group_set.instigator.audit_token.egid`	`principal.process.egid`
`event.od_group_set.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_group_set.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_group_set.instigator.audit_token.pid`	`principal.process.pid`
`event.od_group_set.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_group_set.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_group_set.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_group_set.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_group_set.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_group_set.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_group_set.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_group_set.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_group_set.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_group_set.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_group_set.instigator.executable.path`	`principal.process.file.full_path`
`event.od_group_set.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_group_set.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_group_set.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_group_set.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_group_set.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_group_set.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_group_set.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_group_set.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_group_set.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_group_set.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_group_set.instigator.signing_id`	`additional.fields[od_group_set_instigator_signing_id]`
`event.od_group_set.instigator.team_id`	`additional.fields[od_group_set_instigator_team_id]`
`event.od_group_set.instigator.ppid`	`additional.fields[od_group_set_instigator_ppid]`
`event.od_group_set.instigator.codesigning_flags`	`additional.fields[od_group_set_instigator_codesigning_flags]`
`event.od_group_set.instigator.cdhash`	`additional.fields[od_group_set_instigator_cdhash]`
`event.od_group_set.instigator.is_platform_binary`	`additional.fields[od_group_set_instigator_is_platform_binary]`
`event.od_group_set.instigator.is_es_client`	`additional.fields[od_group_set_instigator_is_es_client]`
`event.od_group_set.instigator.group_id`	`additional.fields[od_group_set_instigator_group_id]`
`event.od_group_set.instigator.original_ppid`	`additional.fields[od_group_set_instigator_original_pp]`
`event.od_group_set.instigator.session_id`	`additional.fields[od_group_set_instigator_session_id]`
`event.od_group_set.group_name`	`target.group.group_display_name`
`event.od_group_set.member.member_array`	`target.user.user_display_name`
`event.od_group_set.instigator_token.euid`	`principal.user.userid`
`event.od_group_set.db_path`	`additional.fields[od_group_set_db_path]`
`event.od_group_set.node_name`	`additional.fields[od_group_set_node_name]`
`event.od_group_set.error_code`	`additional.fields[od_group_set_error_code]`

`event_type: od_modify_password`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `od_modify_password`.
	`metadata.description`	`A group has a member initialized or replaced using Open Directory.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_CHANGE_PASSWORD`.
`event.od_modify_password.instigator.audit_token.euid`	`principal.process.euid`
`event.od_modify_password.instigator.audit_token.ruid`	`principal.process.ruid`
`event.od_modify_password.instigator.audit_token.egid`	`principal.process.egid`
`event.od_modify_password.instigator.audit_token.rgid`	`principal.process.rgid`
`event.od_modify_password.instigator.audit_token.pgid`	`principal.process.pgid`
`event.od_modify_password.instigator.audit_token.pid`	`principal.process.pid`
`event.od_modify_password.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.od_modify_password.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.od_modify_password.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.od_modify_password.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.od_modify_password.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.od_modify_password.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.od_modify_password.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.od_modify_password.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.od_modify_password.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.od_modify_password.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.od_modify_password.instigator.executable.path`	`principal.process.file.full_path`
`event.od_modify_password.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.od_modify_password.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.od_modify_password.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.od_modify_password.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.od_modify_password.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.od_modify_password.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.od_modify_password.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.od_modify_password.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.od_modify_password.instigator.executable.sha256`	`principal.process.file.sha256`
`event.od_modify_password.instigator.executable.sha1`	`principal.process.file.sha1`
`event.od_modify_password.instigator.signing_id`	`additional.fields[od_modify_password_instigator_signing_id]`
`event.od_modify_password.instigator.team_id`	`additional.fields[od_modify_password_instigator_team_id]`
`event.od_modify_password.instigator.ppid`	`additional.fields[od_modify_password_instigator_ppid]`
`event.od_modify_password.instigator.codesigning_flags`	`additional.fields[od_modify_password_instigator_codesigning_flags]`
`event.od_modify_password.instigator.cdhash`	`additional.fields[od_modify_password_instigator_cdhash]`
`event.od_modify_password.instigator.is_platform_binary`	`additional.fields[od_modify_password_instigator_is_platform_binary]`
`event.od_modify_password.instigator.is_es_client`	`additional.fields[od_modify_password_instigator_is_es_client]`
`event.od_modify_password.instigator.group_id`	`additional.fields[od_modify_password_instigator_group_id]`
`event.od_modify_password.instigator.original_ppid`	`additional.fields[od_modify_password_instigator_original_pp]`
`event.od_modify_password.instigator.session_id`	`additional.fields[od_modify_password_instigator_session_id]`
`event.od_modify_password.account_name`	`target.user.user_display_name`
`event.od_modify_password.instigator_token.euid`	`principal.user.userid`
`event.od_modify_password.db_path`	`additional.fields[od_modify_password_db_path]`
`event.od_modify_password.node_name`	`additional.fields[od_modify_password_node_name]`
`event.od_modify_password.error_code`	`additional.fields[od_modify_password_error_code]`

