Google Cloud Documentation

account_policy_data

The following table lists the log fields and corresponding UDM mappings for the schema account_policy_data and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
uid	principal.user.userid
creation_time	principal.user.attribute.creation_time
failed_login_count	principal.user.attribute.labels.key/value
failed_login_timestamp	principal.user.attribute.labels.key/value
password_last_set_time	principal.user.attribute.labels.key/value

ad_config

The following table lists the log fields and corresponding UDM mappings for the schema ad_config and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	about.labels.key/value (deprecated) additional.fields
domain	target.administrative_domain
option	about.labels.key (deprecated) additional.fields.key
value	about.labels.value (deprecated) additional.fields.value.string_value

alf

The following table lists the log fields and corresponding UDM mappings for the schema alf and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
allow_signed_enabled	about.labels.key/value (deprecated) additional.fields
firewall_unload	about.labels.key/value (deprecated) additional.fields
global_state	about.labels.key/value (deprecated) additional.fields
logging_enabled	about.labels.key/value (deprecated) additional.fields
logging_option	about.labels.key/value (deprecated) additional.fields
stealth_enabled	about.labels.key/value (deprecated) additional.fields
version	target.platform_version

alf_exceptions

The following table lists the log fields and corresponding UDM mappings for the schema alf_exceptions and OS macOS:

Log field

UDM mapping

metadata.event_type is mapped to SETTING_MODIFICATION

path

target.file.full_path

state

about.labels.key/value (deprecated)

additional.fields

alf_explicit_auths

The following table lists the log fields and corresponding UDM mappings for the schema alf_explicit_auths and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
process	target.process.pid

app_schemes

The following table lists the log fields and corresponding UDM mappings for the schema app_schemes and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
scheme	about.labels.key/value (deprecated) additional.fields
handler	about.labels.key/value (deprecated) additional.fields
enabled	about.labels.key/value (deprecated) additional.fields
external	about.labels.key/value (deprecated) additional.fields
protected	about.labels.key/value (deprecated) additional.fields

apparmor_events

The following table lists the log fields and corresponding UDM mappings for the schema apparmor_events and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
type	about.labels.key/value (deprecated) additional.fields
message	metadata.description
time	about.labels.key/value (deprecated) additional.fields
uptime	about.labels.key/value (deprecated) additional.fields
eid	security_result.rule_id
apparmor	security_result.action
operation	about.labels.key/value (deprecated) additional.fields
parent	target.process.parent_process.pid
profile	about.labels.key/value (deprecated) additional.fields
name	about.labels.key/value (deprecated) additional.fields
pid	target.process.pid
comm	target.process.command_line
denied_mask	about.labels.key/value (deprecated) additional.fields
capname	about.labels.key/value (deprecated) additional.fields
fsuid	target.user.attribute.labels.key/value
ouid	target.user.attribute.labels.key/value
capability	about.labels.key/value (deprecated) additional.fields
requested_mask	target.process.access_mask
info	about.labels.key/value (deprecated) additional.fields
error	security_result.summary
namespace	about.labels.key/value (deprecated) additional.fields
label	about.labels.key/value (deprecated) additional.fields

apparmor_profiles

The following table lists the log fields and corresponding UDM mappings for the schema apparmor_profiles and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
path	target.file.full_path
name	target.resource.name
attach	about.labels.key/value (deprecated) additional.fields
mode	about.labels.key/value (deprecated) additional.fields
sha1	target.file.sha1

apps

The following table lists the log fields and corresponding UDM mappings for the schema apps and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	target.application
path	target.file.full_path
bundle_executable	about.labels.key/value (deprecated) additional.fields
bundle_identifier	target.resource.product_object_id
bundle_name	target.resource.name
bundle_short_version	target.resource.attribute.labels.key/value
bundle_version	target.resource.attribute.labels.key/value
bundle_package_type	about.labels.key/value (deprecated) additional.fields
environment	about.labels.key/value (deprecated) additional.fields
element	about.labels.key/value (deprecated) additional.fields
compiler	about.labels.key/value (deprecated) additional.fields
development_region	about.location.country_or_region
display_name	about.labels.key/value (deprecated) additional.fields
info_string	about.labels.key/value (deprecated) additional.fields
minimum_system_version	about.labels.key/value (deprecated) additional.fields
category	about.labels.key/value (deprecated) additional.fields
applescript_enabled	about.labels.key/value (deprecated) additional.fields
copyright	about.labels.key/value (deprecated) additional.fields
last_opened_time	target.file.last_seen_time

asl

The following table lists the log fields and corresponding UDM mappings for the schema asl and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
time	about.labels.key/value (deprecated) additional.fields
time_nano_sec	about.labels.key/value (deprecated) additional.fields
host	target.hostname
sender	about.labels.key/value (deprecated) additional.fields
facility	about.labels.key/value (deprecated) additional.fields
pid	target.process.pid
gid	target.user.group_identifiers
uid	target.user.userid
level	about.labels.key/value (deprecated) additional.fields
message	metadata.description
ref_pid	about.labels.key/value (deprecated) additional.fields
ref_proc	about.labels.key/value (deprecated) additional.fields
extra	about.labels.key/value (deprecated) additional.fields

authenticode

The following table lists the log fields and corresponding UDM mappings for the schema authenticode and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
path	target.file.full_path
original_program_name	about.labels.key/value (deprecated) additional.fields
serial_number	network.tls.client.certificate.serial
issuer_name	network.tls.client.certificate.issuer
subject_name	network.tls.client.certificate.subject
result	security_result.summary

authorization_mechanisms

The following table lists the log fields and corresponding UDM mappings for the schema authorization_mechanisms and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
label	about.labels.key/value (deprecated) additional.fields
plugin	about.labels.key/value (deprecated) additional.fields
mechanism	about.labels.key/value (deprecated) additional.fields
privileged	about.labels.key/value (deprecated) additional.fields
entry	about.labels.key/value (deprecated) additional.fields

