Recoger registros de osquery
En este documento se describe cómo puedes recoger registros de osquery configurando osquery y un reenviador de Google Security Operations. En este documento también se indican los tipos de registros y las versiones de osquery compatibles.
Para obtener más información, consulta Ingestión de datos en Google Security Operations.
Información general
En el siguiente diagrama de arquitectura de implementación se muestra cómo se configuran los agentes de osquery y el servidor de Fleet para enviar registros a Google Security Operations. Cada implementación de cliente puede ser diferente de esta representación y puede ser más compleja.
En el diagrama de arquitectura se muestran los siguientes componentes:
Sistema Linux: el sistema Linux que se va a monitorizar en el que está instalado el agente osquery.
Sistema Microsoft Windows: el sistema Microsoft Windows que se va a monitorizar y en el que está instalado el agente osquery.
Sistema Mac: el sistema Mac que se va a monitorizar y en el que está instalado el agente osquery
Agente osquery: recoge información del sistema Microsoft Windows, Linux o Mac y la reenvía al servidor de flota.
Servidor de flota: monitoriza y recibe información de los agentes de osquery, analiza los registros y los reenvía al reenviador de Google Security Operations.
Agente de Bindplane: el agente de Bindplane obtiene registros de osquery y los envía a Google SecOps.
Reenviador de Google Security Operations: un componente de software ligero que se implementa en la red del cliente para reenviar los registros a Google Security Operations.
Google Security Operations: conserva y analiza los registros del servidor de la flota.
Una etiqueta de ingestión identifica el analizador que normaliza los datos de registro sin procesar en formato UDM estructurado. La información de este documento se aplica al analizador con la etiqueta de ingestión OSQUERY_EDR.
Antes de empezar
Instala el servidor de Fleet. Para instalar el servidor de Fleet, sigue estos pasos:
Usa una versión de osquery compatible con el analizador de Google Security Operations, es decir, la 5.2.3 y la 5.3.0.
Verifica que todos los sistemas de la arquitectura de implementación estén configurados en la zona horaria UTC.
Comprueba que los nombres de las tablas de Fleet se ajustan a la documentación oficial de Fleet.
Configurar el agente y el servidor de osquery, así como el reenviador de Google Security Operations
Para configurar el servidor de Fleet y el reenviador de Google Security Operations, haz lo siguiente:
Para configurar el servidor de Fleet, haz lo siguiente:
Añade hosts a Fleet Server e instala el agente osquery. Puedes añadir tu host al servidor de Fleet con un instalador de osquery. El servidor de flota ayuda a generar un instalador de osquery con el comando de paquete fleetctl.
- Ejecuta el comando del paquete fleetctl instalando la herramienta de línea de comandos fleetctl.
- Instala el agente de osquery con el comando de paquete fleetctl.
Cuando instalas el instalador de osquery generado en un host, este se registra automáticamente en la instancia de Fleet especificada.
Obtener los registros del agente de osquery. Para crear una consulta en Fleet para obtener los registros, consulta Crear una consulta. Para programar una consulta, consulta Programar una consulta.
Configura el reenviador de Google Security Operations en un dispositivo Linux central para enviar los registros al sistema de Google Security Operations. Para obtener más información, consulte Instalar y configurar el reenviador en Linux. A continuación, se muestra un ejemplo de configuración de un reenviador de Google SecOps:
- file: common: enabled: true data_type: OSQUERY_EDR data_hint: batch_n_seconds: 10 batch_n_bytes: 1048576 skip_seek_to_end: true file_path: <log_file_path> filter:
Reenviar registros a Google SecOps mediante el agente Bindplane
- Instala y configura una máquina virtual Linux.
- Instala y configura el agente de Bindplane en Linux para reenviar registros a Google SecOps. Para obtener más información sobre cómo instalar y configurar el agente de Bindplane, consulta las instrucciones de instalación y configuración del agente de Bindplane.
Si tienes problemas al crear feeds, ponte en contacto con el equipo de Asistencia de SecOps de Google.
Formatos de registro de osquery admitidos
El analizador de osquery admite registros en formato JSON.
Registros de ejemplo de osquery admitidos
JSON:
{ "name": "account_policy_data", "hostIdentifier": "dummyhostidentifier", "calendarTime": "Tue May 17 11:27:28 2022 UTC", "unixTime": 1652786848, "epoch": 0, "counter": 0, "numerics": false, "decorations": { "host_uuid": "dummy_host_uuid", "hostname": "dummyhostname" }, "columns": { "creation_time": "1637733429.23442", "failed_login_count": "0", "failed_login_timestamp": "0.0", "password_last_set_time": "1645164584.43137", "uid": "501" }, "action": "added" }
Referencia de asignación de campos
En esta sección se explica cómo asigna el analizador de Google Security Operations los campos de registro de osquery a los campos del modelo de datos unificado (UDM) de Google Security Operations para el esquema y el sistema operativo. Para obtener más información, consulta el esquema de osquery de la versión 5.2.3 y la versión 5.3.0.
account_policy_data
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema account_policy_data y al SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| uid | principal.user.userid |
| creation_time | principal.user.attribute.creation_time |
| failed_login_count | principal.user.attribute.labels.key/value |
| failed_login_timestamp | principal.user.attribute.labels.key/value |
| password_last_set_time | principal.user.attribute.labels.key/value |
ad_config
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema ad_config y al SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | about.labels.key/value (obsoleto) additional.fields |
| dominio | target.administrative_domain |
| opción | about.labels.key (obsoleto) additional.fields.key |
| valor | about.labels.value (obsoleto) additional.fields.value.string_value |
alf
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes a los esquemas alf y OS macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| allow_signed_enabled | about.labels.key/value (obsoleto) additional.fields |
| firewall_unload | about.labels.key/value (obsoleto) additional.fields |
| global_state | about.labels.key/value (obsoleto) additional.fields |
| logging_enabled | about.labels.key/value (obsoleto) additional.fields |
| logging_option | about.labels.key/value (obsoleto) additional.fields |
| stealth_enabled | about.labels.key/value (obsoleto) additional.fields |
| version | target.platform_version |
alf_exceptions
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema alf_exceptions y el sistema operativo macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| estado | about.labels.key/value (obsoleto) additional.fields |
alf_explicit_auths
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema alf_explicit_auths y al SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| process | target.process.pid |
app_schemes
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema app_schemes y el SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| scheme | about.labels.key/value (obsoleto) additional.fields |
| handler | about.labels.key/value (obsoleto) additional.fields |
| habilitada | about.labels.key/value (obsoleto) additional.fields |
| externa | about.labels.key/value (obsoleto) additional.fields |
| protegido | about.labels.key/value (obsoleto) additional.fields |
apparmor_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema apparmor_events y el SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| mensaje | metadata.description |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| Tiempo de actividad | about.labels.key/value (obsoleto) additional.fields |
| EID | security_result.rule_id |
| apparmor | security_result.action |
| operación | about.labels.key/value (obsoleto) additional.fields |
| parent | target.process.parent_process.pid |
| perfil | about.labels.key/value (obsoleto) additional.fields |
| name | about.labels.key/value (obsoleto) additional.fields |
| pid | target.process.pid |
| comm | target.process.command_line |
| denied_mask | about.labels.key/value (obsoleto) additional.fields |
| capname | about.labels.key/value (obsoleto) additional.fields |
| fsuid | target.user.attribute.labels.key/value |
| ouid | target.user.attribute.labels.key/value |
| capability | about.labels.key/value (obsoleto) additional.fields |
| requested_mask | target.process.access_mask |
| información | about.labels.key/value (obsoleto) additional.fields |
| error | security_result.summary |
| espacio de nombres | about.labels.key/value (obsoleto) additional.fields |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
apparmor_profiles
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema apparmor_profiles y el SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| name | target.resource.name |
| montar | about.labels.key/value (obsoleto) additional.fields |
| modo | about.labels.key/value (obsoleto) additional.fields |
| sha1 | target.file.sha1 |
aplicaciones
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para las aplicaciones de esquema y el SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | target.application |
| ruta | target.file.full_path |
| bundle_executable | about.labels.key/value (obsoleto) additional.fields |
| bundle_identifier | target.resource.product_object_id |
| bundle_name | target.resource.name |
| bundle_short_version | target.resource.attribute.labels.key/value |
| bundle_version | target.resource.attribute.labels.key/value |
| bundle_package_type | about.labels.key/value (obsoleto) additional.fields |
| entorno | about.labels.key/value (obsoleto) additional.fields |
| elemento | about.labels.key/value (obsoleto) additional.fields |
| Compilador | about.labels.key/value (obsoleto) additional.fields |
| development_region | about.location.country_or_region |
| display_name | about.labels.key/value (obsoleto) additional.fields |
| info_string | about.labels.key/value (obsoleto) additional.fields |
| minimum_system_version | about.labels.key/value (obsoleto) additional.fields |
| categoría | about.labels.key/value (obsoleto) additional.fields |
| applescript_enabled | about.labels.key/value (obsoleto) additional.fields |
| derechos de autor | about.labels.key/value (obsoleto) additional.fields |
| last_opened_time | target.file.last_seen_time |
asl
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema asl y el SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| time_nano_sec | about.labels.key/value (obsoleto) additional.fields |
| host | target.hostname |
| sender | about.labels.key/value (obsoleto) additional.fields |
| centro | about.labels.key/value (obsoleto) additional.fields |
| pid | target.process.pid |
| gid | target.user.group_identifiers |
| uid | target.user.userid |
| nivel | about.labels.key/value (obsoleto) additional.fields |
| mensaje | metadata.description |
| ref_pid | about.labels.key/value (obsoleto) additional.fields |