`event_type: openssh_login`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_login`.
	`metadata.description`	`A user has logged into the system via OpenSSH.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SSH`.
`event.openssh_login.source_address`	`src.ip`
`event.openssh_login.uid`	`target.user.userid`
`openssh_login.username`	`target.user.user_display_name`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`.
`event.openssh_login.success`	`security_result.category`	If the `event.openssh_login.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: openssh_logout`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_logout`.
	`metadata.description`	`A user has logged out of an OpenSSH session.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGOUT`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SSH`.
`event.openssh_logout.source_address`	`src.ip`
`event.openssh_logout.uid`	`target.user.userid`
`openssh_logout.username`	`target.user.user_display_name`
	`extensions.auth.mechanism`	The `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`.

`event_type: profile_add`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_logout`.
	`metadata.description`	`A configuration profile is installed on the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SETTING_CREATION`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `SETTING`.
`event.profile_add.instigator.audit_token.euid`	`principal.process.euid`
`event.profile_add.instigator.audit_token.ruid`	`principal.process.ruid`
`event.profile_add.instigator.audit_token.egid`	`principal.process.egid`
`event.profile_add.instigator.audit_token.rgid`	`principal.process.rgid`
`event.profile_add.instigator.audit_token.pgid`	`principal.process.pgid`
`event.profile_add.instigator.audit_token.pid`	`principal.process.pid`
`event.profile_add.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.profile_add.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.profile_add.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.profile_add.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.profile_add.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.profile_add.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.profile_add.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.profile_add.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.profile_add.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.profile_add.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.profile_add.instigator.executable.path`	`principal.process.file.full_path`
`event.profile_add.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.profile_add.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.profile_add.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.profile_add.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.profile_add.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.profile_add.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.profile_add.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.profile_add.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.profile_add.instigator.executable.sha256`	`principal.process.file.sha256`
`event.profile_add.instigator.executable.sha1`	`principal.process.file.sha1`
`event.profile_add.instigator.signing_id`	`additional.fields[profile_add_instigator_signing_id]`
`event.profile_add.instigator.team_id`	`additional.fields[profile_add_instigator_team_id]`
`event.profile_add.instigator.ppid`	`additional.fields[profile_add_instigator_ppid]`
`event.profile_add.instigator.codesigning_flags`	`additional.fields[profile_add_instigator_codesigning_flags]`
`event.profile_add.instigator.cdhash`	`additional.fields[profile_add_instigator_cdhash]`
`event.profile_add.instigator.is_platform_binary`	`additional.fields[profile_add_instigator_is_platform_binary]`
`event.profile_add.instigator.is_es_client`	`additional.fields[profile_add_instigator_is_es_client]`
`event.profile_add.instigator.group_id`	`additional.fields[profile_add_instigator_group_id]`
`event.profile_add.instigator.original_ppid`	`additional.fields[profile_add_instigator_original_pp]`
`event.profile_add.instigator.session_id`	`additional.fields[profile_add_instigator_session_id]`
`event.profile_add.profile.scope`	`target.resource.resource_subtype`
`event.profile_add.profile.uuid`	`target.resource.product_object_id`
`event.profile_add.profile.display_name`	`target.resource.name`
`event.profile_add.is_update`	`additional.fields[profile_add_is_update]`
`event.profile_add.profile.identifier`	`additional.fields[profile_add_profile_identifier]`
`event.profile_add.profile.install_source`	`additional.fields[profile_add_profile_install_source]`
`event.profile_add.profile.organization`	`additional.fields[profile_add_profile_organization]`