authorizations

The following table lists the log fields and corresponding UDM mappings for the schema authorizations and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
label	about.labels.key/value (deprecated) additional.fields
modified	about.labels.key/value (deprecated) additional.fields
allow_root	about.labels.key/value (deprecated) additional.fields
timeout	about.labels.key/value (deprecated) additional.fields
version	about.labels.key/value (deprecated) additional.fields
tries	about.labels.key/value (deprecated) additional.fields
authenticate_user	about.labels.key/value (deprecated) additional.fields
shared	about.labels.key/value (deprecated) additional.fields
comment	about.labels.key/value (deprecated) additional.fields
created	about.labels.key/value (deprecated) additional.fields
class	about.labels.key/value (deprecated) additional.fields
session_owner	about.labels.key/value (deprecated) additional.fields

autoexec

The following table lists the log fields and corresponding UDM mappings for the schema autoexec and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
path	target.file.full_path
name	target.application
source	target.resource.name

bitlocker_info

The following table lists the log fields and corresponding UDM mappings for the schema bitlocker_info and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
device_id	target.resource.product_object_id
drive_letter	target.resource.name
persistent_volume_id	about.labels.key/value (deprecated) additional.fields
conversion_status	target.resource.attirbute.labels.key/value
protection_status	target.resource.attirbute.labels.key/value
encryption_method	target.resource.attirbute.labels.key/value
version	metadata.product_version
percentage_encrypted	target.resource.attirbute.labels.key/value
lock_status	target.resource.attirbute.labels.key/value

bpf_process_events

The following table lists the log fields and corresponding UDM mappings for the schema bpf_process_events and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
tid	about.labels.key/value (deprecated) additional.fields
pid	target.process.pid
parent	target.process.parent_process.pid
uid	principal.user.userid
gid	principal.group.product_object_id
cid	about.labels.key/value (deprecated) additional.fields
exit_code	about.labels.key/value (deprecated) additional.fields
probe_error	about.labels.key/value (deprecated) additional.fields
syscall	about.labels.key/value (deprecated) additional.fields
path	target.process.file.full_path
cwd	about.labels.key/value (deprecated) additional.fields
cmdline	target.process.command_line
duration	about.labels.key/value (deprecated) additional.fields
json_cmdline	about.labels.key/value (deprecated) additional.fields
ntime	about.labels.key/value (deprecated) additional.fields
time	about.labels.key/value (deprecated) additional.fields
eid	metadata.product_log_id

bpf_socket_events

The following table lists the log fields and corresponding UDM mappings for the schema bpf_socket_events and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
tid	about.labels.key/value (deprecated) additional.fields
pid	principal.process.pid
parent	principal.process.parent_process.pid
uid	principal.user.userid
gid	principal.group.product_object_id
cid	about.labels.key/value (deprecated) additional.fields
exit_code	about.labels.key/value (deprecated) additional.fields
probe_error	about.labels.key/value (deprecated) additional.fields
syscall	about.labels.key/value (deprecated) additional.fields
path	target.file.full_path
fd	about.labels.key/value (deprecated) additional.fields
family	about.labels.key/value (deprecated) additional.fields
type	about.labels.key/value (deprecated) additional.fields
protocol	about.labels.key/value (deprecated) additional.fields
local_address	principal.ip
remote_address	target.ip
local_port	principal.port
remote_port	target.port
duration	about.labels.key/value (deprecated) additional.fields
ntime	about.labels.key/value (deprecated) additional.fields
time	about.labels.key/value (deprecated) additional.fields
eid	metadata.product_log_id

certificates

The following table lists the log fields and corresponding UDM mappings for the schema certificates and OS macOS, Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
common_name	about.labels.key/value (deprecated) additional.fields
subject	network.tls.client.certificate.subject
issuer	network.tls.client.certificate.issuer
ca	about.labels.key/value (deprecated) additional.fields
self_signed	about.labels.key/value (deprecated) additional.fields
not_valid_before	network.tls.client.certificate.not_before
not_valid_after	network.tls.client.certificate.not_after
signing_algorithm	about.labels.key/value (deprecated) additional.fields
key_algorithm	about.labels.key/value (deprecated) additional.fields
key_strength	about.labels.key/value (deprecated) additional.fields
key_usage	about.labels.key/value (deprecated) additional.fields
subject_key_id	about.labels.key/value (deprecated) additional.fields
authority_key_id	about.labels.key/value (deprecated) additional.fields
sha1	network.tls.client.certificate.sha1
path	about.labels.key/value (deprecated) additional.fields
serial	network.tls.client.certificate.serial
sid	about.labels.key/value (deprecated) additional.fields
store_location	about.labels.key/value (deprecated) additional.fields
store	about.labels.key/value (deprecated) additional.fields
username	principal.user.user_display_name
store_id	about.labels.key/value (deprecated) additional.fields

chassis_info

The following table lists the log fields and corresponding UDM mappings for the schema chassis_info and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
audible_alarm	about.labels.key/value (deprecated) additional.fields
breach_description	security_result.description
chassis_types	about.labels.key/value (deprecated) additional.fields
description	metadata.description
lock	about.labels.key/value (deprecated) additional.fields
manufacturer	principal.asset.hardware.manufacturer
model	principal.asset.hardware.model
security_breach	security_result.detection_fields.key/value
serial	principal.asset.hardware.serial_number
smbios_tag	about.labels.key/value (deprecated) additional.fields
sku	about.labels.key/value (deprecated) additional.fields
status	about.labels.key/value (deprecated) additional.fields
visible_alarm	about.labels.key/value (deprecated) additional.fields