| ref_proc | about.labels.key/value (obsoleto) additional.fields |
| extra | about.labels.key/value (obsoleto) additional.fields |
Authenticode
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema authenticode y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| original_program_name | about.labels.key/value (obsoleto) additional.fields |
| serial_number | network.tls.client.certificate.serial |
| issuer_name | network.tls.client.certificate.issuer |
| subject_name | network.tls.client.certificate.subject |
| result | security_result.summary |
authorization_mechanisms
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes al esquema authorization_mechanisms y al SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| plugin | about.labels.key/value (obsoleto) additional.fields |
| mecanismo | about.labels.key/value (obsoleto) additional.fields |
| con privilegios | about.labels.key/value (obsoleto) additional.fields |
| entry | about.labels.key/value (obsoleto) additional.fields |
autorizaciones
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para las autorizaciones de esquemas y el SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| modificado | about.labels.key/value (obsoleto) additional.fields |
| allow_root | about.labels.key/value (obsoleto) additional.fields |
| Tiempo de espera | about.labels.key/value (obsoleto) additional.fields |
| version | about.labels.key/value (obsoleto) additional.fields |
| intentos | about.labels.key/value (obsoleto) additional.fields |
| authenticate_user | about.labels.key/value (obsoleto) additional.fields |
| compartida | about.labels.key/value (obsoleto) additional.fields |
| comentario | about.labels.key/value (obsoleto) additional.fields |
| creado | about.labels.key/value (obsoleto) additional.fields |
| clase | about.labels.key/value (obsoleto) additional.fields |
| session_owner | about.labels.key/value (obsoleto) additional.fields |
autoexec
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema autoexec y el SO Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| name | target.application |
| fuente | target.resource.name |
bitlocker_info
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema bitlocker_info y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| device_id | target.resource.product_object_id |
| drive_letter | target.resource.name |
| persistent_volume_id | about.labels.key/value (obsoleto) additional.fields |
| conversion_status | target.resource.attirbute.labels.key/value |
| protection_status | target.resource.attirbute.labels.key/value |
| encryption_method | target.resource.attirbute.labels.key/value |
| version | metadata.product_version |
| percentage_encrypted | target.resource.attirbute.labels.key/value |
| lock_status | target.resource.attirbute.labels.key/value |
bpf_process_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema bpf_process_events y el SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| tid | about.labels.key/value (obsoleto) additional.fields |
| pid | target.process.pid |
| parent | target.process.parent_process.pid |
| uid | principal.user.userid |
| gid | principal.group.product_object_id |
| cid | about.labels.key/value (obsoleto) additional.fields |
| exit_code | about.labels.key/value (obsoleto) additional.fields |
| probe_error | about.labels.key/value (obsoleto) additional.fields |
| syscall | about.labels.key/value (obsoleto) additional.fields |
| ruta | target.process.file.full_path |
| cwd | about.labels.key/value (obsoleto) additional.fields |
| cmdline | target.process.command_line |
| duración | about.labels.key/value (obsoleto) additional.fields |
| json_cmdline | about.labels.key/value (obsoleto) additional.fields |
| ntime | about.labels.key/value (obsoleto) additional.fields |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| EID | metadata.product_log_id |
bpf_socket_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema bpf_socket_events y al SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| tid | about.labels.key/value (obsoleto) additional.fields |
| pid | principal.process.pid |
| parent | principal.process.parent_process.pid |
| uid | principal.user.userid |
| gid | principal.group.product_object_id |
| cid | about.labels.key/value (obsoleto) additional.fields |
| exit_code | about.labels.key/value (obsoleto) additional.fields |
| probe_error | about.labels.key/value (obsoleto) additional.fields |
| syscall | about.labels.key/value (obsoleto) additional.fields |
| ruta | target.file.full_path |
| fd | about.labels.key/value (obsoleto) additional.fields |
| familia | about.labels.key/value (obsoleto) additional.fields |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| protocolo | about.labels.key/value (obsoleto) additional.fields |
| local_address | principal.ip |
| remote_address | target.ip |
| local_port | principal.port |
| remote_port | target.port |
| duración | about.labels.key/value (obsoleto) additional.fields |
| ntime | about.labels.key/value (obsoleto) additional.fields |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| EID | metadata.product_log_id |
certificados
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes a los certificados de esquema y a los sistemas operativos macOS y Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| common_name | about.labels.key/value (obsoleto) additional.fields |
| subject | network.tls.client.certificate.subject |
| issuer | network.tls.client.certificate.issuer |
| ca | about.labels.key/value (obsoleto) additional.fields |
| self_signed | about.labels.key/value (obsoleto) additional.fields |
| not_valid_before | network.tls.client.certificate.not_before |
| not_valid_after | network.tls.client.certificate.not_after |
| signing_algorithm | about.labels.key/value (obsoleto) additional.fields |
| key_algorithm | about.labels.key/value (obsoleto) additional.fields |
| key_strength | about.labels.key/value (obsoleto) additional.fields |
| key_usage | about.labels.key/value (obsoleto) additional.fields |
| subject_key_id | about.labels.key/value (obsoleto) additional.fields |
| authority_key_id | about.labels.key/value (obsoleto) additional.fields |
| sha1 | network.tls.client.certificate.sha1 |
| ruta | about.labels.key/value (obsoleto) additional.fields |
| serial | network.tls.client.certificate.serial |
| sid | about.labels.key/value (obsoleto) additional.fields |
| store_location | about.labels.key/value (obsoleto) additional.fields |
| almacén | about.labels.key/value (obsoleto) additional.fields |
| nombre de usuario | principal.user.user_display_name |
| store_id | about.labels.key/value (obsoleto) additional.fields |
chassis_info
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema chassis_info y al SO Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| audible_alarm | about.labels.key/value (obsoleto) additional.fields |
| breach_description | security_result.description |
| chassis_types | about.labels.key/value (obsoleto) additional.fields |
| description | metadata.description |
| candado | about.labels.key/value (obsoleto) additional.fields |
| Fabricante | principal.asset.hardware.manufacturer |
| modelo | principal.asset.hardware.model |
| security_breach | security_result.detection_fields.key/value |
| serial | principal.asset.hardware.serial_number |
| smbios_tag | about.labels.key/value (obsoleto) additional.fields |
| sku | about.labels.key/value (obsoleto) additional.fields |
| status | about.labels.key/value (obsoleto) additional.fields |
| visible_alarm | about.labels.key/value (obsoleto) additional.fields |
chrome_extensions
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema chrome_extensions y a los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| browser_type | target.resource.attribute.labels.key/value |
| uid | principal.user.userid |
| name | target.resource.name |
| perfil | target.resource.attribute.labels.key/value |
| profile_path | target.resource.attribute.labels.key/value |
| referenced_identifier | target.resource.attribute.labels.key/value |
| identificador | target.resource.attribute.labels.key/value |
| version | target.resource.attribute.labels.key/value |
| description | target.resource.attribute.labels.key/value |
| default_locale | target.resource.attribute.labels.key/value |
| current_locale | target.resource.attribute.labels.key/value |
| update_url | network.http.referral_url |
| author | target.resource.attribute.labels.key/value |
| persistente | target.resource.attribute.labels.key/value |
| ruta | target.file.full_path |
| permisos | target.resource.attribute.labels.key/value |
| permissions_json | target.resource.attribute.labels.key/value |
| optional_permissions | target.resource.attribute.labels.key/value |
| optional_permissions_json | target.resource.attribute.labels.key/value |
| manifest_hash | target.resource.attribute.labels.key/value |
| referenciado | target.resource.attribute.labels.key/value |
| from_webstore | target.resource.attribute.labels.key/value |
| estado | target.resource.attribute.labels.key/value |
| install_time | target.resource.attribute.labels.key/value |
| install_timestamp | target.resource.attribute.labels.key/value |
| manifest_json | target.resource.attribute.labels.key/value |
| clave | target.resource.attribute.labels.key/value |
conectividad
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para la conectividad de esquemas y el SO Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| desconectado | about.labels.key/value (obsoleto) additional.fields |
| ipv4_no_traffic | about.labels.key/value (obsoleto) additional.fields |
| ipv6_no_traffic | about.labels.key/value (obsoleto) additional.fields |
| ipv4_subnet | about.labels.key/value (obsoleto) additional.fields |
| ipv4_local_network | about.labels.key/value (obsoleto) additional.fields |
| ipv4_internet | about.labels.key/value (obsoleto) additional.fields |
| ipv6_subnet | about.labels.key/value (obsoleto) additional.fields |
| ipv6_local_network | about.labels.key/value (obsoleto) additional.fields |
| ipv6_internet | about.labels.key/value (obsoleto) additional.fields |
cpu_info
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema cpu_info y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| device_id | principal.asset.product_object_id |
| modelo | principal.asset.hardware.model |
| Fabricante | principal.asset.hardware.manufacturer |
| processor_type | about.labels.key/value (obsoleto) additional.fields |
| disponibilidad | about.labels.key/value (obsoleto) additional.fields |
| cpu_status | about.labels.key/value (obsoleto) additional.fields |
| number_of_cores | principal.asset.hardware.cpu_number_cores |
| logical_processors | about.labels.key/value (obsoleto) additional.fields |
| address_width | about.labels.key/value (obsoleto) additional.fields |
| current_clock_speed | principal.asset.hardware.cpu_clock_speed |
| max_clock_speed | principal.asset.hardware.cpu_max_clock_speed |
| socket_designation | about.labels.key/value (obsoleto) additional.fields |
fallos
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes a los fallos del esquema y al SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| pid | target.process.pid |
