Collect Microsoft Windows AD logs
This document contains the following information:
- The deployment architecture, installation steps, and configuration required to generate logs for Microsoft Windows Active Directory events that the Google Security Operations parser supports. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations.
- Information about how the parser maps fields in the original log to Google Security Operations Unified Data Model (UDM) fields.
Depending on your deployment architecture, configure either the Bindplane agent or the NXLog agent to ingest Microsoft Windows Active Directory logs into Google Security Operations. Using the Bindplane agent to forward logs from Windows Active Directory to Google Security Operations is recommended.
The information in this document applies to the parser with the WINDOWS_AD ingestion label. The ingestion label identifies the parser that normalizes raw log data to the structured UDM format.
Before you begin
Before you configure the Bindplane agent or the NXLog agent, complete the following tasks:
- Configure all systems to use the UTC time zone.
- Configure the Microsoft Windows AD server.
- Review supported devices and versions.
- Review supported log types.
Configure the Microsoft Windows AD server
On each Microsoft Windows Active Directory server, create and configure a PowerShell script that stores the log data in an output file. The Bindplane agent or the NXLog agent reads the output file.
```powershell
# Set the location where the log file will be written
$OUTPUT_FILENAME="<Path_of_the_output_file>"
If (Test-Path -Path $OUTPUT_FILENAME) {
  Remove-Item -path $OUTPUT_FILENAME -ErrorAction SilentlyContinue
}

# USER_CONTEXT: Gets all Active Directory users and their properties.
Get-ADUser -Filter * -properties samAccountName | % {
  Get-ADUser $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append
}

# ASSET_CONTEXT: Gets all Active Directory assets and their properties.
Get-ADComputer -Filter * -properties samAccountName | % {
  Get-ADComputer $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append
}
```
Replace the following:
- `$OUTPUT_FILENAME`: replace the value with the location of the output file.

Note the following:
- Store the data in JSON format.
- Set the encoding to UTF-8.
- Use the `-Filter` parameter, not the `-LDAPFilter` parameter, when calling the `Get-ADUser` and `Get-ADComputer` cmdlets.
Create a recurring task that runs the script to fetch the data and write it to the output file:
- Open the Task Scheduler application.
- Click Create Task.
- Enter a name and a description for the task.
- Select the Run with highest privileges checkbox to ensure that all data is retrieved.
- On the Triggers tab, define when the task repeats.
- On the Actions tab, add a new action and provide the path to the file where the script is saved.
Review supported devices and versions
Microsoft Windows Server is released in the Foundation, Essentials, Standard, and Datacenter editions. The event schema of the logs generated by each edition does not differ.
The Google Security Operations parser supports logs from the following Microsoft Windows Server versions:
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
The Google Security Operations parser supports logs collected by NXLog Community Edition or Enterprise Edition.
Review supported log types
The Google Security Operations parser parses and normalizes the data retrieved from the user context and the asset context. It supports logs generated in English text; logs generated in languages other than English are not supported.
Configure the Bindplane agent
Using the Bindplane agent to forward logs from Windows Active Directory to Google Security Operations is recommended.
After installation, the Bindplane agent service appears in the Windows services list as the observIQ service.
- Install the Bindplane agent on each Windows Active Directory server. For details about installing the Bindplane agent, see the Bindplane agent installation instructions.
Create a configuration file for the Bindplane agent with the following content:
```yaml
receivers:
  filelog:
    include: [ FILE_PATH ]
    operators:
      - type: json_parser
    start_at: beginning
  windowseventlog/activedirectoryservice:
    channel: Directory Service
    raw: true
processors:
  batch:
exporters:
  chronicle/activedirectory:
    endpoint: https://malachiteingestion-pa.googleapis.com
    creds: '{
      "type": "service_account",
      "project_id": "malachite-projectname",
      "private_key_id": PRIVATE_KEY_ID,
      "private_key": PRIVATE_KEY,
      "client_email": "SERVICE_ACCOUNT_NAME@malachite-PROJECT_ID.iam.gserviceaccount.com",
      "client_id": CLIENT_ID,
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_NAME%40malachite-PROJECT_ID.iam.gserviceaccount.com",
      "universe_domain": "googleapis.com"
    }'
    log_type: 'WINDOWS_AD'
    override_log_type: false
    raw_log_field: body
    customer_id: CUSTOMER_ID
service:
  pipelines:
    logs/ads:
      receivers:
        - filelog
        - windowseventlog/activedirectoryservice
      processors: [batch]
      exporters: [chronicle/activedirectory]
```
Replace the following:
- `FILE_PATH`: the path to the file where the output of the PowerShell script described in Configure the Microsoft Windows AD server is saved.
- `PRIVATE_KEY_ID`, `PRIVATE_KEY`, `SERVICE_ACCOUNT_NAME`, `PROJECT_ID`, `CLIENT_ID`, and `CUSTOMER_ID`: the corresponding values from the service account JSON file that you can download from Google Cloud. For details about service account keys, see Create and delete service account keys.
To start the Bindplane (formerly observIQ) agent service, select Services > Extended > observIQ service > Start.
Configure the NXLog agent
The following diagram shows the architecture of the NXLog agent installed to collect Microsoft Windows events and send them to Google Security Operations. Compare this information with your environment to make sure these components are installed. Your deployment may differ from this architecture and may be more complex.
If you use the NXLog agent instead of the Bindplane agent, verify the following:
- On each Microsoft Windows Server running Active Directory, a PowerShell script is created and configured to collect USER_CONTEXT and ASSET_CONTEXT data. For details, see Configure the Microsoft Windows AD server.
- NXLog is installed on each Microsoft Windows AD server to send the data to a central Microsoft Windows Server or Linux server.
- The Google Security Operations forwarder is installed on the central Microsoft Windows Server or Linux server so that log data is forwarded to Google Security Operations.
Configure NXLog
- Install the NXLog agent on each collector running on a Windows Active Directory server. This application forwards logs to the central Microsoft Windows or Linux server. For details, see the NXLog documentation.
Create a configuration file for each NXLog instance. Use the NXLog `im_file` module to read from the file and parse its lines, and use `om_tcp` to forward the data to the central Microsoft Windows or Linux server. The following is an example NXLog configuration. Replace the `<hostname>` and `<port>` values with the information for the target central Microsoft Windows or Linux server. In the `<Input in_adcontext>` section, set the `File` attribute to the path of the output log file written by the PowerShell script. Always set `DirCheckInterval` and `PollInterval`; if they are not defined, NXLog polls the file every second.

```
define ROOT C:\Program Files\nxlog
define ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <hostname>
define ADCONTEXT_OUTPUT_DESTINATION_PORT <port>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Input in_adcontext>
  Module im_file
  File "<Path_of_the_output_file>"
  DirCheckInterval 3600
  PollInterval 3600
</Input>

<Output out_chronicle_adcontext>
  Module om_tcp
  Host %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS%
  Port %ADCONTEXT_OUTPUT_DESTINATION_PORT%
</Output>

<Route ad_context_to_chronicle>
  Path in_adcontext => out_chronicle_adcontext
</Route>
```

Start the NXLog service on each system.
Configure the forwarder on the central server
For details about installing and configuring the forwarder on Linux, see Install and configure the forwarder on Linux. For details about installing and configuring the forwarder on Microsoft Windows, see Install and configure the forwarder on Microsoft Windows.
- Configure the system to use the UTC time zone.
- Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server.
Configure the Google Security Operations forwarder to send logs to Google Security Operations. The following is an example forwarder configuration:

```yaml
- syslog:
    common:
      enabled: true
      data_type: WINDOWS_AD
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:10518
    connection_timeout_sec: 60
```
Supported Windows AD log formats
The Windows AD parser supports logs in JSON format.
Supported Windows AD sample logs
JSON:

```json
{ "GivenName": "user1", "Surname": "itadmin", "UserPrincipalName": "user1.itadmin@testdhcp2.local", "Enabled": true, "SamAccountName": "user1.itadmin", "SID": { "BinaryLength": 28, "AccountDomainSid": { "BinaryLength": 24, "AccountDomainSid": "S-1-2-3", "Value": "S-1-2-3" }, "Value": "S-1-2-3-4000" }, "DistinguishedName": "CN=test,CN=Users,DC=testdhcp2,DC=local", "Name": "test", "ObjectClass": "user", "ObjectGuid": "4bde3f8d-8e9e-4ded-9d71-126ba9cd1300", "PropertyNames": [ "AccountExpirationDate", "accountExpires", "AccountLockoutTime", "AccountNotDelegated", "AllowReversiblePasswordEncryption", "AuthenticationPolicy", "AuthenticationPolicySilo", "BadLogonCount", "badPasswordTime", "badPwdCount", "c", "CannotChangePassword", "CanonicalName", "Certificates", "City", "CN", "co", "codePage", "Company", "CompoundIdentitySupported", "Country", "countryCode", "Created", "createTimeStamp", "Deleted", "Department", "Description", "DisplayName", "DistinguishedName", "Division", "DoesNotRequirePreAuth", "dSCorePropagationData", "EmailAddress", "EmployeeID", "EmployeeNumber", "Enabled", "facsimileTelephoneNumber", "Fax", "GivenName", "HomeDirectory", "HomedirRequired", "HomeDrive", "HomePage", "HomePhone", "Initials", "instanceType", "ipPhone", "isDeleted", "KerberosEncryptionType", "l", "LastBadPasswordAttempt", "LastKnownParent", "lastLogoff", "lastLogon", "LastLogonDate", "lastLogonTimestamp", "LockedOut", "lockoutTime", "logonCount", "logonHours", "LogonWorkstations", "mail", "Manager", "MemberOf", "MNSLogonAccount", "mobile", "MobilePhone", "Modified", "modifyTimeStamp", "msDS-SupportedEncryptionTypes", "msDS-User-Account-Control-Computed", "Name", "nTSecurityDescriptor", "ObjectCategory", "ObjectClass", "ObjectGUID", "objectSid", "Office", "OfficePhone", "Organization", "OtherName", "pager", "PasswordExpired", "PasswordLastSet", "PasswordNeverExpires", "PasswordNotRequired", "physicalDeliveryOfficeName", "POBox", "PostalCode", "postOfficeBox", "PrimaryGroup", 
"primaryGroupID", "PrincipalsAllowedToDelegateToAccount", "ProfilePath", "ProtectedFromAccidentalDeletion", "pwdLastSet", "SamAccountName", "sAMAccountType", "ScriptPath", "sDRightsEffective", "ServicePrincipalNames", "SID", "SIDHistory", "SmartcardLogonRequired", "sn", "st", "State", "StreetAddress", "Surname", "telephoneNumber", "Title", "TrustedForDelegation", "TrustedToAuthForDelegation", "UseDESKeyOnly", "userAccountControl", "userCertificate", "userParameters", "UserPrincipalName", "uSNChanged", "uSNCreated", "whenChanged", "whenCreated", "wWWHomePage" ], "AddedProperties": [], "RemovedProperties": [], "ModifiedProperties": [], "PropertyCount": 123, "AccountExpirationDate": null, "accountExpires": 0, "AccountLockoutTime": "\\/Date(1631175863106)\\/", "AccountNotDelegated": true, "AllowReversiblePasswordEncryption": false, "AuthenticationPolicy": [], "AuthenticationPolicySilo": [], "BadLogonCount": 3, "badPasswordTime": 132756494631068585, "badPwdCount": 3, "c": "IN", "CannotChangePassword": false, "CanonicalName": "testdhcp2.local/Users/test", "Certificates": [], "City": "Ahmedabad", "CN": "test", "co": "India", "codePage": 0, "Company": "user", "CompoundIdentitySupported": [ false ], "Country": "IN", "countryCode": 356, "Created": "\\/Date(1628229355000)\\/", "createTimeStamp": "\\/Date(1628229355000)\\/", "Deleted": null, "Department": "it", "Description": "itadmin", "DisplayName": "user1", "Division": "test", "DoesNotRequirePreAuth": false, "dSCorePropagationData": [ "\\/Date(1631191510000)\\/", "\\/Date(-11644473600000)\\/" ], "EmailAddress": "user@dummy.local", "EmployeeID": null, "EmployeeNumber": null, "facsimileTelephoneNumber": "12345678", "Fax": "12345678", "HomeDirectory": "\\\\\\\\DHCP-AD01\\\\ADContext", "HomedirRequired": false, "HomeDrive": "G:", "HomePage": "www.test.com", "HomePhone": "123456789", "Initials": "user1", "instanceType": 4, "ipPhone": "1121", "isDeleted": null, "KerberosEncryptionType": [ 0 ], "l": "ahmedabad", 
"LastBadPasswordAttempt": "\\/Date(1631175863106)\\/", "LastKnownParent": null, "lastLogoff": 0, "lastLogon": 132756492460689244, "LastLogonDate": "\\/Date(1631175025098)\\/", "lastLogonTimestamp": 132756486250985369, "LockedOut": false, "lockoutTime": 132756494631068585, "logonCount": 2, "logonHours": [ 0, 0, 248, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 7, 0, 0, 0, 0, 0, 0 ], "LogonWorkstations": null, "mail": "user@dummy.local", "Manager": "CN=Administrator,CN=Users,DC=testdhcp2,DC=local", "MemberOf": [ "CN=Netwrix Auditor Client Users,CN=Users,DC=dnstest2,DC=local", "CN=Netwrix Auditor Administrators,CN=Users,DC=dnstest2,DC=local", "CN=Group Policy Creator Owners,CN=Users,DC=dnstest2,DC=local", "CN=Domain Admins,CN=Users,DC=dnstest2,DC=local", "CN=Enterprise Admins,CN=Users,DC=dnstest2,DC=local", "CN=Schema Admins,CN=Users,DC=dnstest2,DC=local", "CN=Remote Desktop Users,CN=Builtin,DC=dnstest2,DC=local", "CN=Administrators,CN=Builtin,DC=dnstest2,DC=local" ], "MNSLogonAccount": false, "mobile": "923456789", "MobilePhone": "823456789", "Modified": "\\/Date(1631277960000)\\/", "modifyTimeStamp": "\\/Date(1631277960000)\\/", "msDS-SupportedEncryptionTypes": 0, "msDS-User-Account-Control-Computed": 0, "nTSecurityDescriptor": { "AccessRightType": { "Module": "System.DirectoryServices.dll", "Assembly": "System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a", "TypeHandle": "System.RuntimeTypeHandle", "DeclaringMethod": null, "BaseType": "System.Enum", "UnderlyingSystemType": "System.DirectoryServices.ActiveDirectoryRights", "FullName": "System.DirectoryServices.ActiveDirectoryRights", "AssemblyQualifiedName": "System.DirectoryServices.ActiveDirectoryRights, System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a", "Namespace": "System.DirectoryServices", "GUID": "f65acb9b-4c77-33ff-8523-43e9cc2c5798", "IsEnum": true, "GenericParameterAttributes": null, "IsSecurityCritical": false, 
"IsSecuritySafeCritical": false, "IsSecurityTransparent": true, "IsGenericTypeDefinition": false, "IsGenericParameter": false, "GenericParameterPosition": null, "IsGenericType": false, "IsConstructedGenericType": false, "ContainsGenericParameters": false, "StructLayoutAttribute": "System.Runtime.InteropServices.StructLayoutAttribute", "Name": "ActiveDirectoryRights", "MemberType": 32, "DeclaringType": null, "ReflectedType": null, "MetadataToken": 33554438, "GenericTypeParameters": "", "DeclaredConstructors": "", "DeclaredEvents": "", "DeclaredFields": "Int32 value__ System.DirectoryServices.ActiveDirectoryRights Delete System.DirectoryServices.ActiveDirectoryRights ReadControl System.DirectoryServices.ActiveDirectoryRights WriteDacl System.DirectoryServices.ActiveDirectoryRights WriteOwner System.DirectoryServices.ActiveDirectoryRights Synchronize System.DirectoryServices.ActiveDirectoryRights AccessSystemSecurity System.DirectoryServices.ActiveDirectoryRights GenericRead System.DirectoryServices.ActiveDirectoryRights GenericWrite System.DirectoryServices.ActiveDirectoryRights GenericExecute System.DirectoryServices.ActiveDirectoryRights GenericAll System.DirectoryServices.ActiveDirectoryRights CreateChild System.DirectoryServices.ActiveDirectoryRights DeleteChild System.DirectoryServices.ActiveDirectoryRights ListChildren System.DirectoryServices.ActiveDirectoryRights Self System.DirectoryServices.ActiveDirectoryRights ReadProperty System.DirectoryServices.ActiveDirectoryRights WriteProperty System.DirectoryServices.ActiveDirectoryRights DeleteTree System.DirectoryServices.ActiveDirectoryRights ListObject System.DirectoryServices.ActiveDirectoryRights ExtendedRight", "DeclaredMembers": "Int32 value__ System.DirectoryServices.ActiveDirectoryRights Delete System.DirectoryServices.ActiveDirectoryRights ReadControl System.DirectoryServices.ActiveDirectoryRights WriteDacl System.DirectoryServices.ActiveDirectoryRights WriteOwner 
System.DirectoryServices.ActiveDirectoryRights Synchronize System.DirectoryServices.ActiveDirectoryRights AccessSystemSecurity System.DirectoryServices.ActiveDirectoryRights GenericRead System.DirectoryServices.ActiveDirectoryRights GenericWrite System.DirectoryServices.ActiveDirectoryRights GenericExecute System.DirectoryServices.ActiveDirectoryRights GenericAll System.DirectoryServices.ActiveDirectoryRights CreateChild System.DirectoryServices.ActiveDirectoryRights DeleteChild System.DirectoryServices.ActiveDirectoryRights ListChildren System.DirectoryServices.ActiveDirectoryRights Self System.DirectoryServices.ActiveDirectoryRights ReadProperty System.DirectoryServices.ActiveDirectoryRights WriteProperty System.DirectoryServices.ActiveDirectoryRights DeleteTree System.DirectoryServices.ActiveDirectoryRights ListObject System.DirectoryServices.ActiveDirectoryRights ExtendedRight", "DeclaredMethods": "", "DeclaredNestedTypes": "", "DeclaredProperties": "", "ImplementedInterfaces": "System.IComparable System.IFormattable System.IConvertible", "TypeInitializer": null, "IsNested": false, "Attributes": 257, "IsVisible": true, "IsNotPublic": false, "IsPublic": true, "IsNestedPublic": false, "IsNestedPrivate": false, "IsNestedFamily": false, "IsNestedAssembly": false, "IsNestedFamANDAssem": false, "IsNestedFamORAssem": false, "IsAutoLayout": true, "IsLayoutSequential": false, "IsExplicitLayout": false, "IsClass": false, "IsInterface": false, "IsValueType": true, "IsAbstract": false, "IsSealed": true, "IsSpecialName": false, "IsImport": false, "IsSerializable": true, "IsAnsiClass": true, "IsUnicodeClass": false, "IsAutoClass": false, "IsArray": false, "IsByRef": false, "IsPointer": false, "IsPrimitive": false, "IsCOMObject": false, "HasElementType": false, "IsContextful": false, "IsMarshalByRef": false, "GenericTypeArguments": "", "CustomAttributes": "[System.FlagsAttribute()]" }, "AccessRuleType": { "Module": "System.DirectoryServices.dll", "Assembly": 
"System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a", "TypeHandle": "System.RuntimeTypeHandle", "DeclaringMethod": null, "BaseType": "System.Security.AccessControl.ObjectAccessRule", "UnderlyingSystemType": "System.DirectoryServices.ActiveDirectoryAccessRule", "FullName": "System.DirectoryServices.ActiveDirectoryAccessRule", "AssemblyQualifiedName": "System.DirectoryServices.ActiveDirectoryAccessRule, System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a", "Namespace": "System.DirectoryServices", "GUID": "0db7ea8c-53d9-3d6d-8b09-bb209cf0d0ae", "IsEnum": false, "GenericParameterAttributes": null, "IsSecurityCritical": false, "IsSecuritySafeCritical": false, "IsSecurityTransparent": true, "IsGenericTypeDefinition": false, "IsGenericParameter": false, "GenericParameterPosition": null, "IsGenericType": false, "IsConstructedGenericType": false, "ContainsGenericParameters": false, "StructLayoutAttribute": "System.Runtime.InteropServices.StructLayoutAttribute", "Name": "ActiveDirectoryAccessRule", "MemberType": 32, "DeclaringType": null, "ReflectedType": null, "MetadataToken": 33554445, "GenericTypeParameters": "", "DeclaredConstructors": "Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType, System.DirectoryServices.ActiveDirectorySecurityInheritance) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType, System.Guid, System.DirectoryServices.ActiveDirectorySecurityInheritance) Void 
.ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType, System.DirectoryServices.ActiveDirectorySecurityInheritance, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType, System.Guid, System.DirectoryServices.ActiveDirectorySecurityInheritance, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, Int32, System.Security.AccessControl.AccessControlType, System.Guid, Boolean, System.Security.AccessControl.InheritanceFlags, System.Security.AccessControl.PropagationFlags, System.Guid)", "DeclaredEvents": "", "DeclaredFields": "", "DeclaredMembers": "System.DirectoryServices.ActiveDirectoryRights get_ActiveDirectoryRights() System.DirectoryServices.ActiveDirectorySecurityInheritance get_InheritanceType() Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType, System.DirectoryServices.ActiveDirectorySecurityInheritance) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType, System.Guid, System.DirectoryServices.ActiveDirectorySecurityInheritance) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType, System.DirectoryServices.ActiveDirectorySecurityInheritance, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, 
System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AccessControlType, System.Guid, System.DirectoryServices.ActiveDirectorySecurityInheritance, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, Int32, System.Security.AccessControl.AccessControlType, System.Guid, Boolean, System.Security.AccessControl.InheritanceFlags, System.Security.AccessControl.PropagationFlags, System.Guid) System.DirectoryServices.ActiveDirectoryRights ActiveDirectoryRights System.DirectoryServices.ActiveDirectorySecurityInheritance InheritanceType", "DeclaredMethods": "System.DirectoryServices.ActiveDirectoryRights get_ActiveDirectoryRights() System.DirectoryServices.ActiveDirectorySecurityInheritance get_InheritanceType()", "DeclaredNestedTypes": "", "DeclaredProperties": "System.DirectoryServices.ActiveDirectoryRights ActiveDirectoryRights System.DirectoryServices.ActiveDirectorySecurityInheritance InheritanceType", "ImplementedInterfaces": "", "TypeInitializer": null, "IsNested": false, "Attributes": 1048577, "IsVisible": true, "IsNotPublic": false, "IsPublic": true, "IsNestedPublic": false, "IsNestedPrivate": false, "IsNestedFamily": false, "IsNestedAssembly": false, "IsNestedFamANDAssem": false, "IsNestedFamORAssem": false, "IsAutoLayout": true, "IsLayoutSequential": false, "IsExplicitLayout": false, "IsClass": true, "IsInterface": false, "IsValueType": false, "IsAbstract": false, "IsSealed": false, "IsSpecialName": false, "IsImport": false, "IsSerializable": false, "IsAnsiClass": true, "IsUnicodeClass": false, "IsAutoClass": false, "IsArray": false, "IsByRef": false, "IsPointer": false, "IsPrimitive": false, "IsCOMObject": false, "HasElementType": false, "IsContextful": false, "IsMarshalByRef": false, "GenericTypeArguments": "", "CustomAttributes": "" }, "AuditRuleType": { "Module": "System.DirectoryServices.dll", "Assembly": "System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a", "TypeHandle": 
"System.RuntimeTypeHandle", "DeclaringMethod": null, "BaseType": "System.Security.AccessControl.ObjectAuditRule", "UnderlyingSystemType": "System.DirectoryServices.ActiveDirectoryAuditRule", "FullName": "System.DirectoryServices.ActiveDirectoryAuditRule", "AssemblyQualifiedName": "System.DirectoryServices.ActiveDirectoryAuditRule, System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a", "Namespace": "System.DirectoryServices", "GUID": "4ad0312a-2ed0-3526-97ec-f9c6f310c5e0", "IsEnum": false, "GenericParameterAttributes": null, "IsSecurityCritical": false, "IsSecuritySafeCritical": false, "IsSecurityTransparent": true, "IsGenericTypeDefinition": false, "IsGenericParameter": false, "GenericParameterPosition": null, "IsGenericType": false, "IsConstructedGenericType": false, "ContainsGenericParameters": false, "StructLayoutAttribute": "System.Runtime.InteropServices.StructLayoutAttribute", "Name": "ActiveDirectoryAuditRule", "MemberType": 32, "DeclaringType": null, "ReflectedType": null, "MetadataToken": 33554453, "GenericTypeParameters": "", "DeclaredConstructors": "Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags, System.DirectoryServices.ActiveDirectorySecurityInheritance) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags, System.Guid, System.DirectoryServices.ActiveDirectorySecurityInheritance) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags, 
System.DirectoryServices.ActiveDirectorySecurityInheritance, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags, System.Guid, System.DirectoryServices.ActiveDirectorySecurityInheritance, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, Int32, System.Security.AccessControl.AuditFlags, System.Guid, Boolean, System.Security.AccessControl.InheritanceFlags, System.Security.AccessControl.PropagationFlags, System.Guid)", "DeclaredEvents": "", "DeclaredFields": "", "DeclaredMembers": "System.DirectoryServices.ActiveDirectoryRights get_ActiveDirectoryRights() System.DirectoryServices.ActiveDirectorySecurityInheritance get_InheritanceType() Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags, System.DirectoryServices.ActiveDirectorySecurityInheritance) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags, System.Guid, System.DirectoryServices.ActiveDirectorySecurityInheritance) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags, System.DirectoryServices.ActiveDirectorySecurityInheritance, System.Guid) Void .ctor(System.Security.Principal.IdentityReference, System.DirectoryServices.ActiveDirectoryRights, System.Security.AccessControl.AuditFlags, System.Guid, System.DirectoryServices.ActiveDirectorySecurityInheritance, System.Guid) Void 
.ctor(System.Security.Principal.IdentityReference, Int32, System.Security.AccessControl.AuditFlags, System.Guid, Boolean, System.Security.AccessControl.InheritanceFlags, System.Security.AccessControl.PropagationFlags, System.Guid) System.DirectoryServices.ActiveDirectoryRights ActiveDirectoryRights System.DirectoryServices.ActiveDirectorySecurityInheritance InheritanceType", "DeclaredMethods": "System.DirectoryServices.ActiveDirectoryRights get_ActiveDirectoryRights() System.DirectoryServices.ActiveDirectorySecurityInheritance get_InheritanceType()", "DeclaredNestedTypes": "", "DeclaredProperties": "System.DirectoryServices.ActiveDirectoryRights ActiveDirectoryRights System.DirectoryServices.ActiveDirectorySecurityInheritance InheritanceType", "ImplementedInterfaces": "", "TypeInitializer": null, "IsNested": false, "Attributes": 1048577, "IsVisible": true, "IsNotPublic": false, "IsPublic": true, "IsNestedPublic": false, "IsNestedPrivate": false, "IsNestedFamily": false, "IsNestedAssembly": false, "IsNestedFamANDAssem": false, "IsNestedFamORAssem": false, "IsAutoLayout": true, "IsLayoutSequential": false, "IsExplicitLayout": false, "IsClass": true, "IsInterface": false, "IsValueType": false, "IsAbstract": false, "IsSealed": false, "IsSpecialName": false, "IsImport": false, "IsSerializable": false, "IsAnsiClass": true, "IsUnicodeClass": false, "IsAutoClass": false, "IsArray": false, "IsByRef": false, "IsPointer": false, "IsPrimitive": false, "IsCOMObject": false, "HasElementType": false, "IsContextful": false, "IsMarshalByRef": false, "GenericTypeArguments": "", "CustomAttributes": "" }, "AreAccessRulesProtected": false, "AreAuditRulesProtected": false, "AreAccessRulesCanonical": true, "AreAuditRulesCanonical": true }, "ObjectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=testdhcp2,DC=local", "ObjectGUID": "4bde3f8d-8e9e-4ded-9d71-126ba9cd1300", "objectSid": { "BinaryLength": 28, "AccountDomainSid": { "BinaryLength": 24, "AccountDomainSid": "S-1-2-3", "Value": 
"S-1-2-3" }, "Value": "S-1-2-3-4000m" }, "Office": "db office", "OfficePhone": "91-123456789", "Organization": null, "OtherName": null, "pager": "234567890", "PasswordExpired": false, "PasswordLastSet": "\\/Date(1631174951326)\\/", "PasswordNeverExpires": false, "PasswordNotRequired": false, "physicalDeliveryOfficeName": "db office", "POBox": "dummy", "PostalCode": "380015", "postOfficeBox": [ "dummy" ], "PrimaryGroup": "CN=Domain Users,CN=Users,DC=testdhcp2,DC=local", "primaryGroupID": 513, "PrincipalsAllowedToDelegateToAccount": [], "ProfilePath": null, "ProtectedFromAccidentalDeletion": false, "pwdLastSet": 132756485513268133, "sAMAccountType": 805306368, "ScriptPath": null, "sDRightsEffective": 15, "ServicePrincipalNames": [], "SIDHistory": [], "SmartcardLogonRequired": false, "sn": "itadmin", "st": "Gujarat", "State": "Gujarat", "StreetAddress": "1,user street ,dummy,dummy", "telephoneNumber": "91-123456789", "Title": "it admin", "TrustedForDelegation": false, "TrustedToAuthForDelegation": false, "UseDESKeyOnly": false, "userAccountControl": 1049088, "userCertificate": [], "userParameters": null, "uSNChanged": 57594, "uSNCreated": 32800, "whenChanged": "\\/Date(1631277960000)\\/", "whenCreated": "\\/Date(1628229355000)\\/", "wWWHomePage": "www.test.com" }
```
Field mapping reference: device log fields to UDM fields
This section describes how the parser maps fields from the log to Unified Data Model (UDM) fields.
Field mapping reference: WINDOWS_AD
The following table lists the log fields of the WINDOWS_AD log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.entity_type | If the ObjectClass log field value is equal to user or is empty, then the metadata.entity_type UDM field is set to USER. Else, if the ObjectClass log field value is equal to computer, then the metadata.entity_type UDM field is set to ASSET. Else, if the ObjectClass log field value is equal to group, then the metadata.entity_type UDM field is set to GROUP. |
| ObjectGuid | entity.user.product_object_id | If the ObjectClass log field value is equal to user or is empty, then if the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.user.product_object_id UDM field. Else, if the ObjectClass log field value is equal to computer, then if the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.asset.product_object_id UDM field. |
| whenCreated | metadata.creation_timestamp | If the ObjectClass log field value is equal to user or is empty, then if the whenCreated log field value is not empty, then when_created is extracted from the whenCreated log field using a Grok pattern and mapped to the entity.asset.attribute.creation_time UDM field. Else, if the ObjectClass log field value is equal to computer, then if the whenCreated log field value is not empty, then when_created is extracted from the whenCreated log field using a Grok pattern and mapped to the metadata.creation_timestamp UDM field. Else, timestamp, tz_left and tz_right are extracted from the whenCreated log field using a Grok pattern, and the combined value timestamp tz_left tz_right is mapped to the entity.asset.attribute.creation_time UDM field. |
| DisplayName | entity.user.user_display_name | If the ObjectClass log field value is equal to user or is empty, then if the DisplayName log field value is not empty, then the DisplayName log field is mapped to the entity.user.user_display_name UDM field. |
| GivenName | entity.user.first_name | If the ObjectClass log field value is equal to user or is empty, then if the GivenName log field value is not empty, then the GivenName log field is mapped to the entity.user.first_name UDM field. |
| SamAccountName | entity.user.userid | If the ObjectClass log field value is equal to user or is empty, then if the SamAccountName log field value is not empty, then the SamAccountName log field is mapped to the entity.user.userid UDM field. If the ObjectClass log field value is equal to computer, then the SamAccountName log field is mapped to the entity.asset.asset_id UDM field. |
| EmployeeID | entity.user.employee_id | If the EmployeeID log field value is not empty, then the EmployeeID log field is mapped to the entity.user.employee_id UDM field. Else, the employeeID.0 log field is mapped to the entity.user.employee_id UDM field. |
| Title | entity.user.title | If the Title log field value is not empty, then the Title log field is mapped to the entity.user.title UDM field. |
| Surname | entity.user.last_name | If the ObjectClass log field value is equal to user or is empty, then if the sn log field value is not empty, then the sn log field is mapped to the entity.user.last_name UDM field. Else, if the Surname log field value is not empty, then the Surname log field is mapped to the entity.user.last_name UDM field. |
| Company | entity.user.company_name | If the ObjectClass log field value is equal to user or is empty, then if the Company log field value is not empty, then the Company log field is mapped to the entity.user.company_name UDM field. |
| City | entity.user.personal_address.city | If the ObjectClass log field value is equal to user or is empty, then if the City log field value is not empty, then the City log field is mapped to the entity.user.personal_address.city UDM field. |
| Department | entity.user.department | If the ObjectClass log field value is equal to user or is empty, then if the Department log field value is not empty, then the Department log field is mapped to the entity.user.department UDM field. |
| | entity.user.email_addresses | If the ObjectClass log field value is equal to user or is empty, then if the EmailAddress log field value is not empty, then the EmailAddress log field is mapped to the entity.user.email_addresses UDM field. Else, if the mail log field value is not empty, then the mail log field is mapped to the entity.user.email_addresses UDM field. |
| HomePhone | entity.user.phone_numbers | If the ObjectClass log field value is equal to user or is empty, then if the HomePhone log field value is not empty, then the HomePhone log field is mapped to the entity.user.phone_numbers UDM field. Else, if the telephoneNumber log field value is not empty, then the telephoneNumber log field is mapped to the entity.user.phone_numbers UDM field. If the ObjectClass log field value is equal to user or is empty, then if the MobilePhone log field value is not empty, then the MobilePhone log field is mapped to the entity.user.phone_numbers UDM field. If the ObjectClass log field value is equal to user or is empty, then if the otherMobile log field value is not empty, then the otherMobile log field is mapped to the entity.user.phone_numbers UDM field. |
| StreetAddress | entity.user.personal_address.name | If the ObjectClass log field value is equal to user or is empty, then if the StreetAddress log field value is not empty, then the StreetAddress log field is mapped to the entity.user.personal_address.name UDM field. |
| State | entity.user.personal_address.state | If the ObjectClass log field value is equal to user or is empty, then if the State log field value is not empty, then the State log field is mapped to the entity.user.personal_address.state UDM field. |
| Country | entity.user.personal_address.country_or_region | If the ObjectClass log field value is equal to user or is empty, then if the Country log field value is not empty, then the Country log field is mapped to the entity.user.personal_address.country_or_region UDM field. |
| Office | entity.user.office_address.name | If the ObjectClass log field value is equal to user or is empty, then if the Office log field value is not empty, then the Office log field is mapped to the entity.user.office_address.name UDM field. |
| HomeDirectory | entity.file.full_path | If the ObjectClass log field value is equal to user or is empty, then if the HomeDirectory log field value is not empty, then the HomeDirectory log field is mapped to the entity.file.full_path UDM field. |
| | entity.user.managers.user_display_name | If the ObjectClass log field value is equal to user or is empty, then if the Manager log field value is not empty, then manager_name is extracted from the Manager log field using a Grok pattern and mapped to the entity.user.managers.user_display_name UDM field. |
| | entity.user.windows_sid | If the SID.Value log field value is not empty, then the SID.Value field is mapped to the entity.user.windows_sid UDM field. Else, if the objectSid log field value is not empty, then the objectSid field is mapped to the entity.user.windows_sid UDM field. If the ObjectClass log field value is equal to user or is empty, then if the Manager log field value is not empty, then if Manager matches the regular expression pattern (S-\d-(\d+-){1,14}\d+), then the Manager log field is mapped to the entity.user.managers.windows_sid UDM field. Else, the Manager log field is mapped to the entity.user.managers.userid UDM field. |
| | relations.relationship | If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for each index in MemberOf, the relations.relationship UDM field is set to MEMBER. Else, if the ObjectClass log field value is equal to computer, then if the ManagedBy log field value is not empty, then the relations.relationship UDM field is set to ADMINISTERS. If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern; if the extracted group_name value is not empty, then the relations.relationship UDM field is set to MEMBER. |
| | relations.entity.group.group_display_name | If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for each index in MemberOf, group_name is extracted from the index using a Grok pattern and mapped to the relations.entity.group.group_display_name UDM field. If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern and mapped to the relations.entity.group.group_display_name UDM field. |
| | relations.entity_type | If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for each index in MemberOf, the relations.entity_type UDM field is set to GROUP. Else, if the ObjectClass log field value is equal to computer, then if the ManagedBy log field value is not empty, then the relations.entity_type UDM field is set to ASSET. If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern; if the extracted group_name value is not empty, then the relations.entity_type UDM field is set to GROUP. |
| | relations.direction | If the ObjectClass log field value is equal to user or is empty, then if the MemberOf log field value is not empty, then for each index in MemberOf, the relations.direction UDM field is set to UNIDIRECTIONAL. Else, if the ObjectClass log field value is equal to computer, then if the ManagedBy log field value is not empty, then the relations.direction UDM field is set to UNIDIRECTIONAL. If the PrimaryGroup log field value is not empty, then group_name is extracted from the PrimaryGroup log field using a Grok pattern; if the extracted group_name value is not empty, then the relations.direction UDM field is set to UNIDIRECTIONAL. |
| | relations.entity.user.user_display_name | If the ObjectClass log field value is equal to computer, then if the ManagedBy log field value is not empty, then user_name is extracted from the ManagedBy log field using a Grok pattern and mapped to the relations.entity.user.user_display_name UDM field. |
| proxyAddresses | entity.user.group_identifiers | If the ObjectClass log field value is equal to user or is empty, then for each index in proxyAddresses, the index is mapped to the entity.user.group_identifiers UDM field. |
| | entity.user.attribute.labels[Bad Password Count] | If the ObjectClass log field value is equal to user or is empty, then if the badPwdCount log field value is not empty, then the entity.user.attribute.labels.key UDM field is set to Bad Password Count and the badPwdCount log field is mapped to the entity.user.attribute.labels.value UDM field. |
| LastBadPasswordAttempt | entity.user.last_bad_password_attempt_time | If the ObjectClass log field value is equal to user or is empty, then if the LastBadPasswordAttempt log field value is not empty, then last_bad_password_attempt is extracted from the LastBadPasswordAttempt log field using a Grok pattern and mapped to the entity.user.last_bad_password_attempt_time UDM field. Else, if the ObjectClass log field value is equal to computer, then last_bad_password_attempt is extracted from the LastBadPasswordAttempt log field using a Grok pattern and mapped to the entity.user.last_bad_password_attempt_time UDM field. |
| AccountExpirationDate | entity.user.account_expiration_time | If the ObjectClass log field value is equal to user or is empty, then if the AccountExpirationDate log field value is not empty, then account_expiration_date is extracted from the AccountExpirationDate log field using a Grok pattern and mapped to the entity.user.account_expiration_time UDM field. Else, if the ObjectClass log field value is equal to computer, then if the AccountExpirationDate log field value is not empty, then account_expiration_date is extracted from the AccountExpirationDate log field using a Grok pattern and mapped to the entity.user.account_expiration_time UDM field. |
| PasswordLastSet | entity.user.last_password_change_time | If the ObjectClass log field value is equal to user or is empty, then if the PasswordLastSet log field value is not empty, then password_last_set is extracted from the PasswordLastSet log field using a Grok pattern and mapped to the entity.user.last_password_change_time UDM field. Else, if the ObjectClass log field value is equal to computer, then if the PasswordLastSet log field value is not empty, then password_last_set is extracted from the PasswordLastSet log field using a Grok pattern and mapped to the entity.user.last_password_change_time UDM field. |
| PasswordNotRequired | entity.user.attribute.labels[Password Not Required] | If the ObjectClass log field value is equal to user or is empty, then if the PasswordNotRequired log field value is not empty, then the PasswordNotRequired log field is mapped to the entity.user.attribute.labels.value UDM field. If the ObjectClass log field value is equal to computer, then if the PasswordNotRequired log field value is not empty, then the PasswordNotRequired log field is mapped to the entity.asset.attribute.labels.value UDM field. |
| ServicePrincipalNames | entity.user.attribute.labels[Service Principal Names] | If the ObjectClass log field value is equal to user or is empty, then if the ServicePrincipalNames log field value is not empty, then for each index in ServicePrincipalNames, the index is mapped to the entity.user.attribute.labels.value UDM field. Else, if the ObjectClass log field value is equal to computer, then if the ServicePrincipalNames log field value is not empty, then for each index in ServicePrincipalNames, if index is equal to 0, then the index is mapped to the entity.user.attribute.labels.value UDM field. |
| AccountLockoutTime | entity.user.account_lockout_time | If the ObjectClass log field value is equal to user or is empty, then if the AccountLockoutTime log field value is not empty, then account_lockout_time is extracted from the AccountLockoutTime log field using a Grok pattern and mapped to the entity.user.account_lockout_time UDM field. Else, if the ObjectClass log field value is equal to computer, then if the AccountLockoutTime log field value is not empty, then account_lockout_time is extracted from the AccountLockoutTime log field using a Grok pattern and mapped to the entity.user.account_lockout_time UDM field. |
| whenChanged | entity.asset.attribute.last_update_time | If the ObjectClass log field value is equal to computer, then when_changed is extracted from the whenChanged log field using a Grok pattern; if whenChanged is not empty, then when_changed is mapped to the entity.asset.attribute.last_update_time UDM field. Else, timestamp and timezone are extracted from the whenChanged log field using a Grok pattern, tz_left and tz_right are extracted from the timezone using a Grok pattern, and the combined value timestamp tz_left tz_right is mapped to the entity.asset.attribute.creation_time UDM field. |
| DNSHostName | entity.asset.hostname | If the ObjectClass log field value is equal to computer and the DNSHostName log field value is not empty, then the hostname portion of the DNSHostName field is mapped to the entity.asset.hostname UDM field. To extract the hostname, the DNSHostName value is split into two parts: the text before the first dot (.), which is the hostname, and the text after the first dot (.), which is the domain. Only the portion before the first dot (the hostname) is mapped to entity.asset.hostname. |
| countryCode | entity.asset.location.country_or_region | If the ObjectClass log field value is equal to computer, then if the countryCode log field value is not empty, then the countryCode log field is mapped to the entity.asset.location.country_or_region UDM field. |
| | entity.asset.platform_software.platform | If the ObjectClass log field value is equal to computer, then if the OperatingSystem log field value is not empty, then if the OperatingSystem log field value matches the regular expression pattern (?i)windows, then the entity.asset.platform_software.platform UDM field is set to WINDOWS. Else, if the OperatingSystem log field value matches the regular expression pattern (?i)mac or the OperatingSystem log field value matches the regular expression pattern (?i)osx, then the entity.asset.platform_software.platform UDM field is set to MAC. Else, if the OperatingSystem log field value matches the regular expression pattern (?i)linux, then the entity.asset.platform_software.platform UDM field is set to LINUX. |
| OperatingSystemVersion | entity.asset.platform_software.platform_version | If the ObjectClass log field value is equal to computer, then if the OperatingSystem log field value is not empty, then if the OperatingSystemVersion log field value is not empty, then OperatingSystem - OperatingSystemVersion is mapped to the entity.asset.platform_software.platform_version UDM field. Else, if the OperatingSystemVersion log field value is not empty, then the OperatingSystemVersion log field is mapped to the entity.asset.platform_software.platform_version UDM field. |
| OperatingSystemServicePack | entity.asset.platform_software.platform_patch_level | If the ObjectClass log field value is equal to computer, then if the OperatingSystemServicePack log field value is not empty, then the OperatingSystemServicePack log field is mapped to the entity.asset.platform_software.platform_patch_level UDM field. |
| IPv4Address | entity.asset.ip | If the ObjectClass log field value is equal to computer, then if the IPv4Address log field value is not empty, then the IPv4Address log field is mapped to the entity.asset.ip UDM field. |
| IPv6Address | entity.asset.ip | If the ObjectClass log field value is equal to computer, then if the IPv6Address log field value is not empty, then the IPv6Address log field is mapped to the entity.asset.ip UDM field. |
| Location | entity.asset.location.name | If the ObjectClass log field value is equal to computer, then if the Location log field value is not empty, then the Location log field is mapped to the entity.asset.location.name UDM field. |
| ObjectCategory | entity.asset.category | If the ObjectClass log field value is equal to computer, then if the ObjectCategory log field value is not empty, then object_category is extracted from the ObjectCategory log field using a Grok pattern and mapped to the entity.asset.category UDM field. |
| PasswordExpired | entity.asset.attribute.labels[Password Expired] | If the ObjectClass log field value is equal to computer, then if the PasswordExpired log field value is not empty, then the PasswordExpired log field is mapped to the entity.asset.attribute.labels.value UDM field. If the ObjectClass log field value is equal to user or is empty, then if the PasswordExpired log field value is not empty, then the PasswordExpired log field is mapped to the entity.user.attribute.labels.value UDM field. |
| PasswordNeverExpires | entity.asset.attribute.labels[Password Never Expires] | If the ObjectClass log field value is equal to computer, then if the PasswordNeverExpires log field value is not empty, then the PasswordNeverExpires log field is mapped to the entity.asset.attribute.labels.value UDM field. If the ObjectClass log field value is equal to user or is empty, then if the PasswordNeverExpires log field value is not empty, then the PasswordNeverExpires log field is mapped to the entity.user.attribute.labels.value UDM field. |
| | entity.user.attribute.labels[Last Logon] | If the ObjectClass log field value is equal to user or is empty, then if the lastLogon log field value is not equal to 0, then the entity.user.attribute.labels.key UDM field is set to Last Logon and the lastLogon log field is mapped to the entity.user.attribute.labels.value UDM field. If the ObjectClass log field value is equal to computer, then if the lastLogon log field value is not equal to 0, then the entity.asset.attribute.labels.key UDM field is set to Last Logon and the lastLogon log field is mapped to the entity.asset.attribute.labels.value UDM field. |
| lastLogoff | entity.asset.attribute.labels[Last Logoff] | If the ObjectClass log field value is equal to computer, then if the lastLogoff log field value does not contain one of the following values, then the lastLogoff log field is mapped to the entity.asset.attribute.labels.value UDM field. |
| LastLogonDate | entity.user.last_login_time | If the ObjectClass log field value is equal to user or is empty, then if the LastLogonDate log field value is not empty, then last_logon_date is extracted from the LastLogonDate log field using a Grok pattern and mapped to the entity.user.last_login_time UDM field. Else, if the ObjectClass log field value is equal to computer, then if the LastLogonDate log field value is not empty, then last_logon_date is extracted from the LastLogonDate log field using a Grok pattern and mapped to the entity.user.last_login_time UDM field. |
| HomePage | entity.url | If the HomePage log field value is not empty, then the HomePage log field is mapped to the entity.url UDM field. |
| | entity.administrative_domain | If the CanonicalName log field value is not empty, then domain_name is extracted from the CanonicalName log field using a Grok pattern and mapped to the entity.administrative_domain UDM field. |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Microsoft. |
| | metadata.product_name | The metadata.product_name UDM field is set to Windows Active Directory. |
| Description | metadata.description | The Description log field is mapped to the metadata.description UDM field. |
| AccountNameHistory | entity.group.attribute.labels[account_name_history] | If the ObjectClass log field value is equal to group, then if the AccountNameHistory log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to account_name_history and the AccountNameHistory log field is mapped to the entity.group.attribute.labels.value UDM field. |
| AdminCount | entity.group.attribute.labels[admin_count] | If the ObjectClass log field value is equal to group, then if the AdminCount log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to admin_count and the AdminCount log field is mapped to the entity.group.attribute.labels.value UDM field. |
| AdminDescription | entity.group.attribute.labels[admin_description] | If the ObjectClass log field value is equal to group, then if the AdminDescription log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to admin_description and the AdminDescription log field is mapped to the entity.group.attribute.labels.value UDM field. |
| AllowedAttributes | entity.group.attribute.labels[allowed_attributes] | If the ObjectClass log field value is equal to group, then if the AllowedAttributes log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to allowed_attributes and the AllowedAttributes log field is mapped to the entity.group.attribute.labels.value UDM field. |
| AllowedAttributesEffective | entity.group.attribute.labels[allowed_attributes_effective] | If the ObjectClass log field value is equal to group, then if the AllowedAttributesEffective log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to allowed_attributes_effective and the AllowedAttributesEffective log field is mapped to the entity.group.attribute.labels.value UDM field. |
| AllowedChildClasses | entity.group.attribute.labels[allowed_child_classes] | If the ObjectClass log field value is equal to group, then if the AllowedChildClasses log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to allowed_child_classes and the AllowedChildClasses log field is mapped to the entity.group.attribute.labels.value UDM field. |
| AllowedChildClassesEffective | entity.group.attribute.labels[allowed_child_classes_effective] | If the ObjectClass log field value is equal to group, then if the AllowedChildClassesEffective log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to allowed_child_classes_effective and the AllowedChildClassesEffective log field is mapped to the entity.group.attribute.labels.value UDM field. |
| AltSecurityIdentities | entity.group.attribute.labels[alt_security_identities] | If the ObjectClass log field value is equal to group, then if the AltSecurityIdentities log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to alt_security_identities and the AltSecurityIdentities log field is mapped to the entity.group.attribute.labels.value UDM field. |
| BridgeheadServerListBL | entity.group.attribute.labels[bridgehead_server_list_bl] | If the ObjectClass log field value is equal to group, then if the BridgeheadServerListBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to bridgehead_server_list_bl and the BridgeheadServerListBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| CommonName | entity.group.attribute.labels[common_name] | If the ObjectClass log field value is equal to group, then if the CommonName log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to common_name and the CommonName log field is mapped to the entity.group.attribute.labels.value UDM field. |
| ControlAccessRights | entity.group.attribute.labels[control_access_rights] | If the ObjectClass log field value is equal to group, then if the ControlAccessRights log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to control_access_rights and the ControlAccessRights log field is mapped to the entity.group.attribute.labels.value UDM field. |
| DisplayNamePrintable | entity.group.attribute.labels[display_name_printable] | If the ObjectClass log field value is equal to group, then if the DisplayNamePrintable log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to display_name_printable and the DisplayNamePrintable log field is mapped to the entity.group.attribute.labels.value UDM field. |
| DSASignature | entity.group.attribute.labels[dsa_signature] | If the ObjectClass log field value is equal to group, then if the DSASignature log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to dsa_signature and the DSASignature log field is mapped to the entity.group.attribute.labels.value UDM field. |
| DSCorePropagationData | entity.group.attribute.labels[ds_core_propagation_data] | If the ObjectClass log field value is equal to group, then if the DSCorePropagationData log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ds_core_propagation_data and the DSCorePropagationData log field is mapped to the entity.group.attribute.labels.value UDM field. |
| ExtensionName | entity.group.attribute.labels[extension_name] | If the ObjectClass log field value is equal to group, then if the ExtensionName log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to extension_name and the ExtensionName log field is mapped to the entity.group.attribute.labels.value UDM field. |
| Flags | entity.group.attribute.labels[flags] | If the ObjectClass log field value is equal to group, then if the Flags log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to flags and the Flags log field is mapped to the entity.group.attribute.labels.value UDM field. |
| FromEntry | entity.group.attribute.labels[from_entry] | If the ObjectClass log field value is equal to group, then if the FromEntry log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to from_entry and the FromEntry log field is mapped to the entity.group.attribute.labels.value UDM field. |
| FrsComputerReferenceBL | entity.group.attribute.labels[frs_computer_reference_bl] | If the ObjectClass log field value is equal to group, then if the FrsComputerReferenceBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to frs_computer_reference_bl and the FrsComputerReferenceBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| FRSMemberReferenceBL | entity.group.attribute.labels[frs_member_reference_bl] | If the ObjectClass log field value is equal to group, then if the FRSMemberReferenceBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to frs_member_reference_bl and the FRSMemberReferenceBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| FSMORoleOwner | entity.group.attribute.labels[fsmo_role_owner] | If the ObjectClass log field value is equal to group, then if the FSMORoleOwner log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to fsmo_role_owner and the FSMORoleOwner log field is mapped to the entity.group.attribute.labels.value UDM field. |
| GarbageCollPeriod | entity.group.attribute.labels[garbage_coll_period] | If the ObjectClass log field value is equal to group, then if the GarbageCollPeriod log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to garbage_coll_period and the GarbageCollPeriod log field is mapped to the entity.group.attribute.labels.value UDM field. |
| GroupAttributes | entity.group.attribute.labels[group_attributes] | If the ObjectClass log field value is equal to group, then if the GroupAttributes log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to group_attributes and the GroupAttributes log field is mapped to the entity.group.attribute.labels.value UDM field. |
| GroupMembershipSAM | entity.group.attribute.labels[group_membership_sam] | If the ObjectClass log field value is equal to group, then if the GroupMembershipSAM log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to group_membership_sam and the GroupMembershipSAM log field is mapped to the entity.group.attribute.labels.value UDM field. |
| GroupType | entity.group.attribute.labels[group_type] | If the ObjectClass log field value is equal to group, then if the GroupType log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to group_type and the GroupType log field is mapped to the entity.group.attribute.labels.value UDM field. |
| InstanceType | entity.group.attribute.labels[instance_type] | If the ObjectClass log field value is equal to group, then if the InstanceType log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to instance_type and the InstanceType log field is mapped to the entity.group.attribute.labels.value UDM field. |
| IsCriticalSystemObject | entity.group.attribute.labels[is_critical_system_object] | If the ObjectClass log field value is equal to group, then if the IsCriticalSystemObject log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to is_critical_system_object and the IsCriticalSystemObject log field is mapped to the entity.group.attribute.labels.value UDM field. |
| IsDeleted | entity.group.attribute.labels[is_deleted] | If the ObjectClass log field value is equal to group, then if the IsDeleted log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to is_deleted and the IsDeleted log field is mapped to the entity.group.attribute.labels.value UDM field. |
| IsMemberOfDL | entity.group.attribute.labels[is_member_of_dl] | If the ObjectClass log field value is equal to group, then if the IsMemberOfDL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to is_member_of_dl and the IsMemberOfDL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| IsPrivilegeHolder | entity.group.attribute.labels[is_privilege_holder] | If the ObjectClass log field value is equal to group, then if the IsPrivilegeHolder log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to is_privilege_holder and the IsPrivilegeHolder log field is mapped to the entity.group.attribute.labels.value UDM field. |
| LastKnownParent | entity.group.attribute.labels[last_known_parent] | If the ObjectClass log field value is equal to group, then if the LastKnownParent log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to last_known_parent and the LastKnownParent log field is mapped to the entity.group.attribute.labels.value UDM field. |
| LegacyExchangeDN | entity.group.attribute.labels[legacy_exchange_dn] | If the ObjectClass log field value is equal to group, then if the LegacyExchangeDN log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to legacy_exchange_dn and the LegacyExchangeDN log field is mapped to the entity.group.attribute.labels.value UDM field. |
| ManagedObjects | entity.group.attribute.labels[managed_objects] | If the ObjectClass log field value is equal to group, then if the ManagedObjects log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to managed_objects and the ManagedObjects log field is mapped to the entity.group.attribute.labels.value UDM field. |
| MasteredBy | entity.group.attribute.labels[mastered_by] | If the ObjectClass log field value is equal to group, then if the MasteredBy log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to mastered_by and the MasteredBy log field is mapped to the entity.group.attribute.labels.value UDM field. |
| ModifyTimeStamp | entity.group.attribute.labels[modify_time_stamp] | If the ObjectClass log field value is equal to group, then if the ModifyTimeStamp log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to modify_time_stamp and the ModifyTimeStamp log field is mapped to the entity.group.attribute.labels.value UDM field. |
| MSDSConsistencyChildCount | entity.group.attribute.labels[ms_ds_consistency_child_count] | If the ObjectClass log field value is equal to group, then if the MSDSConsistencyChildCount log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_consistency_child_count and the MSDSConsistencyChildCount log field is mapped to the entity.group.attribute.labels.value UDM field. |
| MSDSConsistencyGuid | entity.group.attribute.labels[ms_ds_consistency_guid] | If the ObjectClass log field value is equal to group, then if the MSDSConsistencyGuid log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_consistency_guid and the MSDSConsistencyGuid log field is mapped to the entity.group.attribute.labels.value UDM field. |
| netbootSCPBL | entity.group.attribute.labels[netboot_scp_bl] | If the ObjectClass log field value is equal to group, then if the netbootSCPBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to netboot_scp_bl and the netbootSCPBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| NonSecurityMember | entity.group.attribute.labels[non_security_member] | If the ObjectClass log field value is equal to group, then if the NonSecurityMember log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to non_security_member and the NonSecurityMember log field is mapped to the entity.group.attribute.labels.value UDM field. |
| NonSecurityMemberBL | entity.group.attribute.labels[non_security_member_bl] | If the ObjectClass log field value is equal to group, then if the NonSecurityMemberBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to non_security_member_bl and the NonSecurityMemberBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
NTGroupMembers |
entity.group.attribute.labels[nt_group_members] |
If the ObjectClass log field value is equal to group , then if the NTGroupMembers log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to nt_group_members and the NTGroupMembers log field is mapped to the entity.group.attribute.labels.value UDM field. |
NTSecurityDescriptor |
entity.group.attribute.labels[nt_security_descriptor] |
If the ObjectClass log field value is equal to group , then if the NTSecurityDescriptor log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to nt_security_descriptor and the NTSecurityDescriptor log field is mapped to the entity.group.attribute.labels.value UDM field. |
ObjDistName |
entity.group.attribute.labels[obj_dist_name] |
If the ObjectClass log field value is equal to group , then if the ObjDistName log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to obj_dist_name and the ObjDistName log field is mapped to the entity.group.attribute.labels.value UDM field. |
ObjectCategory |
entity.group.attribute.labels[object_category] |
If the ObjectClass log field value is equal to group , then if the ObjectCategory log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to object_category and the ObjectCategory log field is mapped to the entity.group.attribute.labels.value UDM field. |
ObjectVersion |
entity.group.attribute.labels[object_version] |
If the ObjectClass log field value is equal to group , then if the ObjectVersion log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to object_version and the ObjectVersion log field is mapped to the entity.group.attribute.labels.value UDM field. |
OperatorCount |
entity.group.attribute.labels[operator_count] |
If the ObjectClass log field value is equal to group , then if the OperatorCount log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to operator_count and the OperatorCount log field is mapped to the entity.group.attribute.labels.value UDM field. |
OtherWellKnownObjects |
entity.group.attribute.labels[other_well_known_objects] |
If the ObjectClass log field value is equal to group , then if the OtherWellKnownObjects log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to other_well_known_objects and the OtherWellKnownObjects log field is mapped to the entity.group.attribute.labels.value UDM field. |
PartialAttributeDeletionList |
entity.group.attribute.labels[partial_attribute_deletion_list] |
If the ObjectClass log field value is equal to group , then if the PartialAttributeDeletionList log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to partial_attribute_deletion_list and the PartialAttributeDeletionList log field is mapped to the entity.group.attribute.labels.value UDM field. |
PartialAttributeSet |
entity.group.attribute.labels[partial_attribute_set] |
If the ObjectClass log field value is equal to group , then if the PartialAttributeSet log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to partial_attribute_set and the PartialAttributeSet log field is mapped to the entity.group.attribute.labels.value UDM field. |
PossibleInferiors |
entity.group.attribute.labels[possible_inferiors] |
If the ObjectClass log field value is equal to group , then if the PossibleInferiors log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to possible_inferiors and the PossibleInferiors log field is mapped to the entity.group.attribute.labels.value UDM field. |
PrimaryGroupToken |
entity.group.attribute.labels[primary_group_token] |
If the ObjectClass log field value is equal to group , then if the PrimaryGroupToken log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to primary_group_token and the PrimaryGroupToken log field is mapped to the entity.group.attribute.labels.value UDM field. |
ProxiedObjectName |
entity.group.attribute.labels[proxied_object_name] |
If the ObjectClass log field value is equal to group , then if the ProxiedObjectName log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to proxied_object_name and the ProxiedObjectName log field is mapped to the entity.group.attribute.labels.value UDM field. |
ProxyAddresses |
entity.group.attribute.labels[proxy_addresses] |
If the ObjectClass log field value is equal to group , then if the ProxyAddresses log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to proxy_addresses and the ProxyAddresses log field is mapped to the entity.group.attribute.labels.value UDM field. |
QueryPolicyBL |
entity.group.attribute.labels[query_policy_bl] |
If the ObjectClass log field value is equal to group , then if the QueryPolicyBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to query_policy_bl and the QueryPolicyBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
RDN |
entity.group.attribute.labels[rdn] |
If the ObjectClass log field value is equal to group , then if the RDN log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to rdn and the RDN log field is mapped to the entity.group.attribute.labels.value UDM field. |
ReplPropertyMetaData |
entity.group.attribute.labels[repl_property_meta_data] |
If the ObjectClass log field value is equal to group , then if the ReplPropertyMetaData log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to repl_property_meta_data and the ReplPropertyMetaData log field is mapped to the entity.group.attribute.labels.value UDM field. |
ReplUpToDateVector |
entity.group.attribute.labels[repl_up_to_date_vector] |
If the ObjectClass log field value is equal to group , then if the ReplUpToDateVector log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to repl_up_to_date_vector and the ReplUpToDateVector log field is mapped to the entity.group.attribute.labels.value UDM field. |
Reports |
entity.group.attribute.labels[reports] |
If the ObjectClass log field value is equal to group , then if the Reports log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to reports and the Reports log field is mapped to the entity.group.attribute.labels.value UDM field. |
RepsFrom |
entity.group.attribute.labels[reps_from] |
If the ObjectClass log field value is equal to group , then if the RepsFrom log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to reps_from and the RepsFrom log field is mapped to the entity.group.attribute.labels.value UDM field. |
RepsTo |
entity.group.attribute.labels[reps_to] |
If the ObjectClass log field value is equal to group , then if the RepsTo log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to reps_to and the RepsTo log field is mapped to the entity.group.attribute.labels.value UDM field. |
Revision |
entity.group.attribute.labels[revision] |
If the ObjectClass log field value is equal to group , then if the Revision log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to revision and the Revision log field is mapped to the entity.group.attribute.labels.value UDM field. |
Rid |
entity.group.attribute.labels[rid] |
If the ObjectClass log field value is equal to group , then if the Rid log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to rid and the Rid log field is mapped to the entity.group.attribute.labels.value UDM field. |
SAMAccountName |
entity.group.attribute.labels[sam_account_name] |
If the ObjectClass log field value is equal to group , then if the SAMAccountName log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to sam_account_name and the SAMAccountName log field is mapped to the entity.group.attribute.labels.value UDM field. |
SAMAccountType |
entity.group.attribute.labels[sam_account_type] |
If the ObjectClass log field value is equal to group , then if the SAMAccountType log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to sam_account_type and the SAMAccountType log field is mapped to the entity.group.attribute.labels.value UDM field. |
SDRightsEffective |
entity.group.attribute.labels[sd_rights_effective] |
If the ObjectClass log field value is equal to group , then if the SDRightsEffective log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to sd_rights_effective and the SDRightsEffective log field is mapped to the entity.group.attribute.labels.value UDM field. |
SecurityIdentifier |
entity.group.attribute.labels[security_identifier] |
If the ObjectClass log field value is equal to group , then if the SecurityIdentifier log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to security_identifier and the SecurityIdentifier log field is mapped to the entity.group.attribute.labels.value UDM field. |
ServerReferenceBL |
entity.group.attribute.labels[server_reference_bl] |
If the ObjectClass log field value is equal to group , then if the ServerReferenceBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to server_reference_bl and the ServerReferenceBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
ShowInAddressBook |
entity.group.attribute.labels[show_in_address_book] |
If the ObjectClass log field value is equal to group , then if the ShowInAddressBook log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to show_in_address_book and the ShowInAddressBook log field is mapped to the entity.group.attribute.labels.value UDM field. |
ShowInAdvancedViewOnly |
entity.group.attribute.labels[show_in_advanced_view_only] |
If the ObjectClass log field value is equal to group , then if the ShowInAdvancedViewOnly log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to show_in_advanced_view_only and the ShowInAdvancedViewOnly log field is mapped to the entity.group.attribute.labels.value UDM field. |
SIDHistory |
entity.group.attribute.labels[sid_history] |
If the ObjectClass log field value is equal to group , then if the SIDHistory log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to sid_history and the SIDHistory log field is mapped to the entity.group.attribute.labels.value UDM field. |
SiteObjectBL |
entity.group.attribute.labels[site_object_bl] |
If the ObjectClass log field value is equal to group , then if the SiteObjectBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to site_object_bl and the SiteObjectBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
SubRefs |
entity.group.attribute.labels[sub_refs] |
If the ObjectClass log field value is equal to group , then if the SubRefs log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to sub_refs and the SubRefs log field is mapped to the entity.group.attribute.labels.value UDM field. |
SubSchemaSubEntry |
entity.group.attribute.labels[sub_schema_sub_entry] |
If the ObjectClass log field value is equal to group , then if the SubSchemaSubEntry log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to sub_schema_sub_entry and the SubSchemaSubEntry log field is mapped to the entity.group.attribute.labels.value UDM field. |
SupplementalCredentials |
entity.group.attribute.labels[supplemental_credentials] |
If the ObjectClass log field value is equal to group , then if the SupplementalCredentials log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to supplemental_credentials and the SupplementalCredentials log field is mapped to the entity.group.attribute.labels.value UDM field. |
SystemFlags |
entity.group.attribute.labels[system_flags] |
If the ObjectClass log field value is equal to group , then if the SystemFlags log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to system_flags and the SystemFlags log field is mapped to the entity.group.attribute.labels.value UDM field. |
TelephoneNumber |
entity.group.attribute.labels[telephone_number] |
If the ObjectClass log field value is equal to group , then if the TelephoneNumber log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to telephone_number and the TelephoneNumber log field is mapped to the entity.group.attribute.labels.value UDM field. |
TextEncodedORAddress |
entity.group.attribute.labels[text_encoded_or_address] |
If the ObjectClass log field value is equal to group , then if the TextEncodedORAddress log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to text_encoded_or_address and the TextEncodedORAddress log field is mapped to the entity.group.attribute.labels.value UDM field. |
TokenGroups |
entity.group.attribute.labels[token_groups] |
If the ObjectClass log field value is equal to group , then if the TokenGroups log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to token_groups and the TokenGroups log field is mapped to the entity.group.attribute.labels.value UDM field. |
TokenGroupsGlobalAndUniversal |
entity.group.attribute.labels[token_groups_global_and_universal] |
If the ObjectClass log field value is equal to group , then if the TokenGroupsGlobalAndUniversal log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to token_groups_global_and_universal and the TokenGroupsGlobalAndUniversal log field is mapped to the entity.group.attribute.labels.value UDM field. |
TokenGroupsNoGCAcceptable |
entity.group.attribute.labels[token_groups_no_gc_acceptable] |
If the ObjectClass log field value is equal to group , then if the TokenGroupsNoGCAcceptable log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to token_groups_no_gc_acceptable and the TokenGroupsNoGCAcceptable log field is mapped to the entity.group.attribute.labels.value UDM field. |
UserCert |
entity.group.attribute.labels[user_cert] |
If the ObjectClass log field value is equal to group , then if the UserCert log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to user_cert and the UserCert log field is mapped to the entity.group.attribute.labels.value UDM field. |
UserSMIMECertificate |
entity.group.attribute.labels[user_smime_certificate] |
If the ObjectClass log field value is equal to group , then if the UserSMIMECertificate log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to user_smime_certificate and the UserSMIMECertificate log field is mapped to the entity.group.attribute.labels.value UDM field. |
USNChanged |
entity.group.attribute.labels[usn_changed] |
If the ObjectClass log field value is equal to group , then if the USNChanged log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to usn_changed and the USNChanged log field is mapped to the entity.group.attribute.labels.value UDM field. |
USNCreated |
entity.group.attribute.labels[usn_created] |
If the ObjectClass log field value is equal to group , then if the USNCreated log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to usn_created and the USNCreated log field is mapped to the entity.group.attribute.labels.value UDM field. |
USNDSALastObjRemoved |
entity.group.attribute.labels[usn_dsa_last_obj_removed] |
If the ObjectClass log field value is equal to group , then if the USNDSALastObjRemoved log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to usn_dsa_last_obj_removed and the USNDSALastObjRemoved log field is mapped to the entity.group.attribute.labels.value UDM field. |
USNIntersite |
entity.group.attribute.labels[usn_intersite] |
If the ObjectClass log field value is equal to group , then if the USNIntersite log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to usn_intersite and the USNIntersite log field is mapped to the entity.group.attribute.labels.value UDM field. |
USNLastObjRem |
entity.group.attribute.labels[usn_last_obj_rem] |
If the ObjectClass log field value is equal to group , then if the USNLastObjRem log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to usn_last_obj_rem and the USNLastObjRem log field is mapped to the entity.group.attribute.labels.value UDM field. |
USNSource |
entity.group.attribute.labels[usn_source] |
If the ObjectClass log field value is equal to group , then if the USNSource log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to usn_source and the USNSource log field is mapped to the entity.group.attribute.labels.value UDM field. |
WbemPath |
entity.group.attribute.labels[wbem_path] |
If the ObjectClass log field value is equal to group , then if the WbemPath log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to wbem_path and the WbemPath log field is mapped to the entity.group.attribute.labels.value UDM field. |
WellKnownObjects |
entity.group.attribute.labels[well_known_objects] |
If the ObjectClass log field value is equal to group , then if the WellKnownObjects log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to well_known_objects and the WellKnownObjects log field is mapped to the entity.group.attribute.labels.value UDM field. |
WhenChanged |
entity.group.attribute.labels[when_changed] |
If the ObjectClass log field value is equal to group , then if the WhenChanged log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to when_changed and the WhenChanged log field is mapped to the entity.group.attribute.labels.value UDM field. |
WhenCreated |
entity.group.attribute.labels[when_created] |
If the ObjectClass log field value is equal to group , then if the WhenCreated log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to when_created and the WhenCreated log field is mapped to the entity.group.attribute.labels.value UDM field. |
WWWPageOther |
entity.group.attribute.labels[www_page_other] |
If the ObjectClass log field value is equal to group , then if the WWWPageOther log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to www_page_other and the WWWPageOther log field is mapped to the entity.group.attribute.labels.value UDM field. |
X509Cert |
entity.group.attribute.labels[x509_cert] |
If the ObjectClass log field value is equal to group , then if the X509Cert log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to x509_cert and the X509Cert log field is mapped to the entity.group.attribute.labels.value UDM field. |
labeledURI |
entity.group.attribute.labels[labeled_uri] |
If the ObjectClass log field value is equal to group , then if the labeledURI log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to labeled_uri and the labeledURI log field is mapped to the entity.group.attribute.labels.value UDM field. |
msCOMPartitionSetLink |
entity.group.attribute.labels[ms_com_partition_set_link] |
If the ObjectClass log field value is equal to group , then if the msCOMPartitionSetLink log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_com_partition_set_link and the msCOMPartitionSetLink log field is mapped to the entity.group.attribute.labels.value UDM field. |
msCOMUserLink |
entity.group.attribute.labels[ms_com_user_link] |
If the ObjectClass log field value is equal to group , then if the msCOMUserLink log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_com_user_link and the msCOMUserLink log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSApproxImmedSubordinates |
entity.group.attribute.labels[ms_ds_approx_immed_subordinates] |
If the ObjectClass log field value is equal to group , then if the msDSApproxImmedSubordinates log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_approx_immed_subordinates and the msDSApproxImmedSubordinates log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSAzLDAPQuery |
entity.group.attribute.labels[ms_ds_az_ldap_query] |
If the ObjectClass log field value is equal to group , then if the msDSAzLDAPQuery log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_az_ldap_query and the msDSAzLDAPQuery log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSKeyVersionNumber |
entity.group.attribute.labels[ms_ds_key_version_number] |
If the ObjectClass log field value is equal to group , then if the msDSKeyVersionNumber log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_key_version_number and the msDSKeyVersionNumber log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSMasteredBy |
entity.group.attribute.labels[ms_ds_mastered_by] |
If the ObjectClass log field value is equal to group , then if the msDSMasteredBy log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_mastered_by and the msDSMasteredBy log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSMembersForAzRoleBL |
entity.group.attribute.labels[ms_ds_members_for_az_role_bl] |
If the ObjectClass log field value is equal to group , then if the msDSMembersForAzRoleBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_members_for_az_role_bl and the msDSMembersForAzRoleBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSNCReplCursors |
entity.group.attribute.labels[ms_ds_nc_repl_cursors] |
If the ObjectClass log field value is equal to group , then if the msDSNCReplCursors log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_nc_repl_cursors and the msDSNCReplCursors log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSNCReplInboundNeighbors |
entity.group.attribute.labels[ms_ds_nc_repl_inbound_neighbors] |
If the ObjectClass log field value is equal to group , then if the msDSNCReplInboundNeighbors log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_nc_repl_inbound_neighbors and the msDSNCReplInboundNeighbors log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSNCReplOutboundNeighbors |
entity.group.attribute.labels[ms_ds_nc_repl_outbound_neighbors] |
If the ObjectClass log field value is equal to group , then if the msDSNCReplOutboundNeighbors log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_nc_repl_outbound_neighbors and the msDSNCReplOutboundNeighbors log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSNonMembers |
entity.group.attribute.labels[ms_ds_non_members] |
If the ObjectClass log field value is equal to group , then if the msDSNonMembers log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_non_members and the msDSNonMembers log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSNonMembersBL |
entity.group.attribute.labels[ms_ds_non_members_bl] |
If the ObjectClass log field value is equal to group , then if the msDSNonMembersBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_non_members_bl and the msDSNonMembersBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSObjectReferenceBL |
entity.group.attribute.labels[ms_ds_object_reference_bl] |
If the ObjectClass log field value is equal to group , then if the msDSObjectReferenceBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_object_reference_bl and the msDSObjectReferenceBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSOperationsForAzRoleBL |
entity.group.attribute.labels[ms_ds_operations_for_az_role_bl] |
If the ObjectClass log field value is equal to group , then if the msDSOperationsForAzRoleBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_operations_for_az_role_bl and the msDSOperationsForAzRoleBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSOperationsForAzTaskBL |
entity.group.attribute.labels[ms_ds_operations_for_az_task_bl] |
If the ObjectClass log field value is equal to group , then if the msDSOperationsForAzTaskBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_operations_for_az_task_bl and the msDSOperationsForAzTaskBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSReplAttributeMetaData |
entity.group.attribute.labels[ms_ds_repl_attribute_meta_data] |
If the ObjectClass log field value is equal to group , then if the msDSReplAttributeMetaData log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_repl_attribute_meta_data and the msDSReplAttributeMetaData log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSReplValueMetaData |
entity.group.attribute.labels[ms_ds_repl_value_meta_data] |
If the ObjectClass log field value is equal to group , then if the msDSReplValueMetaData log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_repl_value_meta_data and the msDSReplValueMetaData log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSTasksForAzRoleBL |
entity.group.attribute.labels[ms_ds_tasks_for_az_role_bl] |
If the ObjectClass log field value is equal to group , then if the msDSTasksForAzRoleBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_tasks_for_az_role_bl and the msDSTasksForAzRoleBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
msDSTasksForAzTaskBL |
entity.group.attribute.labels[ms_ds_tasks_for_az_task_bl] |
If the ObjectClass log field value is equal to group , then if the msDSTasksForAzTaskBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_tasks_for_az_task_bl and the msDSTasksForAzTaskBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
msExchAssistantName |
entity.group.attribute.labels[ms_exch_assistant_name] |
If the ObjectClass log field value is equal to group , then if the msExchAssistantName log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_exch_assistant_name and the msExchAssistantName log field is mapped to the entity.group.attribute.labels.value UDM field. |
msExchLabeledURI |
entity.group.attribute.labels[ms_exch_labeled_uri] |
If the ObjectClass log field value is equal to group , then if the msExchLabeledURI log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_exch_labeled_uri and the msExchLabeledURI log field is mapped to the entity.group.attribute.labels.value UDM field. |

| Log field | UDM field | Logic |
|---|---|---|
| msExchOwnerBL | entity.group.attribute.labels[ms_exch_owner_bl] | If the ObjectClass log field value is equal to group, then if the msExchOwnerBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_exch_owner_bl and the msExchOwnerBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| secretary | entity.group.attribute.labels[secretary] | If the ObjectClass log field value is equal to group, then if the secretary log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to secretary and the secretary log field is mapped to the entity.group.attribute.labels.value UDM field. |
| StructuralObjectClass | entity.group.attribute.labels[structural_object_class] | If the ObjectClass log field value is equal to group, then if the StructuralObjectClass log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to structural_object_class and the StructuralObjectClass log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSDisableForInstancesBL | entity.group.attribute.labels[ms_ds_disable_for_instances_bl] | If the ObjectClass log field value is equal to group, then if the msDSDisableForInstancesBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_disable_for_instances_bl and the msDSDisableForInstancesBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSServiceAccountBL | entity.group.attribute.labels[ms_ds_service_account_bl] | If the ObjectClass log field value is equal to group, then if the msDSServiceAccountBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_service_account_bl and the msDSServiceAccountBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| gidNumber | entity.group.attribute.labels[gid_number] | If the ObjectClass log field value is equal to group, then if the gidNumber log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to gid_number and the gidNumber log field is mapped to the entity.group.attribute.labels.value UDM field. |
| memberUid | entity.group.attribute.labels[member_uid] | If the ObjectClass log field value is equal to group, then if the memberUid log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to member_uid and the memberUid log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDFSRComputerReferenceBL | entity.group.attribute.labels[ms_dfsr_computer_reference_bl] | If the ObjectClass log field value is equal to group, then if the msDFSRComputerReferenceBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_dfsr_computer_reference_bl and the msDFSRComputerReferenceBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDFSRMemberReferenceBL | entity.group.attribute.labels[ms_dfsr_member_reference_bl] | If the ObjectClass log field value is equal to group, then if the msDFSRMemberReferenceBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_dfsr_member_reference_bl and the msDFSRMemberReferenceBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msSFU30Name | entity.group.attribute.labels[ms_sfu30_name] | If the ObjectClass log field value is equal to group, then if the msSFU30Name log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_sfu30_name and the msSFU30Name log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msSFU30NisDomain | entity.group.attribute.labels[ms_sfu30_nis_domain] | If the ObjectClass log field value is equal to group, then if the msSFU30NisDomain log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_sfu30_nis_domain and the msSFU30NisDomain log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msSFU30PosixMember | entity.group.attribute.labels[ms_sfu30_posix_member] | If the ObjectClass log field value is equal to group, then if the msSFU30PosixMember log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_sfu30_posix_member and the msSFU30PosixMember log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msSFU30PosixMemberOf | entity.group.attribute.labels[ms_sfu30_posix_member_of] | If the ObjectClass log field value is equal to group, then if the msSFU30PosixMemberOf log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_sfu30_posix_member_of and the msSFU30PosixMemberOf log field is mapped to the entity.group.attribute.labels.value UDM field. |
| unixUserPassword | entity.group.attribute.labels[unix_user_password] | If the ObjectClass log field value is equal to group, then if the unixUserPassword log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to unix_user_password and the unixUserPassword log field is mapped to the entity.group.attribute.labels.value UDM field. |
| UserPassword | entity.group.attribute.labels[user_password] | If the ObjectClass log field value is equal to group, then if the UserPassword log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to user_password and the UserPassword log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSAuthenticatedToAccountlist | entity.group.attribute.labels[ms_ds_authenticated_to_accountlist] | If the ObjectClass log field value is equal to group, then if the msDSAuthenticatedToAccountlist log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_authenticated_to_accountlist and the msDSAuthenticatedToAccountlist log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSAzApplicationData | entity.group.attribute.labels[ms_ds_az_application_data] | If the ObjectClass log field value is equal to group, then if the msDSAzApplicationData log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_az_application_data and the msDSAzApplicationData log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSAzBizRule | entity.group.attribute.labels[ms_ds_az_biz_rule] | If the ObjectClass log field value is equal to group, then if the msDSAzBizRule log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_az_biz_rule and the msDSAzBizRule log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSAzBizRuleLanguage | entity.group.attribute.labels[ms_ds_az_biz_rule_language] | If the ObjectClass log field value is equal to group, then if the msDSAzBizRuleLanguage log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_az_biz_rule_language and the msDSAzBizRuleLanguage log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSAzGenericData | entity.group.attribute.labels[ms_ds_az_generic_data] | If the ObjectClass log field value is equal to group, then if the msDSAzGenericData log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_az_generic_data and the msDSAzGenericData log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSAzLastImportedBizRulePath | entity.group.attribute.labels[ms_ds_az_last_imported_biz_rule_path] | If the ObjectClass log field value is equal to group, then if the msDSAzLastImportedBizRulePath log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_az_last_imported_biz_rule_path and the msDSAzLastImportedBizRulePath log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSAzObjectGuid | entity.group.attribute.labels[ms_ds_az_object_guid] | If the ObjectClass log field value is equal to group, then if the msDSAzObjectGuid log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_az_object_guid and the msDSAzObjectGuid log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSIsDomainFor | entity.group.attribute.labels[ms_ds_is_domain_for] | If the ObjectClass log field value is equal to group, then if the msDSIsDomainFor log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_is_domain_for and the msDSIsDomainFor log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSIsFullReplicaFor | entity.group.attribute.labels[ms_ds_is_full_replica_for] | If the ObjectClass log field value is equal to group, then if the msDSIsFullReplicaFor log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_is_full_replica_for and the msDSIsFullReplicaFor log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSIsPartialReplicaFor | entity.group.attribute.labels[ms_ds_is_partial_replica_for] | If the ObjectClass log field value is equal to group, then if the msDSIsPartialReplicaFor log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_is_partial_replica_for and the msDSIsPartialReplicaFor log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSKrbTgtLinkBL | entity.group.attribute.labels[ms_ds_krb_tgt_link_bl] | If the ObjectClass log field value is equal to group, then if the msDSKrbTgtLinkBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_krb_tgt_link_bl and the msDSKrbTgtLinkBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSNCROReplicaLocationsBL | entity.group.attribute.labels[ms_ds_ncro_replica_locations_bl] | If the ObjectClass log field value is equal to group, then if the msDSNCROReplicaLocationsBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_ncro_replica_locations_bl and the msDSNCROReplicaLocationsBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSNCType | entity.group.attribute.labels[ms_ds_nc_type] | If the ObjectClass log field value is equal to group, then if the msDSNCType log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_nc_type and the msDSNCType log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSPhoneticDisplayName | entity.group.attribute.labels[ms_ds_phonetic_display_name] | If the ObjectClass log field value is equal to group, then if the msDSPhoneticDisplayName log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_phonetic_display_name and the msDSPhoneticDisplayName log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSPrincipalName | entity.group.attribute.labels[ms_ds_principal_name] | If the ObjectClass log field value is equal to group, then if the msDSPrincipalName log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_principal_name and the msDSPrincipalName log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSPSOApplied | entity.group.attribute.labels[ms_ds_pso_applied] | If the ObjectClass log field value is equal to group, then if the msDSPSOApplied log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_pso_applied and the msDSPSOApplied log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSRevealedDSAs | entity.group.attribute.labels[ms_ds_revealed_dsas] | If the ObjectClass log field value is equal to group, then if the msDSRevealedDSAs log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_revealed_dsas and the msDSRevealedDSAs log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSRevealedListBL | entity.group.attribute.labels[ms_ds_revealed_list_bl] | If the ObjectClass log field value is equal to group, then if the msDSRevealedListBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_revealed_list_bl and the msDSRevealedListBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| IsRecycled | entity.group.attribute.labels[is_recycled] | If the ObjectClass log field value is equal to group, then if the IsRecycled log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to is_recycled and the IsRecycled log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSEnabledFeatureBL | entity.group.attribute.labels[ms_ds_enabled_feature_bl] | If the ObjectClass log field value is equal to group, then if the msDSEnabledFeatureBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_enabled_feature_bl and the msDSEnabledFeatureBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSHostServiceAccountBL | entity.group.attribute.labels[ms_ds_host_service_account_bl] | If the ObjectClass log field value is equal to group, then if the msDSHostServiceAccountBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_host_service_account_bl and the msDSHostServiceAccountBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSLastKnownRDN | entity.group.attribute.labels[ms_ds_last_known_rdn] | If the ObjectClass log field value is equal to group, then if the msDSLastKnownRDN log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_last_known_rdn and the msDSLastKnownRDN log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSlocalEffectiveDeletionTime | entity.group.attribute.labels[ms_ds_local_effective_deletion_time] | If the ObjectClass log field value is equal to group, then if the msDSlocalEffectiveDeletionTime log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_local_effective_deletion_time and the msDSlocalEffectiveDeletionTime log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSlocalEffectiveRecycleTime | entity.group.attribute.labels[ms_ds_local_effective_recycle_time] | If the ObjectClass log field value is equal to group, then if the msDSlocalEffectiveRecycleTime log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_local_effective_recycle_time and the msDSlocalEffectiveRecycleTime log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSOIDToGroupLinkBL | entity.group.attribute.labels[ms_ds_oid_to_group_link_bl] | If the ObjectClass log field value is equal to group, then if the msDSOIDToGroupLinkBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_oid_to_group_link_bl and the msDSOIDToGroupLinkBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSClaimSharesPossibleValuesWithBL | entity.group.attribute.labels[ms_ds_claim_shares_possible_values_with_bl] | If the ObjectClass log field value is equal to group, then if the msDSClaimSharesPossibleValuesWithBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_claim_shares_possible_values_with_bl and the msDSClaimSharesPossibleValuesWithBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSGeoCoordinatesAltitude | entity.group.attribute.labels[ms_ds_geo_coordinates_altitude] | If the ObjectClass log field value is equal to group, then if the msDSGeoCoordinatesAltitude log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_geo_coordinates_altitude and the msDSGeoCoordinatesAltitude log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSGeoCoordinatesLatitude | entity.group.attribute.labels[ms_ds_geo_coordinates_latitude] | If the ObjectClass log field value is equal to group, then if the msDSGeoCoordinatesLatitude log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_geo_coordinates_latitude and the msDSGeoCoordinatesLatitude log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSGeoCoordinatesLongitude | entity.group.attribute.labels[ms_ds_geo_coordinates_longitude] | If the ObjectClass log field value is equal to group, then if the msDSGeoCoordinatesLongitude log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_geo_coordinates_longitude and the msDSGeoCoordinatesLongitude log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSIsPrimaryComputerFor | entity.group.attribute.labels[ms_ds_is_primary_computer_for] | If the ObjectClass log field value is equal to group, then if the msDSIsPrimaryComputerFor log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_is_primary_computer_for and the msDSIsPrimaryComputerFor log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSMembersOfResourcePropertyListBL | entity.group.attribute.labels[ms_ds_members_of_resource_property_list_bl] | If the ObjectClass log field value is equal to group, then if the msDSMembersOfResourcePropertyListBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_members_of_resource_property_list_bl and the msDSMembersOfResourcePropertyListBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSPrimaryComputer | entity.group.attribute.labels[ms_ds_primary_computer] | If the ObjectClass log field value is equal to group, then if the msDSPrimaryComputer log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_primary_computer and the msDSPrimaryComputer log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSTDOEgressBL | entity.group.attribute.labels[ms_ds_tdo_egress_bl] | If the ObjectClass log field value is equal to group, then if the msDSTDOEgressBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_tdo_egress_bl and the msDSTDOEgressBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSTDOIngressBL | entity.group.attribute.labels[ms_ds_tdo_ingress_bl] | If the ObjectClass log field value is equal to group, then if the msDSTDOIngressBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_tdo_ingress_bl and the msDSTDOIngressBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| msDSValueTypeReferenceBL | entity.group.attribute.labels[ms_ds_value_type_reference_bl] | If the ObjectClass log field value is equal to group, then if the msDSValueTypeReferenceBL log field value is not empty, then the entity.group.attribute.labels.key UDM field is set to ms_ds_value_type_reference_bl and the msDSValueTypeReferenceBL log field is mapped to the entity.group.attribute.labels.value UDM field. |
| AdminDisplayName | entity.user.user_display_name | If the ObjectClass log field value is equal to group, then if the ObjectClass log field value is equal to user or is empty, then if the AdminDisplayName log field value is not empty, then the AdminDisplayName log field is mapped to the entity.user.user_display_name UDM field. |
| CanonicalName | entity.administrative_domain | If the ObjectClass log field value is equal to group, then if the CanonicalName log field value is not empty, then the CanonicalName log field is mapped to the entity.administrative_domain UDM field. |
| CreateTimeStamp | entity.group.creation_time | If the ObjectClass log field value is equal to group, then if the CreateTimeStamp log field value is not empty, then the CreateTimeStamp log field is mapped to the entity.group.creation_time UDM field. |
| Description | metadata.description | If the ObjectClass log field value is equal to group, then if the Description log field value is not empty, then the Description log field is mapped to the metadata.description UDM field. |
| DesktopProfile | entity.location.name | If the ObjectClass log field value is equal to group, then if the DesktopProfile log field value is not empty, then the DesktopProfile log field is mapped to the entity.location.name UDM field. |
| DisplayName | entity.group.group_display_name | If the ObjectClass log field value is equal to group, then if the DisplayName log field value is not empty, then the DisplayName log field is mapped to the entity.group.group_display_name UDM field. |
| EmailAddresses | entity.group.email_addresses | If the ObjectClass log field value is equal to group, then if the EmailAddresses log field value is not empty, then the EmailAddresses log field is mapped to the entity.group.email_addresses UDM field. |
| ManagedBy | entity.relations.entity.user.user_display_name | If the ObjectClass log field value is equal to group, then if the ManagedBy log field value is not empty, then the ManagedBy log field is mapped to the entity.relations.entity.user.user_display_name UDM field. |
| Member | entity.relations.entity.group.group_display_name | If the ObjectClass log field value is equal to group, then if the Member log field value is not empty, then the Member log field is mapped to the entity.relations.entity.group.group_display_name UDM field. |
| ObjectGuid | entity.group.product_object_id | If the ObjectClass log field value is equal to group, then if the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.group.product_object_id UDM field. |
| ObjectSid | entity.group.windows_sid | If the ObjectClass log field value is equal to group, then if the ObjectSid log field value is not empty, then the ObjectSid log field is mapped to the entity.group.windows_sid UDM field. |
| WWWHomePage | entity.url | If the ObjectClass log field value is equal to group, then if the WWWHomePage log field value is not empty, then the WWWHomePage log field is mapped to the entity.url UDM field. |
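The group-object rules above, applied to one exported record. This is an added example and not the WINDOWS_AD parser's own code: the label keys and UDM field names are copied from the table (the label list is a subset of its rows), while the function names and the sample record are constructed here, in the shape of the per-object JSON lines the collection script writes.

```python
import json

# Log field -> label key for group objects, taken from the
# entity.group.attribute.labels[...] rows of the table (subset of the rows).
GROUP_LABEL_KEYS = {
    "msExchOwnerBL": "ms_exch_owner_bl",
    "StructuralObjectClass": "structural_object_class",
    "gidNumber": "gid_number",
    "memberUid": "member_uid",
    "msSFU30NisDomain": "ms_sfu30_nis_domain",
    "msDSPSOApplied": "ms_ds_pso_applied",
}

# Log field -> UDM field for the direct group mappings at the end of the table.
GROUP_DIRECT_FIELDS = {
    "CanonicalName": "entity.administrative_domain",
    "CreateTimeStamp": "entity.group.creation_time",
    "Description": "metadata.description",
    "DisplayName": "entity.group.group_display_name",
    "EmailAddresses": "entity.group.email_addresses",
    "ManagedBy": "entity.relations.entity.user.user_display_name",
    "Member": "entity.relations.entity.group.group_display_name",
    "ObjectGuid": "entity.group.product_object_id",
    "ObjectSid": "entity.group.windows_sid",
    "WWWHomePage": "entity.url",
}

def is_empty(value):
    """The table's 'not empty' test. ConvertTo-JSON writes unset attributes as
    null and multi-valued ones as arrays, so null, "" and [] are all empty."""
    return value is None or value == "" or value == []

def map_group_record(record):
    """Return {UDM field: value} for one decoded record.

    Every row in the table is guarded by 'ObjectClass is equal to group', so
    any other object class yields nothing from these rules."""
    if record.get("ObjectClass") != "group":
        return {}
    udm = {}
    for field, key in GROUP_LABEL_KEYS.items():
        if not is_empty(record.get(field)):
            udm[f"entity.group.attribute.labels[{key}]"] = record[field]
    for field, target in GROUP_DIRECT_FIELDS.items():
        if not is_empty(record.get(field)):
            udm[target] = record[field]
    return udm

def map_group_json_line(line):
    """Map one compressed JSON line, as the collection script writes them."""
    return map_group_record(json.loads(line))

# Constructed sample record (invented values) in the shape of the script's
# per-object JSON line. Empty string, null and empty array must all be skipped.
SAMPLE_GROUP_LINE = json.dumps({
    "ObjectClass": "group",
    "CanonicalName": "example.test/Groups/Finance",
    "DisplayName": "Finance",
    "Description": "",
    "ObjectGuid": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0",
    "ObjectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "Member": ["CN=alice,OU=Staff,DC=example,DC=test"],
    "ManagedBy": None,
    "memberUid": [],
    "gidNumber": 10005,
    "StructuralObjectClass": "group",
    "msSFU30NisDomain": "example",
})

if __name__ == "__main__":
    print(json.dumps(map_group_json_line(SAMPLE_GROUP_LINE), indent=2))
```

Running it prints eight UDM fields for the sample; Description, ManagedBy and memberUid are dropped because their values are empty under the table's rule.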