chrome_extensions

The following table lists the log fields and corresponding UDM mappings for the schema chrome_extensions and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
browser_type	target.resource.attribute.labels.key/value
uid	principal.user.userid
name	target.resource.name
profile	target.resource.attribute.labels.key/value
profile_path	target.resource.attribute.labels.key/value
referenced_identifier	target.resource.attribute.labels.key/value
identifier	target.resource.attribute.labels.key/value
version	target.resource.attribute.labels.key/value
description	target.resource.attribute.labels.key/value
default_locale	target.resource.attribute.labels.key/value
current_locale	target.resource.attribute.labels.key/value
update_url	network.http.referral_url
author	target.resource.attribute.labels.key/value
persistent	target.resource.attribute.labels.key/value
path	target.file.full_path
permissions	target.resource.attribute.labels.key/value
permissions_json	target.resource.attribute.labels.key/value
optional_permissions	target.resource.attribute.labels.key/value
optional_permissions_json	target.resource.attribute.labels.key/value
manifest_hash	target.resource.attribute.labels.key/value
referenced	target.resource.attribute.labels.key/value
from_webstore	target.resource.attribute.labels.key/value
state	target.resource.attribute.labels.key/value
install_time	target.resource.attribute.labels.key/value
install_timestamp	target.resource.attribute.labels.key/value
manifest_json	target.resource.attribute.labels.key/value
key	target.resource.attribute.labels.key/value

connectivity

The following table lists the log fields and corresponding UDM mappings for the schema connectivity and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
disconnected	about.labels.key/value (deprecated) additional.fields
ipv4_no_traffic	about.labels.key/value (deprecated) additional.fields
ipv6_no_traffic	about.labels.key/value (deprecated) additional.fields
ipv4_subnet	about.labels.key/value (deprecated) additional.fields
ipv4_local_network	about.labels.key/value (deprecated) additional.fields
ipv4_internet	about.labels.key/value (deprecated) additional.fields
ipv6_subnet	about.labels.key/value (deprecated) additional.fields
ipv6_local_network	about.labels.key/value (deprecated) additional.fields
ipv6_internet	about.labels.key/value (deprecated) additional.fields

cpu_info

The following table lists the log fields and corresponding UDM mappings for the schema cpu_info and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
device_id	principal.asset.product_object_id
model	principal.asset.hardware.model
manufacturer	principal.asset.hardware.manufacturer
processor_type	about.labels.key/value (deprecated) additional.fields
availability	about.labels.key/value (deprecated) additional.fields
cpu_status	about.labels.key/value (deprecated) additional.fields
number_of_cores	principal.asset.hardware.cpu_number_cores
logical_processors	about.labels.key/value (deprecated) additional.fields
address_width	about.labels.key/value (deprecated) additional.fields
current_clock_speed	principal.asset.hardware.cpu_clock_speed
max_clock_speed	principal.asset.hardware.cpu_max_clock_speed
socket_designation	about.labels.key/value (deprecated) additional.fields

crashes

The following table lists the log fields and corresponding UDM mappings for the schema crashes and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
type	about.labels.key/value (deprecated) additional.fields
pid	target.process.pid
path	target.process.file.full_path
crash_path	target.file.full_path
identifier	about.labels.key/value (deprecated) additional.fields
version	about.labels.key/value (deprecated) additional.fields
parent	target.process.parent_process.pid
responsible	about.labels.key/value (deprecated) additional.fields
uid	target.user.userid
datetime	metadata.event_timestamp
crashed_thread	about.labels.key/value (deprecated) additional.fields
stack_trace	about.labels.key/value (deprecated) additional.fields
exception_type	about.labels.key/value (deprecated) additional.fields
exception_codes	about.labels.key/value (deprecated) additional.fields
exception_notes	about.labels.key/value (deprecated) additional.fields
registers	about.labels.key/value (deprecated) additional.fields

crontab

The following table lists the log fields and corresponding UDM mappings for the schema crontab and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
event	about.labels.key/value (deprecated) additional.fields
minute	about.labels.key/value (deprecated) additional.fields
hour	about.labels.key/value (deprecated) additional.fields
day_of_month	about.labels.key/value (deprecated) additional.fields
month	about.labels.key/value (deprecated) additional.fields
day_of_week	about.labels.key/value (deprecated) additional.fields
command	principal.process.command_line
path	principal.process.file.full_path
pid_with_namespace	about.labels.key/value (deprecated) additional.fields

curl

The following table lists the log fields and corresponding UDM mappings for the schema curl and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
url	network.http.referral_url
method	network.http.method
user_agent	network.http.user_agent
response_code	network.http.response_code
round_trip_time	network.session_duration
bytes	network.received_bytes
result	about.labels.key/value (deprecated) additional.fields

curl_certificate

The following table lists the log fields and corresponding UDM mappings for the schema curl_certificate and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
hostname	principal.hostname
common_name	about.labels.key/value (deprecated) additional.fields
organization	network.organization_name
organization_unit	about.labels.key/value (deprecated) additional.fields
serial_number	network.tls.server.certificate.serial
issuer_common_name	about.labels.key/value (deprecated) additional.fields
issuer_organization	network.tls.server.certificate.issuer
issuer_organization_unit	about.labels.key/value (deprecated) additional.fields
valid_from	network.tls.server.certificate.not_before
valid_to	network.tls.server.certificate.not_after
sha256_fingerprint	network.tls.server.certificate.sha256
sha1_fingerprint	network.tls.server.certificate.sha1
version	network.tls.server.certificate.version
signature_algorithm	about.labels.key/value (deprecated) additional.fields
signature	about.labels.key/value (deprecated) additional.fields
subject_key_identifier	about.labels.key/value (deprecated) additional.fields
authority_key_identifier	about.labels.key/value (deprecated) additional.fields
key_usage	about.labels.key/value (deprecated) additional.fields
extended_key_usage	about.labels.key/value (deprecated) additional.fields
policies	about.labels.key/value (deprecated) additional.fields
subject_alternative_names	about.labels.key/value (deprecated) additional.fields
issuer_alternative_names	about.labels.key/value (deprecated) additional.fields
info_access	about.labels.key/value (deprecated) additional.fields
subject_info_access	about.labels.key/value (deprecated) additional.fields
policy_mappings	about.labels.key/value (deprecated) additional.fields
has_expired	about.labels.key/value (deprecated) additional.fields
basic_constraint	about.labels.key/value (deprecated) additional.fields
name_constraints	about.labels.key/value (deprecated) additional.fields
policy_constraints	about.labels.key/value (deprecated) additional.fields
dump_certificate	about.labels.key/value (deprecated) additional.fields
timeout	about.labels.key/value (deprecated) additional.fields
pem	about.labels.key/value (deprecated) additional.fields