| ruta | target.process.file.full_path |
| crash_path | target.file.full_path |
| identificador | about.labels.key/value (obsoleto) additional.fields |
| version | about.labels.key/value (obsoleto) additional.fields |
| parent | target.process.parent_process.pid |
| responsable | about.labels.key/value (obsoleto) additional.fields |
| uid | target.user.userid |
| datetime | metadata.event_timestamp |
| crashed_thread | about.labels.key/value (obsoleto) additional.fields |
| stack_trace | about.labels.key/value (obsoleto) additional.fields |
| exception_type | about.labels.key/value (obsoleto) additional.fields |
| exception_codes | about.labels.key/value (obsoleto) additional.fields |
| exception_notes | about.labels.key/value (obsoleto) additional.fields |
| registros | about.labels.key/value (obsoleto) additional.fields |
crontab
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas crontab y OS Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| evento | about.labels.key/value (obsoleto) additional.fields |
| minuto | about.labels.key/value (obsoleto) additional.fields |
| hora | about.labels.key/value (obsoleto) additional.fields |
| day_of_month | about.labels.key/value (obsoleto) additional.fields |
| mes | about.labels.key/value (obsoleto) additional.fields |
| day_of_week | about.labels.key/value (obsoleto) additional.fields |
| comando | principal.process.command_line |
| ruta | principal.process.file.full_path |
| pid_with_namespace | about.labels.key/value (obsoleto) additional.fields |
curl
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema curl y los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| url | network.http.referral_url |
| método | network.http.method |
| user_agent | network.http.user_agent |
| response_code | network.http.response_code |
| round_trip_time | network.session_duration |
| bytes | network.received_bytes |
| result | about.labels.key/value (obsoleto) additional.fields |
curl_certificate
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes al esquema curl_certificate y a los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| nombre de host | principal.hostname |
| common_name | about.labels.key/value (obsoleto) additional.fields |
| organización | network.organization_name |
| organization_unit | about.labels.key/value (obsoleto) additional.fields |
| serial_number | network.tls.server.certificate.serial |
| issuer_common_name | about.labels.key/value (obsoleto) additional.fields |
| issuer_organization | network.tls.server.certificate.issuer |
| issuer_organization_unit | about.labels.key/value (obsoleto) additional.fields |
| valid_from | network.tls.server.certificate.not_before |
| valid_to | network.tls.server.certificate.not_after |
| sha256_fingerprint | network.tls.server.certificate.sha256 |
| sha1_fingerprint | network.tls.server.certificate.sha1 |
| version | network.tls.server.certificate.version |
| signature_algorithm | about.labels.key/value (obsoleto) additional.fields |
| signature | about.labels.key/value (obsoleto) additional.fields |
| subject_key_identifier | about.labels.key/value (obsoleto) additional.fields |
| authority_key_identifier | about.labels.key/value (obsoleto) additional.fields |
| key_usage | about.labels.key/value (obsoleto) additional.fields |
| extended_key_usage | about.labels.key/value (obsoleto) additional.fields |
| políticas | about.labels.key/value (obsoleto) additional.fields |
| subject_alternative_names | about.labels.key/value (obsoleto) additional.fields |
| issuer_alternative_names | about.labels.key/value (obsoleto) additional.fields |
| info_access | about.labels.key/value (obsoleto) additional.fields |
| subject_info_access | about.labels.key/value (obsoleto) additional.fields |
| policy_mappings | about.labels.key/value (obsoleto) additional.fields |
| has_expired | about.labels.key/value (obsoleto) additional.fields |
| basic_constraint | about.labels.key/value (obsoleto) additional.fields |
| name_constraints | about.labels.key/value (obsoleto) additional.fields |
| policy_constraints | about.labels.key/value (obsoleto) additional.fields |
| dump_certificate | about.labels.key/value (obsoleto) additional.fields |
| Tiempo de espera | about.labels.key/value (obsoleto) additional.fields |
| pem | about.labels.key/value (obsoleto) additional.fields |
device_file
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para el esquema device_file y los SO Linux, macOS, freebsd y Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| dispositivo | about.labels.key/value (obsoleto) additional.fields |
| partición | about.labels.key/value (obsoleto) additional.fields |
| ruta | target.file.full_path |
| filename | target.file.names |
| inodo | about.labels.key/value (obsoleto) additional.fields |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| modo | about.labels.key/value (obsoleto) additional.fields |
| size | target.file.size |
| block_size | about.labels.key/value (obsoleto) additional.fields |
| atime | about.labels.key/value (obsoleto) additional.fields |
| mtime | target.file.last_modification_time |
| ctime | about.labels.key/value (obsoleto) additional.fields |
| hard_links | about.labels.key/value (obsoleto) additional.fields |
| tipo | about.labels.key/value (obsoleto) additional.fields |
device_hash
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para el esquema device_hash y los SO Linux, macOS, freebsd y Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| dispositivo | target.file.full_path |
| partición | about.labels.key/value (obsoleto) additional.fields |
| inodo | about.labels.key/value (obsoleto) additional.fields |
| md5 | target.file.md5 |
| sha1 | target.file.sha1 |
| sha256 | target.file.sha56 |
disk_info
En la siguiente tabla se muestran los campos de registro y las asignaciones de UDM correspondientes al esquema disk_info y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| particiones | principal.asset.attribute.labels.key/value |
| disk_index | principal.asset.attribute.labels.key/value |
| tipo | principal.asset.attribute.labels.key/value |
| id | principal.asset.product_object_id |
| pnp_device_id | about.labels.key/value (obsoleto) additional.fields |
| disk_size | principal.asset.attribute.labels.key/value |
| Fabricante | principal.asset.hardware.manufacturer |
| hardware_model | principal.asset.hardware.model |
| name | principal.asset.attribute.labels.key/value |
| serial | principal.asset.hardware.serial_number |
| description | principal.asset.attribute.labels.key/value |
dns_cache
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema dns_cache y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | network.dns.additional.name |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| flags | about.labels.key/value (obsoleto) additional.fields |
dns_resolvers
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para los esquemas dns_resolvers y OS Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| id | about.labels.key/value (obsoleto) additional.fields |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| Dirección | principal.ip |
| máscara de red | about.labels.key/value (obsoleto) additional.fields |
| configuración | about.labels.key/value (obsoleto) additional.fields |
| pid_with_namespace | about.labels.key/value (obsoleto) additional.fields |
docker_container_networks
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema docker_container_networks y los sistemas operativos Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| id | target.asset.product_object_id |
| name | network.carrier_name |
| network_id | about.labels.key/value (obsoleto) additional.fields |
| endpoint_id | about.labels.key/value (obsoleto) additional.fields |
| pasarela | about.labels.key/value (obsoleto) additional.fields |
| ip_address | target.ip |
| ip_prefix_len | about.labels.key/value (obsoleto) additional.fields |
| ipv6_gateway | about.labels.key/value (obsoleto) additional.fields |
| ipv6_address | target.ip |
| ipv6_prefix_len | about.labels.key/value (obsoleto) additional.fields |
| mac_address | target.mac |
docker_container_ports
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para el esquema docker_container_ports y los sistemas operativos Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| id | target.asset.product_object_id |
| tipo | network.ip_protocol |
| puerto | target.port |
| host_ip | principal.ip |
| host_port | principal.port |
docker_container_processes
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema docker_container_processes y los sistemas operativos Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| id | target.asset.product_object_id |
| pid | target.process.pid |
| name | target.process.file.full_path |
| cmdline | target.process.command_line |
| estado | about.labels.key/value (obsoleto) additional.fields |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| euid | target.user.attribute.labels.key/value |
| egid | target.group.attribute.labels.key/value |
| suid | target.user.attribute.labels.key/value |
| sgid | target.group.attribute.labels.key/value |
| wired_size | about.labels.key/value (obsoleto) additional.fields |
| resident_size | about.labels.key/value (obsoleto) additional.fields |
| total_size | about.labels.key/value (obsoleto) additional.fields |
| start_time | about.labels.key/value (obsoleto) additional.fields |
| parent | target.process.parent_process.pid |
| pgroup | about.labels.key/value (obsoleto) additional.fields |
| Hilos | about.labels.key/value (obsoleto) additional.fields |
| bonito | about.labels.key/value (obsoleto) additional.fields |
| usuario | target.user.user_display_name |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| CPU | about.labels.key/value (obsoleto) additional.fields |
| mem | about.labels.key/value (obsoleto) additional.fields |
docker_container_stats
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para el esquema docker_container_stats y los sistemas operativos Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| id | target.resource.product_object_id |
| name | target.resource.name |
| pids | about.labels.key/value (obsoleto) additional.fields |
| read | about.labels.key/value (obsoleto) additional.fields |
| preread | about.labels.key/value (obsoleto) additional.fields |
| intervalo | about.labels.key/value (obsoleto) additional.fields |
| disk_read | about.labels.key/value (obsoleto) additional.fields |
| disk_write | about.labels.key/value (obsoleto) additional.fields |
| num_procs | about.labels.key/value (obsoleto) additional.fields |
| cpu_total_usage | about.labels.key/value (obsoleto) additional.fields |
| cpu_kernelmode_usage | about.labels.key/value (obsoleto) additional.fields |
| cpu_usermode_usage | about.labels.key/value (obsoleto) additional.fields |
| system_cpu_usage | about.labels.key/value (obsoleto) additional.fields |
| online_cpus | about.labels.key/value (obsoleto) additional.fields |
| pre_cpu_total_usage | about.labels.key/value (obsoleto) additional.fields |
| pre_cpu_kernelmode_usage | about.labels.key/value (obsoleto) additional.fields |