`event_type: profile_remove`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `openssh_logout`.
	`metadata.description`	`A configuration profile is removed from the system.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SETTING_DELETION`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `SETTING`.
`event.profile_remove.instigator.audit_token.euid`	`principal.process.euid`
`event.profile_remove.instigator.audit_token.ruid`	`principal.process.ruid`
`event.profile_remove.instigator.audit_token.egid`	`principal.process.egid`
`event.profile_remove.instigator.audit_token.rgid`	`principal.process.rgid`
`event.profile_remove.instigator.audit_token.pgid`	`principal.process.pgid`
`event.profile_remove.instigator.audit_token.pid`	`principal.process.pid`
`event.profile_remove.instigator.audit_token.uuid`	`principal.process.product_specific_process_id`
`event.profile_remove.instigator.audit_token.signing_id`	`principal.process.file.signature_info.codesign.id`
`event.profile_remove.instigator.parent_audit_token.euid`	`principal.process.parent_process.euid`
`event.profile_remove.instigator.parent_audit_token.ruid`	`principal.process.parent_process.ruid`
`event.profile_remove.instigator.parent_audit_token.egid`	`principal.process.parent_process.egid`
`event.profile_remove.instigator.parent_audit_token.rgid`	`principal.process.parent_process.rgid`
`event.profile_remove.instigator.parent_audit_token.pgid`	`principal.process.parent_process.pgid`
`event.profile_remove.instigator.parent_audit_token.pid`	`principal.process.parent_process.pid`
`event.profile_remove.instigator.parent_audit_token.uuid`	`principal.process.parent_process.product_specific_process_id`
`event.profile_remove.instigator.parent_audit_token.signing_id`	`principal.process.parent_process.file.signature_info.codesign.id`
`event.profile_remove.instigator.executable.path`	`principal.process.file.full_path`
`event.profile_remove.instigator.executable.stat.st_dev`	`principal.process.file.stat_dev`
`event.profile_remove.instigator.executable.stat.st_flags`	`principal.process.file.stat_flags`
`event.profile_remove.instigator.executable.stat.st_ino`	`principal.process.file.stat_inode`
`event.profile_remove.instigator.executable.stat.st_mode`	`principal.process.file.stat_mode`
`event.profile_remove.instigator.executable.stat.st_mtimespec`	`principal.process.file.last_modification_time`
`event.profile_remove.instigator.executable.stat.st_atimespec`	`principal.process.file.last_access_time`
`event.profile_remove.instigator.executable.stat.st_nlink`	`principal.process.file.stat_nlink`
`event.profile_remove.instigator.executable.stat.st_size`	`principal.process.file.size`
`event.profile_remove.instigator.executable.sha256`	`principal.process.file.sha256`
`event.profile_remove.instigator.executable.sha1`	`principal.process.file.sha1`
`event.profile_remove.instigator.signing_id`	`additional.fields[profile_remove_instigator_signing_id]`
`event.profile_remove.instigator.team_id`	`additional.fields[profile_remove_instigator_team_id]`
`event.profile_remove.instigator.ppid`	`additional.fields[profile_remove_instigator_ppid]`
`event.profile_remove.instigator.codesigning_flags`	`additional.fields[profile_remove_instigator_codesigning_flags]`
`event.profile_remove.instigator.cdhash`	`additional.fields[profile_remove_instigator_cdhash]`
`event.profile_remove.instigator.is_platform_binary`	`additional.fields[profile_remove_instigator_is_platform_binary]`
`event.profile_remove.instigator.is_es_client`	`additional.fields[profile_remove_instigator_is_es_client]`
`event.profile_remove.instigator.group_id`	`additional.fields[profile_remove_instigator_group_id]`
`event.profile_remove.instigator.original_ppid`	`additional.fields[profile_remove_instigator_original_pp]`
`event.profile_remove.instigator.session_id`	`additional.fields[profile_remove_instigator_session_id]`
`event.profile_remove.profile.scope`	`target.resource.resource_subtype`
`event.profile_remove.profile.uuid`	`target.resource.product_object_id`
`event.profile_remove.profile.display_name`	`target.resource.name`
`event.profile_remove.is_update`	`additional.fields[profile_remove_is_update]`
`event.profile_remove.profile.identifier`	`additional.fields[profile_remove_profile_identifier]`
`event.profile_remove.profile.install_source`	`additional.fields[profile_remove_profile_install_source]`
`event.profile_remove.profile.organization`	`additional.fields[profile_remove_profile_organization]`

`event_type: sudo`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `sudo`.
	`metadata.description`	`A sudo attempt occurred.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.sudo.reject_info.plugin_name`	`additional.fields[sudo_reject_info_plugin_name]`
`event.sudo.reject_info.failure_message`	`additional.fields[sudo_reject_info_failure_message]`
`event.sudo.reject_info.plugin_type`	`additional.fields[sudo_reject_info_plugin_type]`
`event.sudo.from_uid`	`principal.user.userid`
`event.sudo.from_username`	`principal.user.user_display_name`
`event.sudo.command`	`target.process.command_line`
`event.sudo.to_uid`	`target.user.userid`
`event.sudo.to_username`	`target.user.user_display_name`
`event.sudo.success`	`security_result.category`	If the `event.sudo.success` log field value is equal to `false` then, the `security_result.category` UDM field is set to `AUTH_VIOLATION`.