device_file

The following table lists the log fields and corresponding UDM mappings for the schema device_file and OS Linux, macOS, freebsd, Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
device	about.labels.key/value (deprecated) additional.fields
partition	about.labels.key/value (deprecated) additional.fields
path	target.file.full_path
filename	target.file.names
inode	about.labels.key/value (deprecated) additional.fields
uid	target.user.userid
gid	target.group.product_object_id
mode	about.labels.key/value (deprecated) additional.fields
size	target.file.size
block_size	about.labels.key/value (deprecated) additional.fields
atime	about.labels.key/value (deprecated) additional.fields
mtime	target.file.last_modification_time
ctime	about.labels.key/value (deprecated) additional.fields
hard_links	about.labels.key/value (deprecated) additional.fields
type	about.labels.key/value (deprecated) additional.fields

device_hash

The following table lists the log fields and corresponding UDM mappings for the schema device_hash and OS Linux, macOS, freebsd, Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
device	target.file.full_path
partition	about.labels.key/value (deprecated) additional.fields
inode	about.labels.key/value (deprecated) additional.fields
md5	target.file.md5
sha1	target.file.sha1
sha256	target.file.sha56

disk_info

The following table lists the log fields and corresponding UDM mappings for the schema disk_info and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
partitions	principal.asset.attribute.labels.key/value
disk_index	principal.asset.attribute.labels.key/value
type	principal.asset.attribute.labels.key/value
id	principal.asset.product_object_id
pnp_device_id	about.labels.key/value (deprecated) additional.fields
disk_size	principal.asset.attribute.labels.key/value
manufacturer	principal.asset.hardware.manufacturer
hardware_model	principal.asset.hardware.model
name	principal.asset.attribute.labels.key/value
serial	principal.asset.hardware.serial_number
description	principal.asset.attribute.labels.key/value

dns_cache

The following table lists the log fields and corresponding UDM mappings for the schema dns_cache and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	network.dns.additional.name
type	about.labels.key/value (deprecated) additional.fields
flags	about.labels.key/value (deprecated) additional.fields

dns_resolvers

The following table lists the log fields and corresponding UDM mappings for the schema dns_resolvers and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
id	about.labels.key/value (deprecated) additional.fields
type	about.labels.key/value (deprecated) additional.fields
address	principal.ip
netmask	about.labels.key/value (deprecated) additional.fields
options	about.labels.key/value (deprecated) additional.fields
pid_with_namespace	about.labels.key/value (deprecated) additional.fields

docker_container_networks

The following table lists the log fields and corresponding UDM mappings for the schema docker_container_networks and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
id	target.asset.product_object_id
name	network.carrier_name
network_id	about.labels.key/value (deprecated) additional.fields
endpoint_id	about.labels.key/value (deprecated) additional.fields
gateway	about.labels.key/value (deprecated) additional.fields
ip_address	target.ip
ip_prefix_len	about.labels.key/value (deprecated) additional.fields
ipv6_gateway	about.labels.key/value (deprecated) additional.fields
ipv6_address	target.ip
ipv6_prefix_len	about.labels.key/value (deprecated) additional.fields
mac_address	target.mac

docker_container_ports

The following table lists the log fields and corresponding UDM mappings for the schema docker_container_ports and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
id	target.asset.product_object_id
type	network.ip_protocol
port	target.port
host_ip	principal.ip
host_port	principal.port

docker_container_processes

The following table lists the log fields and corresponding UDM mappings for the schema docker_container_processes and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
id	target.asset.product_object_id
pid	target.process.pid
name	target.process.file.full_path
cmdline	target.process.command_line
state	about.labels.key/value (deprecated) additional.fields
uid	target.user.userid
gid	target.group.product_object_id
euid	target.user.attribute.labels.key/value
egid	target.group.attribute.labels.key/value
suid	target.user.attribute.labels.key/value
sgid	target.group.attribute.labels.key/value
wired_size	about.labels.key/value (deprecated) additional.fields
resident_size	about.labels.key/value (deprecated) additional.fields
total_size	about.labels.key/value (deprecated) additional.fields
start_time	about.labels.key/value (deprecated) additional.fields
parent	target.process.parent_process.pid
pgroup	about.labels.key/value (deprecated) additional.fields
threads	about.labels.key/value (deprecated) additional.fields
nice	about.labels.key/value (deprecated) additional.fields
user	target.user.user_display_name
time	about.labels.key/value (deprecated) additional.fields
cpu	about.labels.key/value (deprecated) additional.fields
mem	about.labels.key/value (deprecated) additional.fields