| pre_cpu_usermode_usage | about.labels.key/value (obsoleto) additional.fields |
| pre_system_cpu_usage | about.labels.key/value (obsoleto) additional.fields |
| pre_online_cpus | about.labels.key/value (obsoleto) additional.fields |
| memory_usage | about.labels.key/value (obsoleto) additional.fields |
| memory_max_usage | about.labels.key/value (obsoleto) additional.fields |
| memory_limit | about.labels.key/value (obsoleto) additional.fields |
| network_rx_bytes | about.labels.key/value (obsoleto) additional.fields |
| network_tx_bytes | about.labels.key/value (obsoleto) additional.fields |
docker_info
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas docker_info y OS Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| id | target.resource.product_object_id |
| contenedores | about.labels.key/value (obsoleto) additional.fields |
| containers_running | about.labels.key/value (obsoleto) additional.fields |
| containers_paused | about.labels.key/value (obsoleto) additional.fields |
| containers_stopped | about.labels.key/value (obsoleto) additional.fields |
| imágenes | about.labels.key/value (obsoleto) additional.fields |
| storage_driver | about.labels.key/value (obsoleto) additional.fields |
| memory_limit | about.labels.key/value (obsoleto) additional.fields |
| swap_limit | about.labels.key/value (obsoleto) additional.fields |
| kernel_memory | about.labels.key/value (obsoleto) additional.fields |
| cpu_cfs_period | about.labels.key/value (obsoleto) additional.fields |
| cpu_cfs_quota | about.labels.key/value (obsoleto) additional.fields |
| cpu_shares | about.labels.key/value (obsoleto) additional.fields |
| cpu_set | about.labels.key/value (obsoleto) additional.fields |
| ipv4_forwarding | about.labels.key/value (obsoleto) additional.fields |
| bridge_nf_iptables | about.labels.key/value (obsoleto) additional.fields |
| bridge_nf_ip6tables | about.labels.key/value (obsoleto) additional.fields |
| oom_kill_disable | about.labels.key/value (obsoleto) additional.fields |
| logging_driver | about.labels.key/value (obsoleto) additional.fields |
| cgroup_driver | about.labels.key/value (obsoleto) additional.fields |
| kernel_version | about.labels.key/value (obsoleto) additional.fields |
| os | about.labels.key/value (obsoleto) additional.fields |
| os_type | target.platform(enum) |
| arquitectura | about.labels.key/value (obsoleto) additional.fields |
| cpus | about.labels.key/value (obsoleto) additional.fields |
| memoria | about.labels.key/value (obsoleto) additional.fields |
| http_proxy | about.labels.key/value (obsoleto) additional.fields |
| https_proxy | about.labels.key/value (obsoleto) additional.fields |
| no_proxy | about.labels.key/value (obsoleto) additional.fields |
| name | target.hostname |
| server_version | target.platform_version |
| root_dir | target.file.full_path |
docker_network_labels
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas docker_network_labels y OS Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| id | target.resource.product_object_id |
| clave | target.resource.attribute.labels.key/value |
| valor | about.labels.key/value (obsoleto) additional.fields |
docker_networks
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas docker_networks y OS Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| id | target.resource.product_object_id |
| name | about.labels.key/value (obsoleto) additional.fields |
| controlador | about.labels.key/value (obsoleto) additional.fields |
| creado | target.resource.attribute.creation_time |
| enable_ipv6 | about.labels.key/value (obsoleto) additional.fields |
| subred | about.labels.key/value (obsoleto) additional.fields |
| pasarela | about.labels.key/value (obsoleto) additional.fields |
ec2_instance_metadata
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema ec2_instance_metadata y a los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| instance_id | target.resource.product_object_id |
| instance_type | about.labels.key/value (obsoleto) additional.fields |
| arquitectura | about.labels.key/value (obsoleto) additional.fields |
| región | target.location.country_or_region |
| availability_zone | about.labels.key/value (obsoleto) additional.fields |
| local_hostname | target.hostname |
| local_ipv4 | target.ip |
| mac | target.mac |
| security_groups | about.labels.key/value (obsoleto) additional.fields |
| iam_arn | about.labels.key/value (obsoleto) additional.fields |
| ami_id | about.labels.key/value (obsoleto) additional.fields |
| reservation_id | about.labels.key/value (obsoleto) additional.fields |
| account_id | target.user.userid |
| ssh_public_key | about.labels.key/value (obsoleto) additional.fields |
es_process_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema es_process_events y al SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| version | target.platform_version |
| seq_num | about.labels.key/value (obsoleto) additional.fields |
| global_seq_num | about.labels.key/value (obsoleto) additional.fields |
| pid | target.process.pid |
| ruta | target.process.file.full_path |
| parent | target.process.parent_process.pid |
| original_parent | about.labels.key/value (obsoleto) additional.fields |
| cmdline | target.process.command_line |
| cmdline_count | about.labels.key/value (obsoleto) additional.fields |
| env | about.labels.key/value (obsoleto) additional.fields |
| env_count | about.labels.key/value (obsoleto) additional.fields |
| cwd | about.labels.key/value (obsoleto) additional.fields |
| uid | target.user.userid |
| euid | about.labels.key/value (obsoleto) additional.fields |
| gid | target.group.product_object_id |
| egid | about.labels.key/value (obsoleto) additional.fields |
| nombre de usuario | target.user.user_display_name |
| signing_id | about.labels.key/value (obsoleto) additional.fields |
| team_id | about.labels.key/value (obsoleto) additional.fields |
| cdhash | about.labels.key/value (obsoleto) additional.fields |
| platform_binary | about.labels.key/value (obsoleto) additional.fields |
| exit_code | about.labels.key/value (obsoleto) additional.fields |
| child_pid | about.labels.key/value (obsoleto) additional.fields |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| event_type | about.labels.key/value (obsoleto) additional.fields |
| EID | metadata.product_log_id |
etc_hosts
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema etc_hosts y a los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| Dirección | target.ip |
| nombres de host | about.hostname |
| pid_with_namespace | about.labels.key/value (obsoleto) additional.fields |
etc_protocols
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema etc_protocols y los SO macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | network.ip_protocol |
| número | about.labels.key/value (obsoleto) additional.fields |
| alias | about.labels.key/value (obsoleto) additional.fields |
| comentario | about.labels.key/value (obsoleto) additional.fields |
etc_services
En la siguiente tabla se muestran los campos de registro y las asignaciones de UDM correspondientes para el esquema etc_services y los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | target.resource.name |
| puerto | target.port |
| protocolo | network.ip_protocol |
| aliases | about.labels.key/value (obsoleto) additional.fields |
| comentario | about.labels.key/value (obsoleto) additional.fields |
file
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el archivo de esquema y los sistemas operativos macOS, Linux, Windows y FreeBSD:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| directorio | about.labels.key/value (obsoleto) additional.fields |
| filename | target.file.names |
| inodo | about.labels.key/value (obsoleto) additional.fields |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| modo | about.labels.key/value (obsoleto) additional.fields |
| dispositivo | target.asset.asset_id |
| size | target.file.size |
| block_size | about.labels.key/value (obsoleto) additional.fields |
| atime | target.file.last_seen_time |
| mtime | target.file.last_modification_time |
| ctime | about.labels.key/value (obsoleto) additional.fields |
| btime | about.labels.key/value (obsoleto) additional.fields |
| hard_links | about.labels.key/value (obsoleto) additional.fields |
| Enlace simbólico | about.labels.key/value (obsoleto) additional.fields |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| attributes | about.labels.key/value (obsoleto) additional.fields |
| volume_serial | about.labels.key/value (obsoleto) additional.fields |
| file_id | about.labels.key/value (obsoleto) additional.fields |
| file_version | about.labels.key/value (obsoleto) additional.fields |
| product_version | about.labels.key/value (obsoleto) additional.fields |
| bsd_flags | about.labels.key/value (obsoleto) additional.fields |
| pid_with_namespace | about.labels.key/value (obsoleto) additional.fields |
| mount_namespace_id | about.labels.key/value (obsoleto) additional.fields |
file_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema file_events y al SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| operación | about.labels.key/value (obsoleto) additional.fields |
| pid | principal.process.pid |
| ppid | principal.process.parent_process.pid |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| Ejecutable | about.labels.key/value (obsoleto) additional.fields |
| parcial | about.labels.key/value (obsoleto) additional.fields |
| cwd | about.labels.key/value (obsoleto) additional.fields |
| ruta | src.file.full_path |
| dest_path | target.file.full_path |
| uid | principal.user.userid |
| gid | principal.group.product_object_id |
| auid | about.labels.key/value (obsoleto) additional.fields |
| euid | about.labels.key/value (obsoleto) additional.fields |
| egid | about.labels.key/value (obsoleto) additional.fields |
| fsuid | about.labels.key/value (obsoleto) additional.fields |
| fsgid | about.labels.key/value (obsoleto) additional.fields |
| suid | about.labels.key/value (obsoleto) additional.fields |
| sgid | about.labels.key/value (obsoleto) additional.fields |
| Tiempo de actividad | about.labels.key/value (obsoleto) additional.fields |
| EID | metadata.product_log_id |
guardián de acceso
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el gatekeeper de esquemas y el SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| assessments_enabled | about.labels.key/value (obsoleto) additional.fields |
| dev_id_enabled | about.labels.key/value (obsoleto) additional.fields |
| version | target.asset.software.version |
| opaque_version | about.labels.key/value (obsoleto) additional.fields |
gatekeeper_approved_apps
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el validador de esquemas gatekeeper_approved_apps y el SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| requisito | about.labels.key/value (obsoleto) additional.fields |
| ctime | about.labels.key/value (obsoleto) additional.fields |
| mtime | target.resource.attribute.last_update_time |
grupos
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes de los grupos de esquemas y los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| gid | target.group.attribute.labels.key/value |