`event_type: system_performance`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `system_performance`.
	`metadata.description`	`Event occurs on a regular interval to collect application performance data.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.performance.metrics.hw_model`	`additional.fields[performance_metrics_hw_model]`
`event.performance.page_info.page`	`additional.fields[performance_page_info_page]`
`udm.performance.page_info.total`	`additional.fields[performance_page_info_total]`
`event.performance.metrics.tasks.name`	`additional.fields[task_name]`
`event.performance.metrics.tasks.energy_impact`	`additional.fields[task_energy_impact]`

`event_type: unmount`

Log field	UDM mapping	Logic
	`metadata.product_event_type`	The `metadata.product_event_type` UDM field is set to `unmount`.
	`metadata.description`	`A file system has been unmounted.` value is set to the `metadata.description` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`event.unmount.statfs.f_owner`	`target.user.userid`
`event.unmount.device.size`	`target.file.size`
`event.unmount.statfs.f_fstypename`	`target.resource.resource_subtype`
`event.unmount.statfs.f_mntfromname`	`target.resource.name`
`event.unmount.device.protocol`	`additional.fields[unmount_device_protocol]`
`event.unmount.device.serial_number`	`target.asset.hardware.serial_number`	If the `event.unmount.device.serial_number` log field value is `not empty` or the `event.unmount.device.vendor_name` log field value is `not empty` or the `event.unmount.device.device_model` log field value is `not empty` then, `event.unmount.device.serial_number` log field is mapped to the `target.asset.hardware.serial_number` UDM field.
`event.unmount.device.device_model`	`target.asset.hardware.model`	If the `event.unmount.device.serial_number` log field value is `not empty` or the `event.unmount.device.vendor_name` log field value is `not empty` or the `event.unmount.device.device_model` log field value is `not empty` then, `event.unmount.device.device_model` log field is mapped to the `target.asset.hardware.model` UDM field.
`event.unmount.device.vendor_name`	`target.asset.hardware.manudacturer`	If the `event.unmount.device.serial_number` log field value is `not empty` or the `event.unmount.device.vendor_name` log field value is `not empty` or the `event.unmount.device.device_model` log field value is `not empty` then, `event.unmount.device.vendor_name` log field is mapped to the `target.asset.hardware.manufacturer` UDM field.

¿Necesitas más ayuda? Recibe respuestas de los miembros de la comunidad y de los profesionales de Google SecOps.

Recoger registros de telemetría de Jamf Protect V2

Antes de empezar

Configurar un feed en Google SecOps para ingerir registros de telemetría de Jamf Protect V2

Configurar un feed de ingestión en Google SecOps con Amazon S3 V2

Configurar un feed de ingesta en Google SecOps mediante un webhook

Crear una clave de API para un feed de webhook

Configurar Jamf Protect Telemetry V2 para un feed de webhook

Referencia de asignación de campos

Referencia de asignación de campos: identificador de evento a tipo de evento

Referencia de asignación de campos: JAMF_TELEMETRY_V2 - Common Fields

Referencia de asignación de campos: campos de registro sin procesar a campos de UDM por event_type.

event_type: remount

event_type: screensharing_attach

event_type: su

event_type: settime

event_type: screensharing_detach

event_type: xp_malware_remediated

event_type: xp_malware_detected

event_type: authentication

event_type: btm_launch_item_add

event_type: btm_launch_item_remove

event_type: chroot

event_type: exec

event_type: file_collection

event_type: kextload

event_type: kextunload

event_type: log_collection

event_type: login_login

event_type: login_logout

event_type: lw_session_login

event_type: bios_uefi

event_type: cs_invalidated

event_type: gatekeeper_user_override

event_type: lw_session_unlock

event_type: lw_session_lock

event_type: lw_session_logout

event_type: mount

event_type: od_attribute_set

event_type: od_attribute_value_add

event_type: od_attribute_value_remove

event_type: od_create_group

event_type: od_delete_group

event_type: od_create_user

event_type: od_delete_user

event_type: od_disable_user

event_type: od_enable_user

event_type: od_group_add

event_type: od_group_remove

event_type: od_group_set

event_type: od_modify_password

event_type: openssh_login

event_type: openssh_logout

event_type: profile_add

event_type: profile_remove

event_type: sudo

event_type: system_performance

event_type: unmount