docker_container_stats

The following table lists the log fields and corresponding UDM mappings for the schema docker_container_stats and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
id	target.resource.product_object_id
name	target.resource.name
pids	about.labels.key/value (deprecated) additional.fields
read	about.labels.key/value (deprecated) additional.fields
preread	about.labels.key/value (deprecated) additional.fields
interval	about.labels.key/value (deprecated) additional.fields
disk_read	about.labels.key/value (deprecated) additional.fields
disk_write	about.labels.key/value (deprecated) additional.fields
num_procs	about.labels.key/value (deprecated) additional.fields
cpu_total_usage	about.labels.key/value (deprecated) additional.fields
cpu_kernelmode_usage	about.labels.key/value (deprecated) additional.fields
cpu_usermode_usage	about.labels.key/value (deprecated) additional.fields
system_cpu_usage	about.labels.key/value (deprecated) additional.fields
online_cpus	about.labels.key/value (deprecated) additional.fields
pre_cpu_total_usage	about.labels.key/value (deprecated) additional.fields
pre_cpu_kernelmode_usage	about.labels.key/value (deprecated) additional.fields
pre_cpu_usermode_usage	about.labels.key/value (deprecated) additional.fields
pre_system_cpu_usage	about.labels.key/value (deprecated) additional.fields
pre_online_cpus	about.labels.key/value (deprecated) additional.fields
memory_usage	about.labels.key/value (deprecated) additional.fields
memory_max_usage	about.labels.key/value (deprecated) additional.fields
memory_limit	about.labels.key/value (deprecated) additional.fields
network_rx_bytes	about.labels.key/value (deprecated) additional.fields
network_tx_bytes	about.labels.key/value (deprecated) additional.fields

docker_info

The following table lists the log fields and corresponding UDM mappings for the schema docker_info and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
id	target.resource.product_object_id
containers	about.labels.key/value (deprecated) additional.fields
containers_running	about.labels.key/value (deprecated) additional.fields
containers_paused	about.labels.key/value (deprecated) additional.fields
containers_stopped	about.labels.key/value (deprecated) additional.fields
images	about.labels.key/value (deprecated) additional.fields
storage_driver	about.labels.key/value (deprecated) additional.fields
memory_limit	about.labels.key/value (deprecated) additional.fields
swap_limit	about.labels.key/value (deprecated) additional.fields
kernel_memory	about.labels.key/value (deprecated) additional.fields
cpu_cfs_period	about.labels.key/value (deprecated) additional.fields
cpu_cfs_quota	about.labels.key/value (deprecated) additional.fields
cpu_shares	about.labels.key/value (deprecated) additional.fields
cpu_set	about.labels.key/value (deprecated) additional.fields
ipv4_forwarding	about.labels.key/value (deprecated) additional.fields
bridge_nf_iptables	about.labels.key/value (deprecated) additional.fields
bridge_nf_ip6tables	about.labels.key/value (deprecated) additional.fields
oom_kill_disable	about.labels.key/value (deprecated) additional.fields
logging_driver	about.labels.key/value (deprecated) additional.fields
cgroup_driver	about.labels.key/value (deprecated) additional.fields
kernel_version	about.labels.key/value (deprecated) additional.fields
os	about.labels.key/value (deprecated) additional.fields
os_type	target.platform(enum)
architecture	about.labels.key/value (deprecated) additional.fields
cpus	about.labels.key/value (deprecated) additional.fields
memory	about.labels.key/value (deprecated) additional.fields
http_proxy	about.labels.key/value (deprecated) additional.fields
https_proxy	about.labels.key/value (deprecated) additional.fields
no_proxy	about.labels.key/value (deprecated) additional.fields
name	target.hostname
server_version	target.platform_version
root_dir	target.file.full_path

docker_network_labels

The following table lists the log fields and corresponding UDM mappings for the schema docker_network_labels and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
id	target.resource.product_object_id
key	target.resource.attribute.labels.key/value
value	about.labels.key/value (deprecated) additional.fields

docker_networks

The following table lists the log fields and corresponding UDM mappings for the schema docker_networks and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
id	target.resource.product_object_id
name	about.labels.key/value (deprecated) additional.fields
driver	about.labels.key/value (deprecated) additional.fields
created	target.resource.attribute.creation_time
enable_ipv6	about.labels.key/value (deprecated) additional.fields
subnet	about.labels.key/value (deprecated) additional.fields
gateway	about.labels.key/value (deprecated) additional.fields

ec2_instance_metadata

The following table lists the log fields and corresponding UDM mappings for the schema ec2_instance_metadata and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
instance_id	target.resource.product_object_id
instance_type	about.labels.key/value (deprecated) additional.fields
architecture	about.labels.key/value (deprecated) additional.fields
region	target.location.country_or_region
availability_zone	about.labels.key/value (deprecated) additional.fields
local_hostname	target.hostname
local_ipv4	target.ip
mac	target.mac
security_groups	about.labels.key/value (deprecated) additional.fields
iam_arn	about.labels.key/value (deprecated) additional.fields
ami_id	about.labels.key/value (deprecated) additional.fields
reservation_id	about.labels.key/value (deprecated) additional.fields
account_id	target.user.userid
ssh_public_key	about.labels.key/value (deprecated) additional.fields

es_process_events

The following table lists the log fields and corresponding UDM mappings for the schema es_process_events and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
version	target.platform_version
seq_num	about.labels.key/value (deprecated) additional.fields
global_seq_num	about.labels.key/value (deprecated) additional.fields
pid	target.process.pid
path	target.process.file.full_path
parent	target.process.parent_process.pid
original_parent	about.labels.key/value (deprecated) additional.fields
cmdline	target.process.command_line
cmdline_count	about.labels.key/value (deprecated) additional.fields
env	about.labels.key/value (deprecated) additional.fields
env_count	about.labels.key/value (deprecated) additional.fields
cwd	about.labels.key/value (deprecated) additional.fields
uid	target.user.userid
euid	about.labels.key/value (deprecated) additional.fields
gid	target.group.product_object_id
egid	about.labels.key/value (deprecated) additional.fields
username	target.user.user_display_name
signing_id	about.labels.key/value (deprecated) additional.fields
team_id	about.labels.key/value (deprecated) additional.fields
cdhash	about.labels.key/value (deprecated) additional.fields
platform_binary	about.labels.key/value (deprecated) additional.fields
exit_code	about.labels.key/value (deprecated) additional.fields
child_pid	about.labels.key/value (deprecated) additional.fields
time	about.labels.key/value (deprecated) additional.fields
event_type	about.labels.key/value (deprecated) additional.fields
eid	metadata.product_log_id