| gid_signed | target.group.attribute.labels.key/value |
| groupname | target.group.group_display_name |
| group_sid | target.group.product_object_id |
| comentario | target.group.attribute.labels.key/value |
| is_hidden | target.group.attribute.labels.key/value |
| pid_with_namespace | target.group.attribute.labels.key/value |
hardware_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas hardware_events y OS Linux y macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| acción | security_result.action_details |
| ruta | target.asset.attribute.labels.key/value |
| tipo | target.asset.attribute.labels.key/value |
| controlador | target.asset.attribute.labels.key/value |
| vendor | target.asset.attribute.labels.key/value |
| vendor_id | target.asset.attribute.labels.key/value |
| modelo | target.asset.hardware.model |
| model_id | target.asset.attribute.labels.key/value |
| serial | target.asset.attribute.labels.key/value |
| revisión | target.asset.attribute.labels.key/value |
| Tiempo | metadata.event_timestamp |
| EID | metadata.product_log_id |
hash
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al hash del esquema y a los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| directorio | about.labels.key/value (obsoleto) additional.fields |
| md5 | target.file.md5 |
| sha1 | target.file.sha1 |
| sha256 | target.file.sha256 |
| pid_with_namespace | about.labels.key/value (obsoleto) additional.fields |
| mount_namespace_id | about.labels.key/value (obsoleto) additional.fields |
interface_addresses
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes a la interfaz schema_interface_addresses y a los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| interfaz | about.labels.key/value (obsoleto) additional.fields |
| Dirección | target.ip |
| enmascarar | about.labels.key/value (obsoleto) additional.fields |
| difundir | about.labels.key/value (obsoleto) additional.fields |
| point_to_point | about.labels.key/value (obsoleto) additional.fields |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| friendly_name | about.labels.key/value (obsoleto) additional.fields |
interface_details
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema interface_details y los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| interfaz | about.labels.key/value (obsoleto) additional.fields |
| mac | target.mac |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| mtu | about.labels.key/value (obsoleto) additional.fields |
| métrica | about.labels.key/value (obsoleto) additional.fields |
| flags | about.labels.key/value (obsoleto) additional.fields |
| ipackets | about.labels.key/value (obsoleto) additional.fields |
| opackets | about.labels.key/value (obsoleto) additional.fields |
| ibytes | network.sent_bytes |
| obytes | network.received_bytes |
| ierrors | about.labels.key/value (obsoleto) additional.fields |
| oerrors | about.labels.key/value (obsoleto) additional.fields |
| idrops | about.labels.key/value (obsoleto) additional.fields |
| odrops | about.labels.key/value (obsoleto) additional.fields |
| colisiones | about.labels.key/value (obsoleto) additional.fields |
| last_change | about.labels.key/value (obsoleto) additional.fields |
| link_speed | about.labels.key/value (obsoleto) additional.fields |
| pci_slot | about.labels.key/value (obsoleto) additional.fields |
| friendly_name | about.labels.key/value (obsoleto) additional.fields |
| description | about.labels.key/value (obsoleto) additional.fields |
| Fabricante | target.asset.hardware.manufacturer |
| connection_id | about.labels.key/value (obsoleto) additional.fields |
| connection_status | about.labels.key/value (obsoleto) additional.fields |
| habilitada | about.labels.key/value (obsoleto) additional.fields |
| physical_adapter | about.labels.key/value (obsoleto) additional.fields |
| velocidad | about.labels.key/value (obsoleto) additional.fields |
| servicio | target.application |
| dhcp_enabled | about.labels.key/value (obsoleto) additional.fields |
| dhcp_lease_expires | network.dhcp.lease_time_seconds |
| dhcp_lease_obtained | about.labels.key/value (obsoleto) additional.fields |
| dhcp_server | network.dhcp.yiaddr |
| dns_domain | network.dns.questions.name |
| dns_domain_suffix_search_order | about.labels.key/value (obsoleto) additional.fields |
| dns_host_name | about.labels.key/value (obsoleto) additional.fields |
| dns_server_search_order | about.labels.key/value (obsoleto) additional.fields |
interface_ipv6
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para la interfaz interface_ipv6 y los sistemas operativos Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| interfaz | about.labels.key/value (obsoleto) additional.fields |
| hop_limit | about.labels.key/value (obsoleto) additional.fields |
| forwarding_enabled | about.labels.key/value (obsoleto) additional.fields |
| redirect_accept | about.labels.key/value (obsoleto) additional.fields |
| rtadv_accept | about.labels.key/value (obsoleto) additional.fields |
iptables
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes a los esquemas iptables y OS Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| filter_name | about.labels.key/value (obsoleto) additional.fields |
| cadena | about.labels.key/value (obsoleto) additional.fields |
| política | about.labels.key/value (obsoleto) additional.fields |
| target | about.labels.key/value (obsoleto) additional.fields |
| protocolo | about.labels.key/value (obsoleto) additional.fields |
| src_port | src.port |
| dst_port | target.port |
| src_ip | src.ip |
| src_mask | about.labels.key/value (obsoleto) additional.fields |
| iniface | about.labels.key/value (obsoleto) additional.fields |
| iniface_mask | about.labels.key/value (obsoleto) additional.fields |
| dst_ip | target.ip |
| dst_mask | about.labels.key/value (obsoleto) additional.fields |
| outiface | about.labels.key/value (obsoleto) additional.fields |
| outiface_mask | about.labels.key/value (obsoleto) additional.fields |
| coincidencia | about.labels.key/value (obsoleto) additional.fields |
| paquetes | about.labels.key/value (obsoleto) additional.fields |
| bytes | network.received_bytes |
kernel_panics
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema kernel_panics y al SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| registros | about.labels.key/value (obsoleto) additional.fields |
| frame_backtrace | about.labels.key/value (obsoleto) additional.fields |
| module_backtrace | about.labels.key/value (obsoleto) additional.fields |
| dependencies | about.labels.key/value (obsoleto) additional.fields |
| name | target.process.command_line |
| os_version | target.platform_version |
| kernel_version | about.labels.key/value (obsoleto) additional.fields |
| system_model | target.asset.hardware.model |
| Tiempo de actividad | about.labels.key/value (obsoleto) additional.fields |
| last_loaded | about.labels.key/value (obsoleto) additional.fields |
| last_unloaded | about.labels.key/value (obsoleto) additional.fields |
keychain_acls
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema keychain_acls y al sistema operativo macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| keychain_path | about.labels.key/value (obsoleto) additional.fields |
| autorizaciones | about.labels.key/value (obsoleto) additional.fields |
| ruta | target.file.full_path |
| description | metadata.description |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
known_hosts
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema known_hosts y a los sistemas operativos Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| uid | target.user.userid |
| clave | about.labels.key/value (obsoleto) additional.fields |
| key_file | target.file.full_path |
último
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema last y a los sistemas operativos Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| nombre de usuario | target.user.user_display_name |
| tty | about.labels.key/value (obsoleto) additional.fields |
| pid | target.process.pid |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| type_name | about.labels.key/value (obsoleto) additional.fields |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| host | target.hostname |
listening_ports
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema listening_ports y los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| pid | target.process.pid |
| puerto | target.port |
| protocolo | network.ip_protocol |
| familia | about.labels.key/value (obsoleto) additional.fields |
| Dirección | target.ip |
| fd | about.labels.key/value (obsoleto) additional.fields |
| socket | about.labels.key/value (obsoleto) additional.fields |
| ruta | target.process.file.full_path |
| net_namespace | about.labels.key/value (obsoleto) additional.fields |
logged_in_users
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para el esquema logged_in_users y los SO macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| usuario | target.user.userid |
| tty | about.labels.key/value (obsoleto) additional.fields |
| host | target.hostname |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| pid | target.process.pid |
| sid | about.labels.key/value (obsoleto) additional.fields |
| registry_hive | about.labels.key/value (obsoleto) additional.fields |
logon_sessions
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema logon_sessions y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| logon_id | about.labels.key/value (obsoleto) additional.fields |
| usuario | target.user.user_display_name |
| logon_domain | about.labels.key/value (obsoleto) additional.fields |
| authentication_package | about.labels.key/value (obsoleto) additional.fields |
| logon_type | about.labels.key/value (obsoleto) additional.fields |
| session_id | network.session_id |
| logon_sid | about.labels.key/value (obsoleto) additional.fields |
| logon_time | about.labels.key/value (obsoleto) additional.fields |
| logon_server | about.labels.key/value (obsoleto) additional.fields |
| dns_domain_name | network.dns_domain |
| upn | about.labels.key/value (obsoleto) additional.fields |
| logon_script | about.labels.key/value (obsoleto) additional.fields |
| profile_path | target.file.full_path |
| home_directory | about.labels.key/value (obsoleto) additional.fields |
| home_directory_drive | about.labels.key/value (obsoleto) additional.fields |
lxd_certificates
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema lxd_certificates y al SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | security_result.detection_fields.key/value |
| tipo | security_result.detection_fields.key/value |
| huella digital | security_result.detection_fields.key/value |
| certificado | security_result.detection_fields.key/value |
lxd_networks
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema lxd_networks y al SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | about.labels.key/value (obsoleto) additional.fields |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| gestionada | about.labels.key/value (obsoleto) additional.fields |
| ipv4_address | about.labels.key/value (obsoleto) additional.fields |