etc_hosts

The following table lists the log fields and corresponding UDM mappings for the schema etc_hosts and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
address	target.ip
hostnames	about.hostname
pid_with_namespace	about.labels.key/value (deprecated) additional.fields

etc_protocols

The following table lists the log fields and corresponding UDM mappings for the schema etc_protocols and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	network.ip_protocol
number	about.labels.key/value (deprecated) additional.fields
alias	about.labels.key/value (deprecated) additional.fields
comment	about.labels.key/value (deprecated) additional.fields

etc_services

The following table lists the log fields and corresponding UDM mappings for the schema etc_services and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	target.resource.name
port	target.port
protocol	network.ip_protocol
aliases	about.labels.key/value (deprecated) additional.fields
comment	about.labels.key/value (deprecated) additional.fields

file

The following table lists the log fields and corresponding UDM mappings for the schema file and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
path	target.file.full_path
directory	about.labels.key/value (deprecated) additional.fields
filename	target.file.names
inode	about.labels.key/value (deprecated) additional.fields
uid	target.user.userid
gid	target.group.product_object_id
mode	about.labels.key/value (deprecated) additional.fields
device	target.asset.asset_id
size	target.file.size
block_size	about.labels.key/value (deprecated) additional.fields
atime	target.file.last_seen_time
mtime	target.file.last_modification_time
ctime	about.labels.key/value (deprecated) additional.fields
btime	about.labels.key/value (deprecated) additional.fields
hard_links	about.labels.key/value (deprecated) additional.fields
symlink	about.labels.key/value (deprecated) additional.fields
type	about.labels.key/value (deprecated) additional.fields
attributes	about.labels.key/value (deprecated) additional.fields
volume_serial	about.labels.key/value (deprecated) additional.fields
file_id	about.labels.key/value (deprecated) additional.fields
file_version	about.labels.key/value (deprecated) additional.fields
product_version	about.labels.key/value (deprecated) additional.fields
bsd_flags	about.labels.key/value (deprecated) additional.fields
pid_with_namespace	about.labels.key/value (deprecated) additional.fields
mount_namespace_id	about.labels.key/value (deprecated) additional.fields

file_events

The following table lists the log fields and corresponding UDM mappings for the schema file_events and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
operation	about.labels.key/value (deprecated) additional.fields
pid	principal.process.pid
ppid	principal.process.parent_process.pid
time	about.labels.key/value (deprecated) additional.fields
executable	about.labels.key/value (deprecated) additional.fields
partial	about.labels.key/value (deprecated) additional.fields
cwd	about.labels.key/value (deprecated) additional.fields
path	src.file.full_path
dest_path	target.file.full_path
uid	principal.user.userid
gid	principal.group.product_object_id
auid	about.labels.key/value (deprecated) additional.fields
euid	about.labels.key/value (deprecated) additional.fields
egid	about.labels.key/value (deprecated) additional.fields
fsuid	about.labels.key/value (deprecated) additional.fields
fsgid	about.labels.key/value (deprecated) additional.fields
suid	about.labels.key/value (deprecated) additional.fields
sgid	about.labels.key/value (deprecated) additional.fields
uptime	about.labels.key/value (deprecated) additional.fields
eid	metadata.product_log_id

gatekeeper

The following table lists the log fields and corresponding UDM mappings for the schema gatekeeper and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
assessments_enabled	about.labels.key/value (deprecated) additional.fields
dev_id_enabled	about.labels.key/value (deprecated) additional.fields
version	target.asset.software.version
opaque_version	about.labels.key/value (deprecated) additional.fields

gatekeeper_approved_apps

The following table lists the log fields and corresponding UDM mappings for the schema gatekeeper_approved_apps and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
path	target.file.full_path
requirement	about.labels.key/value (deprecated) additional.fields
ctime	about.labels.key/value (deprecated) additional.fields
mtime	target.resource.attribute.last_update_time

groups

The following table lists the log fields and corresponding UDM mappings for the schema groups and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
gid	target.group.attribute.labels.key/value
gid_signed	target.group.attribute.labels.key/value
groupname	target.group.group_display_name
group_sid	target.group.product_object_id
comment	target.group.attribute.labels.key/value
is_hidden	target.group.attribute.labels.key/value
pid_with_namespace	target.group.attribute.labels.key/value

hardware_events

The following table lists the log fields and corresponding UDM mappings for the schema hardware_events and OS Linux, macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
action	security_result.action_details
path	target.asset.attribute.labels.key/value
type	target.asset.attribute.labels.key/value
driver	target.asset.attribute.labels.key/value
vendor	target.asset.attribute.labels.key/value
vendor_id	target.asset.attribute.labels.key/value
model	target.asset.hardware.model
model_id	target.asset.attribute.labels.key/value
serial	target.asset.attribute.labels.key/value
revision	target.asset.attribute.labels.key/value
time	metadata.event_timestamp
eid	metadata.product_log_id

hash

The following table lists the log fields and corresponding UDM mappings for the schema hash and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
path	target.file.full_path
directory	about.labels.key/value (deprecated) additional.fields
md5	target.file.md5
sha1	target.file.sha1
sha256	target.file.sha256
pid_with_namespace	about.labels.key/value (deprecated) additional.fields
mount_namespace_id	about.labels.key/value (deprecated) additional.fields

interface_addresses

The following table lists the log fields and corresponding UDM mappings for the schema interface_addresses and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
interface	about.labels.key/value (deprecated) additional.fields
address	target.ip
mask	about.labels.key/value (deprecated) additional.fields
broadcast	about.labels.key/value (deprecated) additional.fields
point_to_point	about.labels.key/value (deprecated) additional.fields
type	about.labels.key/value (deprecated) additional.fields
friendly_name	about.labels.key/value (deprecated) additional.fields

interface_details

The following table lists the log fields and corresponding UDM mappings for the schema interface_details and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
interface	about.labels.key/value (deprecated) additional.fields
mac	target.mac
type	about.labels.key/value (deprecated) additional.fields
mtu	about.labels.key/value (deprecated) additional.fields
metric	about.labels.key/value (deprecated) additional.fields
flags	about.labels.key/value (deprecated) additional.fields
ipackets	about.labels.key/value (deprecated) additional.fields
opackets	about.labels.key/value (deprecated) additional.fields
ibytes	network.sent_bytes
obytes	network.received_bytes
ierrors	about.labels.key/value (deprecated) additional.fields
oerrors	about.labels.key/value (deprecated) additional.fields
idrops	about.labels.key/value (deprecated) additional.fields
odrops	about.labels.key/value (deprecated) additional.fields
collisions	about.labels.key/value (deprecated) additional.fields
last_change	about.labels.key/value (deprecated) additional.fields
link_speed	about.labels.key/value (deprecated) additional.fields
pci_slot	about.labels.key/value (deprecated) additional.fields
friendly_name	about.labels.key/value (deprecated) additional.fields
description	about.labels.key/value (deprecated) additional.fields
manufacturer	target.asset.hardware.manufacturer
connection_id	about.labels.key/value (deprecated) additional.fields
connection_status	about.labels.key/value (deprecated) additional.fields
enabled	about.labels.key/value (deprecated) additional.fields
physical_adapter	about.labels.key/value (deprecated) additional.fields
speed	about.labels.key/value (deprecated) additional.fields
service	target.application
dhcp_enabled	about.labels.key/value (deprecated) additional.fields
dhcp_lease_expires	network.dhcp.lease_time_seconds
dhcp_lease_obtained	about.labels.key/value (deprecated) additional.fields
dhcp_server	network.dhcp.yiaddr
dns_domain	network.dns.questions.name
dns_domain_suffix_search_order	about.labels.key/value (deprecated) additional.fields
dns_host_name	about.labels.key/value (deprecated) additional.fields
dns_server_search_order	about.labels.key/value (deprecated) additional.fields

interface_ipv6

The following table lists the log fields and corresponding UDM mappings for the schema interface_ipv6 and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
interface	about.labels.key/value (deprecated) additional.fields
hop_limit	about.labels.key/value (deprecated) additional.fields
forwarding_enabled	about.labels.key/value (deprecated) additional.fields
redirect_accept	about.labels.key/value (deprecated) additional.fields
rtadv_accept	about.labels.key/value (deprecated) additional.fields

iptables

The following table lists the log fields and corresponding UDM mappings for the schema iptables and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
filter_name	about.labels.key/value (deprecated) additional.fields
chain	about.labels.key/value (deprecated) additional.fields
policy	about.labels.key/value (deprecated) additional.fields
target	about.labels.key/value (deprecated) additional.fields
protocol	about.labels.key/value (deprecated) additional.fields
src_port	src.port
dst_port	target.port
src_ip	src.ip
src_mask	about.labels.key/value (deprecated) additional.fields
iniface	about.labels.key/value (deprecated) additional.fields
iniface_mask	about.labels.key/value (deprecated) additional.fields
dst_ip	target.ip
dst_mask	about.labels.key/value (deprecated) additional.fields
outiface	about.labels.key/value (deprecated) additional.fields
outiface_mask	about.labels.key/value (deprecated) additional.fields
match	about.labels.key/value (deprecated) additional.fields
packets	about.labels.key/value (deprecated) additional.fields
bytes	network.received_bytes

kernel_panics

The following table lists the log fields and corresponding UDM mappings for the schema kernel_panics and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
path	target.file.full_path
time	about.labels.key/value (deprecated) additional.fields
registers	about.labels.key/value (deprecated) additional.fields
frame_backtrace	about.labels.key/value (deprecated) additional.fields
module_backtrace	about.labels.key/value (deprecated) additional.fields
dependencies	about.labels.key/value (deprecated) additional.fields
name	target.process.command_line
os_version	target.platform_version
kernel_version	about.labels.key/value (deprecated) additional.fields
system_model	target.asset.hardware.model
uptime	about.labels.key/value (deprecated) additional.fields
last_loaded	about.labels.key/value (deprecated) additional.fields
last_unloaded	about.labels.key/value (deprecated) additional.fields

keychain_acls

The following table lists the log fields and corresponding UDM mappings for the schema keychain_acls and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
keychain_path	about.labels.key/value (deprecated) additional.fields
authorizations	about.labels.key/value (deprecated) additional.fields
path	target.file.full_path
description	metadata.description
label	about.labels.key/value (deprecated) additional.fields

known_hosts

The following table lists the log fields and corresponding UDM mappings for the schema known_hosts and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
uid	target.user.userid
key	about.labels.key/value (deprecated) additional.fields
key_file	target.file.full_path

last

The following table lists the log fields and corresponding UDM mappings for the schema last and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
username	target.user.user_display_name
tty	about.labels.key/value (deprecated) additional.fields
pid	target.process.pid
type	about.labels.key/value (deprecated) additional.fields
type_name	about.labels.key/value (deprecated) additional.fields
time	about.labels.key/value (deprecated) additional.fields
host	target.hostname