| ipv6_address | about.labels.key/value (obsoleto) additional.fields |
| used_by | about.labels.key/value (obsoleto) additional.fields |
| bytes_received | network.received_bytes |
| bytes_sent | network.sent_bytes |
| packets_received | about.labels.key/value (obsoleto) additional.fields |
| packets_sent | about.labels.key/value (obsoleto) additional.fields |
| hwaddr | about.labels.key/value (obsoleto) additional.fields |
| estado | about.labels.key/value (obsoleto) additional.fields |
| mtu | about.labels.key/value (obsoleto) additional.fields |
managed_policies
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema managed_policies y al SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| dominio | target.administrative_domain |
| uuid | about.labels.key/value (obsoleto) additional.fields |
| name | about.labels.key/value (obsoleto) additional.fields |
| valor | about.labels.key/value (obsoleto) additional.fields |
| nombre de usuario | target.user.user_display_name |
| manual | about.labels.key/value (obsoleto) additional.fields |
memory_devices
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para los esquemas memory_devices y OS Linux y macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| controlador | about.labels.key/value (obsoleto) additional.fields |
| array_handle | about.labels.key/value (obsoleto) additional.fields |
| form_factor | about.labels.key/value (obsoleto) additional.fields |
| total_width | about.labels.key/value (obsoleto) additional.fields |
| data_width | about.labels.key/value (obsoleto) additional.fields |
| size | about.labels.key/value (obsoleto) additional.fields |
| set | about.labels.key/value (obsoleto) additional.fields |
| device_locator | about.labels.key/value (obsoleto) additional.fields |
| bank_locator | about.labels.key/value (obsoleto) additional.fields |
| memory_type | about.labels.key/value (obsoleto) additional.fields |
| memory_type_details | about.labels.key/value (obsoleto) additional.fields |
| max_speed | about.labels.key/value (obsoleto) additional.fields |
| configured_clock_speed | about.labels.key/value (obsoleto) additional.fields |
| Fabricante | target.asset.hardware.manufacturer |
| serial_number | target.asset.hardware.serial_number |
| asset_tag | target.asset.asset_id |
| part_number | about.labels.key/value (obsoleto) additional.fields |
| min_voltage | about.labels.key/value (obsoleto) additional.fields |
| max_voltage | about.labels.key/value (obsoleto) additional.fields |
| configured_voltage | about.labels.key/value (obsoleto) additional.fields |
ntdomains
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas ntdomains y OS Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | about.labels.key/value (obsoleto) additional.fields |
| client_site_name | about.labels.key/value (obsoleto) additional.fields |
| dc_site_name | about.labels.key/value (obsoleto) additional.fields |
| dns_forest_name | network.dns.questions.name |
| domain_controller_address | target.ip |
| domain_controller_name | about.labels.key/value (obsoleto) additional.fields |
| domain_name | target.administrative_domain |
| status | about.labels.key/value (obsoleto) additional.fields |
ntfs_acl_permissions
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes al esquema ntfs_acl_permissions y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| capital | about.labels.key/value (obsoleto) additional.fields |
| a la fila | about.labels.key/value (obsoleto) additional.fields |
| inherited_from | about.labels.key/value (obsoleto) additional.fields |
os_version
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema os_version y a los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | about.labels.key/value (obsoleto) additional.fields |
| version | principal.platform_version |
| importante | about.labels.key/value (obsoleto) additional.fields |
| menor | about.labels.key/value (obsoleto) additional.fields |
| patch | principal.platform_patch_level |
| build | about.labels.key/value (obsoleto) additional.fields |
| plataforma | principal.platform |
| platform_like | about.labels.key/value (obsoleto) additional.fields |
| nombre de código | about.labels.key/value (obsoleto) additional.fields |
| arco | about.labels.key/value (obsoleto) additional.fields |
| install_date | about.labels.key/value (obsoleto) additional.fields |
| pid_with_namespace | about.labels.key/value (obsoleto) additional.fields |
| mount_namespace_id | about.labels.key/value (obsoleto) additional.fields |
osquery_events
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para el esquema osquery_events y los sistemas operativos macOS, Linux, Windows y FreeBSD:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | target.resource.name |
| editor | about.label.key/value |
| tipo | about.label.key/value |
| suscripciones | about.label.key/value |
| eventos | about.label.key/value |
| actualiza | about.label.key/value |
| activa | about.label.key/value |
seguridad
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para los parches de esquema y el SO Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| csname | target.hostname |
| hotfix_id | about.labels.key/value (obsoleto) additional.fields |
| caption | about.labels.key/value (obsoleto) additional.fields |
| description | metadata.description |
| fix_comments | about.labels.key/value (obsoleto) additional.fields |
| installed_by | about.labels.key/value (obsoleto) additional.fields |
| install_date | about.labels.key/value (obsoleto) additional.fields |
| installed_on | about.labels.key/value (obsoleto) additional.fields |
pci_devices
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema pci_devices y los SO Linux y macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| pci_slot | principal.labels.key/value (obsoleto) additional.fields |
| pci_class | principal.labels.key/value (obsoleto) additional.fields |
| controlador | principal.labels.key/value (obsoleto) additional.fields |
| vendor | principal.labels.key/value (obsoleto) additional.fields |
| vendor_id | principal.labels.key/value (obsoleto) additional.fields |
| modelo | principal.asset.hardware.model |
| model_id | principal.labels.key/value (obsoleto) additional.fields |
| subsistema | principal.labels.key/value (obsoleto) additional.fields |
| express | principal.labels.key/value (obsoleto) additional.fields |
| Rayo | principal.labels.key/value (obsoleto) additional.fields |
| extraíble | principal.labels.key/value (obsoleto) additional.fields |
| pci_class_id | principal.labels.key/value (obsoleto) additional.fields |
| pci_subclass_id | principal.labels.key/value (obsoleto) additional.fields |
| pci_subclass | principal.labels.key/value (obsoleto) additional.fields |
| subsystem_vendor_id | principal.labels.key/value (obsoleto) additional.fields |
| subsystem_vendor | principal.labels.key/value (obsoleto) additional.fields |
| subsystem_model_id | principal.labels.key/value (obsoleto) additional.fields |
| subsystem_model | principal.labels.key/value (obsoleto) additional.fields |
tuberías
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para los pipes de esquema y OS Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| pid | target.process.pid |
| name | target.resource.name |
| instances | about.labels.key/value (obsoleto) additional.fields |
| max_instances | about.labels.key/value (obsoleto) additional.fields |
| flags | about.labels.key/value (obsoleto) additional.fields |
powershell_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema powershell_events y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| Tiempo | metadata.collected_timestamp |
| datetime | about.labels.key/value (obsoleto) additional.fields |
| script_block_id | about.labels.key/value (obsoleto) additional.fields |
| script_block_count | about.labels.key/value (obsoleto) additional.fields |
| script_text | about.labels.key/value (obsoleto) additional.fields |
| script_name | about.labels.key/value (obsoleto) additional.fields |
| script_path | target.file.full_path |
| cosine_similarity | about.labels.key/value (obsoleto) additional.fields |
process_envs
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema process_envs y los sistemas operativos Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| pid | target.process.pid |
| clave | about.labels.key |
| valor | about.labels.value |
process_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema process_events y al SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| version | target.platform_version |
| seq_num | about.labels.key/value (obsoleto) additional.fields |
| global_seq_num | about.labels.key/value (obsoleto) additional.fields |
| pid | target.process.pid |
| ruta | target.file.full_path |
| parent | target.process.parent_process.pid |
| original_parent | about.labels.key/value (obsoleto) additional.fields |
| cmdline | target.process.command_line |
| cmdline_count | about.labels.key/value (obsoleto) additional.fields |
| env | about.labels.key/value (obsoleto) additional.fields |
| env_count | about.labels.key/value (obsoleto) additional.fields |
| cwd | about.labels.key/value (obsoleto) additional.fields |
| uid | target.user.userid |
| euid | about.labels.key/value (obsoleto) additional.fields |
| gid | target.group.product_object_id |
| egid | about.labels.key/value (obsoleto) additional.fields |
| nombre de usuario | target.user.user_display_name |
| signing_id | about.labels.key/value (obsoleto) additional.fields |
| team_id | about.labels.key/value (obsoleto) additional.fields |
| cdhash | about.labels.key/value (obsoleto) additional.fields |
| platform_binary | about.labels.key/value (obsoleto) additional.fields |
| exit_code | about.labels.key/value (obsoleto) additional.fields |
| child_pid | about.labels.key/value (obsoleto) additional.fields |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| event_type | about.labels.key/value (obsoleto) additional.fields |
| EID | about.labels.key/value (obsoleto) additional.fields |
process_file_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema process_file_events y al SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| operación | about.labels.key/value (obsoleto) additional.fields |
| pid | target.process.pid |
| ppid | target.process.parent_process.pid |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| Ejecutable | about.labels.key/value (obsoleto) additional.fields |
| parcial | about.labels.key/value (obsoleto) additional.fields |
| cwd | about.labels.key/value (obsoleto) additional.fields |
| ruta | target.file.full_path |
| dest_path | about.labels.key/value (obsoleto) additional.fields |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| auid | about.labels.key/value (obsoleto) additional.fields |
| euid | about.labels.key/value (obsoleto) additional.fields |
| egid | about.labels.key/value (obsoleto) additional.fields |
| fsuid | about.labels.key/value (obsoleto) additional.fields |
| fsgid | about.labels.key/value (obsoleto) additional.fields |
| suid | about.labels.key/value (obsoleto) additional.fields |
| sgid | about.labels.key/value (obsoleto) additional.fields |
| Tiempo de actividad | about.labels.key/value (obsoleto) additional.fields |
| EID | metadata.product_log_id |
process_open_sockets
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema process_open_sockets y a los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| pid | principal.process.pid |
| fd | about.labels.key/value (obsoleto) additional.fields |
| socket | about.labels.key/value (obsoleto) additional.fields |
| familia | about.labels.key/value (obsoleto) additional.fields |
| protocolo | about.labels.key/value (obsoleto) additional.fields |
| local_address | principal.ip |
| remote_address | target.ip |
| local_port | principal.port |
| remote_port | target.port |
| ruta | target.file.full_path |
| estado | about.labels.key/value (obsoleto) additional.fields |
| net_namespace | about.labels.key/value (obsoleto) additional.fields |
procesos
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para los procesos de esquema y los sistemas operativos macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| pid | target.process.pid |
| name | about.labels.key/value (obsoleto) additional.fields |
| ruta | target.process.file.full_path |
| cmdline | target.process.command_line |
| estado | target.process.attribute.labels.key/value |
| cwd | about.labels.key/value (obsoleto) additional.fields |
| raíz | about.labels.key/value (obsoleto) additional.fields |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| euid | about.labels.key/value (obsoleto) additional.fields |
| egid | about.labels.key/value (obsoleto) additional.fields |
| suid | about.labels.key/value (obsoleto) additional.fields |
| sgid | about.labels.key/value (obsoleto) additional.fields |
| on_disk | about.labels.key/value (obsoleto) additional.fields |
| wired_size | about.labels.key/value (obsoleto) additional.fields |
| resident_size | about.labels.key/value (obsoleto) additional.fields |
| total_size | about.labels.key/value (obsoleto) additional.fields |
| user_time | about.labels.key/value (obsoleto) additional.fields |
| system_time | about.labels.key/value (obsoleto) additional.fields |
| disk_bytes_read | about.labels.key/value (obsoleto) additional.fields |
| disk_bytes_written | about.labels.key/value (obsoleto) additional.fields |
| start_time | about.labels.key/value (obsoleto) additional.fields |
| parent | target.process.parent_process.pid |
| pgroup | about.labels.key/value (obsoleto) additional.fields |
| Hilos | about.labels.key/value (obsoleto) additional.fields |
| bonito | about.labels.key/value (obsoleto) additional.fields |
| elevated_token | about.labels.key/value (obsoleto) additional.fields |
| secure_process | about.labels.key/value (obsoleto) additional.fields |
| protection_type | about.labels.key/value (obsoleto) additional.fields |
| virtual_process | about.labels.key/value (obsoleto) additional.fields |
| elapsed_time | about.labels.key/value (obsoleto) additional.fields |
| handle_count | about.labels.key/value (obsoleto) additional.fields |
| percent_processor_time | about.labels.key/value (obsoleto) additional.fields |
| upid | about.labels.key/value (obsoleto) additional.fields |
| uppid | about.labels.key/value (obsoleto) additional.fields |
| cpu_type | about.labels.key/value (obsoleto) additional.fields |
| cpu_subtype | about.labels.key/value (obsoleto) additional.fields |
programas
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para los programas de esquema y el SO Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | target.resource.name |
| version | target.platform_version |
| install_location | about.labels.key/value (obsoleto) additional.fields |
| install_source | about.labels.key/value (obsoleto) additional.fields |
| idioma | about.labels.key/value (obsoleto) additional.fields |
| editor | about.labels.key/value (obsoleto) additional.fields |
| uninstall_string | target.file.full_path |
| install_date | about.labels.key/value (obsoleto) additional.fields |
| identifying_number | about.labels.key/value (obsoleto) additional.fields |
scheduled_tasks
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para los esquemas scheduled_tasks y OS Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | target.resource.name |
| acción | security_result.action_details |
| ruta | target.file.full_path |
| habilitada | about.labels.key/value (obsoleto) additional.fields |
| estado | about.labels.key/value (obsoleto) additional.fields |
| oculto | about.labels.key/value (obsoleto) additional.fields |
| last_run_time | about.labels.key/value (obsoleto) additional.fields |
| next_run_time | about.labels.key/value (obsoleto) additional.fields |
| last_run_message | about.labels.key/value (obsoleto) additional.fields |
| last_run_code | about.labels.key/value (obsoleto) additional.fields |
seccomp_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema seccomp_events y el SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| Tiempo de actividad | about.labels.key/value (obsoleto) additional.fields |
| auid | about.labels.key/value (obsoleto) additional.fields |
| uid | target.user.userid |
| gid | target.group.product_object_id |
| ses | about.labels.key/value (obsoleto) additional.fields |
| pid | target.process.pid |
| comm | about.labels.key/value (obsoleto) additional.fields |
| exe | target.file.full_path |
| sig | about.labels.key/value (obsoleto) additional.fields |
| arco | about.labels.key/value (obsoleto) additional.fields |
| syscall | about.labels.key/value (obsoleto) additional.fields |
| compat | about.labels.key/value (obsoleto) additional.fields |
| ip | about.labels.key/value (obsoleto) additional.fields |
| programación | about.labels.key/value (obsoleto) additional.fields |
seLinux_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas seLinux_events y OS Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| mensaje | metadata.description |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| Tiempo de actividad | about.labels.key/value (obsoleto) additional.fields |
| EID | metadata.product_log_id |
sombra
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema shadow y el SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| password_status | about.labels.key/value (obsoleto) additional.fields |
| hash_alg | about.labels.key/value (obsoleto) additional.fields |
| last_change | about.labels.key/value (obsoleto) additional.fields |
| min | about.labels.key/value (obsoleto) additional.fields |
| máx. | about.labels.key/value (obsoleto) additional.fields |
| advertencia | about.labels.key/value (obsoleto) additional.fields |
| inactivo | about.labels.key/value (obsoleto) additional.fields |
| expire | about.labels.key/value (obsoleto) additional.fields |
| bandera | about.labels.key/value (obsoleto) additional.fields |
| nombre de usuario | principal.user.user_display_name |
shell_history
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el shell_history del esquema y los sistemas operativos Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| uid | principal.user.userid |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| comando | principal.process.command_line |
| history_file | principal.process.file.full_path |
shimcache
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema shimcache y el SO Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| entry | about.labels.key/value (obsoleto) additional.fields |
| ruta | target.file.full_path |
| modified_time | target.file.last_modification_time |
| execution_flag | about.labels.key/value (obsoleto) additional.fields |
signature
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes a la firma del esquema y al SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| hash_resources | about.labels.key/value (obsoleto) additional.fields |
| arco | about.labels.key/value (obsoleto) additional.fields |
| firmada | target.file.pe_file.signature_info.verified |
| identificador | target.file.pe_file.signature_info.signer |
| cdhash | about.labels.key/value (obsoleto) additional.fields |
| team_identifier | about.labels.key/value (obsoleto) additional.fields |
| autoridad | about.labels.key/value (obsoleto) additional.fields |
sip_config
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema sip_config y el SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| config_flag | about.labels.key/value (obsoleto) additional.fields |
| habilitada | about.labels.key/value (obsoleto) additional.fields |
| enabled_nvram | about.labels.key/value (obsoleto) additional.fields |
socket_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema socket_events y los sistemas operativos Linux y macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| acción | security_result.action_details |
| pid | target.process.pid |
| ruta | target.process.file.full_path |
| fd | about.labels.key/value (obsoleto) additional.fields |
| auid | target.user.userid |
| status | about.labels.key/value (obsoleto) additional.fields |
| familia | about.labels.key/value (obsoleto) additional.fields |
| protocolo | about.labels.key/value (obsoleto) additional.fields |
| local_address | principal.ip |
| remote_address | target.ip |
| local_port | principal.port |
| remote_port | target.port |
| socket | about.labels.key/value (obsoleto) additional.fields |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| Tiempo de actividad | about.labels.key/value (obsoleto) additional.fields |
| EID | metadata.product_log_id |
| correcto | about.labels.key/value (obsoleto) additional.fields |
sudoers
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas sudoers y OS Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| fuente | about.labels.key/value (obsoleto) additional.fields |
| encabezado | about.labels.key/value (obsoleto) additional.fields |
| rule_details | about.labels.key/value (obsoleto) additional.fields |
syslog_events
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema syslog_events y el SO Linux:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| datetime | about.labels.key/value (obsoleto) additional.fields |
| host | target.hostname |
| gravedad | security_result.severity (enum) |
| centro | about.labels.key/value (obsoleto) additional.fields |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| mensaje | about.labels.key/value (obsoleto) additional.fields |
| EID | metadata.product_log_id |
system_info
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los sistemas operativos macOS, Linux, Windows y freebsd del esquema system_info:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| nombre de host | principal.administrative_domain |
| uuid | about.labels.key/value (obsoleto) additional.fields |
| cpu_type | about.labels.key/value (obsoleto) additional.fields |
| cpu_subtype | about.labels.key/value (obsoleto) additional.fields |
| cpu_brand | about.labels.key/value (obsoleto) additional.fields |
| cpu_physical_cores | about.labels.key/value (obsoleto) additional.fields |
| cpu_logical_cores | principal.asset.hardware.cpu_number_cores |
| cpu_microcode | about.labels.key/value (obsoleto) additional.fields |
| physical_memory | about.labels.key/value (obsoleto) additional.fields |
| hardware_vendor | about.labels.key/value (obsoleto) additional.fields |
| hardware_model | principal.asset.hardware.model |
| hardware_version | about.labels.key/value (obsoleto) additional.fields |
| hardware_serial | principal.asset.hardware.serial_number |
| board_vendor | about.labels.key/value (obsoleto) additional.fields |
| board_model | about.labels.key/value (obsoleto) additional.fields |
| board_version | about.labels.key/value (obsoleto) additional.fields |
| board_serial | about.labels.key/value (obsoleto) additional.fields |
| computer_name | about.labels.key/value (obsoleto) additional.fields |
| local_hostname | about.labels.key/value (obsoleto) additional.fields |
tpm_info
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema tpm_info y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| activado | about.labels.key/value (obsoleto) additional.fields |
| habilitada | about.labels.key/value (obsoleto) additional.fields |
| Propiedad | about.labels.key/value (obsoleto) additional.fields |
| manufacturer_version | about.labels.key/value (obsoleto) additional.fields |
| manufacturer_id | about.labels.key/value (obsoleto) additional.fields |
| manufacturer_name | principal.aseet.hardware.manufacturer |
| product_name | principal.resource.name |
| physical_presence_version | about.labels.key/value (obsoleto) additional.fields |
| spec_version | about.labels.key/value (obsoleto) additional.fields |
usb_devices
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas usb_devices y OS Linux y macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| usb_address | about.labels.key/value (obsoleto) additional.fields |
| usb_port | about.labels.key/value (obsoleto) additional.fields |
| vendor | about.labels.key/value (obsoleto) additional.fields |
| vendor_id | about.labels.key/value (obsoleto) additional.fields |
| version | about.labels.key/value (obsoleto) additional.fields |
| modelo | target.asset.hardware.model |
| model_id | about.labels.key/value (obsoleto) additional.fields |
| serial | target.asset.hardware.serial_number |
| clase | about.labels.key/value (obsoleto) additional.fields |
| subclase | about.labels.key/value (obsoleto) additional.fields |
| protocolo | about.labels.key/value (obsoleto) additional.fields |
| extraíble | about.labels.key/value (obsoleto) additional.fields |
user_events
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes al esquema user_events y a los sistemas operativos Linux, macOS y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| uid | principal.user.userid |
| auid | principal.user.attribute.labels.key/value |
| pid | target.process.pid |
| mensaje | metadata.description |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| ruta | target.file.full_path |
| Dirección | about.labels.key/value (obsoleto) additional.fields |
| terminal | about.labels.key/value (obsoleto) additional.fields |
| Tiempo | metadata.collected_timestamp |
| Tiempo de actividad | about.labels.key/value (obsoleto) additional.fields |
| EID | metadata.product_log_id |
user_groups
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes para el esquema user_groups y los sistemas operativos Linux, macOS y Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| uid | principal.user.userid |
| gid | principal.group.product_object_id |
users
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para los usuarios del esquema y los SO macOS, Linux, Windows y freebsd:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| uid | principal.user.userid |
| gid | principal.user.group_identifiers(repeated) |
| uid_signed | about.labels.key/value (obsoleto) additional.fields |
| gid_signed | about.labels.key/value (obsoleto) additional.fields |
| nombre de usuario | principal.user.user_display_name |
| description | about.labels.key/value (obsoleto) additional.fields |
| directorio | about.labels.key/value (obsoleto) additional.fields |
| shell | about.labels.key/value (obsoleto) additional.fields |
| uuid | principal.user.product_object_id |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| is_hidden | about.labels.key/value (obsoleto) additional.fields |
| pid_with_namespace | about.labels.key/value (obsoleto) additional.fields |
wifi_networks
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para el esquema wifi_networks y el SO macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ssid | target.labels.key/value (obsoleto) additional.fields |
| network_name | target.labels.key/value (obsoleto) additional.fields |
| security_type | target.labels.key/value (obsoleto) additional.fields |
| last_connected | about.labels.key/value (obsoleto) additional.fields |
| Passpoint | about.labels.key/value (obsoleto) additional.fields |
| possibly_hidden | about.labels.key/value (obsoleto) additional.fields |
| roaming | about.labels.key/value (obsoleto) additional.fields |
| roaming_profile | about.labels.key/value (obsoleto) additional.fields |
| captive_portal | about.labels.key/value (obsoleto) additional.fields |
| auto_login | target.labels.key/value (obsoleto) additional.fields |
| temporarily_disabled | target.labels.key/value (obsoleto) additional.fields |
| inhabilitada | target.labels.key/value (obsoleto) additional.fields |
windows_crashes
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas Windows_crashes y OS Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| datetime | about.labels.key/value (obsoleto) additional.fields |
| module | about.labels.key/value (obsoleto) additional.fields |
| ruta | target.process.file.full_path |
| pid | target.process.pid |
| tid | about.labels.key/value (obsoleto) additional.fields |
| version | about.labels.key/value (obsoleto) additional.fields |
| process_uptime | about.labels.key/value (obsoleto) additional.fields |
| stack_trace | about.labels.key/value (obsoleto) additional.fields |
| exception_code | about.labels.key/value (obsoleto) additional.fields |
| exception_message | about.labels.key/value (obsoleto) additional.fields |
| exception_address | about.labels.key/value (obsoleto) additional.fields |
| registros | about.labels.key/value (obsoleto) additional.fields |
| command_line | target.process.command_line |
| current_directory | about.labels.key/value (obsoleto) additional.fields |
| nombre de usuario | target.user.user_display_name |
| machine_name | about.labels.key/value (obsoleto) additional.fields |
| major_version | about.labels.key/value (obsoleto) additional.fields |
| minor_version | about.labels.key/value (obsoleto) additional.fields |
| build_number | target.platform_version |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| crash_path | about.labels.key/value (obsoleto) additional.fields |
windows_eventlog
El analizador de eventos de Windows (WINEVTLOG) asigna estos eventos. Para obtener más información, consulta Recoger datos de eventos de Microsoft Windows.
windows_events
El analizador de eventos de Windows (WINEVTLOG) asigna estos eventos. Para obtener más información, consulta el artículo Recoger datos de eventos de Microsoft Windows.
windows_firewall_rules
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema Windows_firewall_rules y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | about.labels.key/value (obsoleto) additional.fields |
| app_name | target.application |
| acción | security_result.action (enum) |
| habilitada | about.labels.key/value (obsoleto) additional.fields |
| agrupación | about.labels.key/value (obsoleto) additional.fields |
| direction | network.direction |
| protocolo | network.ip_protocol |
| local_addresses | principal.ip |
| remote_addresses | target.ip |
| local_ports | principal.port |
| remote_ports | target.port |
| icmp_types_codes | about.labels.key/value (obsoleto) additional.fields |
| profile_domain | about.labels.key/value (obsoleto) additional.fields |
| profile_private | about.labels.key/value (obsoleto) additional.fields |
| profile_public | about.labels.key/value (obsoleto) additional.fields |
| service_name | about.labels.key/value (obsoleto) additional.fields |
windows_security_center
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema Windows_security_center y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| cortafuegos | security_result.detection_fields.key/value |
| actualización automática | security_result.detection_fields.key/value |
| Antivirus | security_result.detection_fields.key/value |
| software antiespía | security_result.detection_fields.key/value |
| internet_settings | security_result.detection_fields.key/value |
| Windows_security_center_service | security_result.detection_fields.key/value |
| user_account_control | security_result.detection_fields.key/value |
windows_security_products
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes a los esquemas Windows_security_products y OS Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| tipo | about.labels.key/value (obsoleto) additional.fields |
| name | target.resource.name |
| estado | about.labels.key/value (obsoleto) additional.fields |
| state_timestamp | about.labels.key/value (obsoleto) additional.fields |
| remediation_path | about.labels.key/value (obsoleto) additional.fields |
| signatures_up_to_date | about.labels.key/value (obsoleto) additional.fields |
wmi_bios_info
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes al esquema wmi_bios_info y al sistema operativo Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| name | about.labels.key/value (obsoleto) additional.fields |
| valor | about.labels.key/value (obsoleto) additional.fields |
yara
En la siguiente tabla se enumeran los campos de registro y las asignaciones de UDM correspondientes para los esquemas yara y OS Linux, macOS, freebsd y Windows:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| ruta | target.file.full_path |
| coincide | about.labels.key/value (obsoleto) additional.fields |
| recuento | about.labels.key/value (obsoleto) additional.fields |
| sig_group | security_result.detection_fields.key/value |
| sigfile | security_result.detection_fields.key/value |
| sigrule | security_result.detection_fields.key/value |
| cadenas | about.labels.key/value (obsoleto) additional.fields |
| etiquetas | about.labels.key/value (obsoleto) additional.fields |
| sigurl | security_result.detection_fields.key/value |
yara_events
En la siguiente tabla se indican los campos de registro y las asignaciones de UDM correspondientes a los esquemas yara_events y OS Linux y macOS:
| Campo de registro | Asignación de UDM |
|---|---|
| metadata.event_type se asigna a SETTING_MODIFICATION | |
| target_path | target.file.full_path |
| categoría | about.labels.key/value (obsoleto) additional.fields |
| acción | security_result.action_details |
| transaction_id | security_result.detection_fields.key/value |
| coincide | about.labels.key/value (obsoleto) additional.fields |
| recuento | about.labels.key/value (obsoleto) additional.fields |
| cadenas | about.labels.key/value (obsoleto) additional.fields |
| etiquetas | about.labels.key/value (obsoleto) additional.fields |
| Tiempo | about.labels.key/value (obsoleto) additional.fields |
| EID | metadata.product_log_id |
Siguientes pasos
¿Necesitas más ayuda? Recibe respuestas de los miembros de la comunidad y de los profesionales de Google SecOps.