listening_ports

The following table lists the log fields and corresponding UDM mappings for the schema listening_ports and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
pid	target.process.pid
port	target.port
protocol	network.ip_protocol
family	about.labels.key/value (deprecated) additional.fields
address	target.ip
fd	about.labels.key/value (deprecated) additional.fields
socket	about.labels.key/value (deprecated) additional.fields
path	target.process.file.full_path
net_namespace	about.labels.key/value (deprecated) additional.fields

logged_in_users

The following table lists the log fields and corresponding UDM mappings for the schema logged_in_users and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
type	about.labels.key/value (deprecated) additional.fields
user	target.user.userid
tty	about.labels.key/value (deprecated) additional.fields
host	target.hostname
time	about.labels.key/value (deprecated) additional.fields
pid	target.process.pid
sid	about.labels.key/value (deprecated) additional.fields
registry_hive	about.labels.key/value (deprecated) additional.fields

logon_sessions

The following table lists the log fields and corresponding UDM mappings for the schema logon_sessions and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
logon_id	about.labels.key/value (deprecated) additional.fields
user	target.user.user_display_name
logon_domain	about.labels.key/value (deprecated) additional.fields
authentication_package	about.labels.key/value (deprecated) additional.fields
logon_type	about.labels.key/value (deprecated) additional.fields
session_id	network.session_id
logon_sid	about.labels.key/value (deprecated) additional.fields
logon_time	about.labels.key/value (deprecated) additional.fields
logon_server	about.labels.key/value (deprecated) additional.fields
dns_domain_name	network.dns_domain
upn	about.labels.key/value (deprecated) additional.fields
logon_script	about.labels.key/value (deprecated) additional.fields
profile_path	target.file.full_path
home_directory	about.labels.key/value (deprecated) additional.fields
home_directory_drive	about.labels.key/value (deprecated) additional.fields

lxd_certificates

The following table lists the log fields and corresponding UDM mappings for the schema lxd_certificates and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	security_result.detection_fields.key/value
type	security_result.detection_fields.key/value
fingerprint	security_result.detection_fields.key/value
certificate	security_result.detection_fields.key/value

lxd_networks

The following table lists the log fields and corresponding UDM mappings for the schema lxd_networks and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	about.labels.key/value (deprecated) additional.fields
type	about.labels.key/value (deprecated) additional.fields
managed	about.labels.key/value (deprecated) additional.fields
ipv4_address	about.labels.key/value (deprecated) additional.fields
ipv6_address	about.labels.key/value (deprecated) additional.fields
used_by	about.labels.key/value (deprecated) additional.fields
bytes_received	network.received_bytes
bytes_sent	network.sent_bytes
packets_received	about.labels.key/value (deprecated) additional.fields
packets_sent	about.labels.key/value (deprecated) additional.fields
hwaddr	about.labels.key/value (deprecated) additional.fields
state	about.labels.key/value (deprecated) additional.fields
mtu	about.labels.key/value (deprecated) additional.fields

managed_policies

The following table lists the log fields and corresponding UDM mappings for the schema managed_policies and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
domain	target.administrative_domain
uuid	about.labels.key/value (deprecated) additional.fields
name	about.labels.key/value (deprecated) additional.fields
value	about.labels.key/value (deprecated) additional.fields
username	target.user.user_display_name
manual	about.labels.key/value (deprecated) additional.fields

memory_devices

The following table lists the log fields and corresponding UDM mappings for the schema memory_devices and OS Linux, macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
handle	about.labels.key/value (deprecated) additional.fields
array_handle	about.labels.key/value (deprecated) additional.fields
form_factor	about.labels.key/value (deprecated) additional.fields
total_width	about.labels.key/value (deprecated) additional.fields
data_width	about.labels.key/value (deprecated) additional.fields
size	about.labels.key/value (deprecated) additional.fields
set	about.labels.key/value (deprecated) additional.fields
device_locator	about.labels.key/value (deprecated) additional.fields
bank_locator	about.labels.key/value (deprecated) additional.fields
memory_type	about.labels.key/value (deprecated) additional.fields
memory_type_details	about.labels.key/value (deprecated) additional.fields
max_speed	about.labels.key/value (deprecated) additional.fields
configured_clock_speed	about.labels.key/value (deprecated) additional.fields
manufacturer	target.asset.hardware.manufacturer
serial_number	target.asset.hardware.serial_number
asset_tag	target.asset.asset_id
part_number	about.labels.key/value (deprecated) additional.fields
min_voltage	about.labels.key/value (deprecated) additional.fields
max_voltage	about.labels.key/value (deprecated) additional.fields
configured_voltage	about.labels.key/value (deprecated) additional.fields

ntdomains

The following table lists the log fields and corresponding UDM mappings for the schema ntdomains and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	about.labels.key/value (deprecated) additional.fields
client_site_name	about.labels.key/value (deprecated) additional.fields
dc_site_name	about.labels.key/value (deprecated) additional.fields
dns_forest_name	network.dns.questions.name
domain_controller_address	target.ip
domain_controller_name	about.labels.key/value (deprecated) additional.fields
domain_name	target.administrative_domain
status	about.labels.key/value (deprecated) additional.fields

ntfs_acl_permissions

The following table lists the log fields and corresponding UDM mappings for the schema ntfs_acl_permissions and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
path	target.file.full_path
type	about.labels.key/value (deprecated) additional.fields
principal	about.labels.key/value (deprecated) additional.fields
access	about.labels.key/value (deprecated) additional.fields
inherited_from	about.labels.key/value (deprecated) additional.fields

os_version

The following table lists the log fields and corresponding UDM mappings for the schema os_version and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	about.labels.key/value (deprecated) additional.fields
version	principal.platform_version
major	about.labels.key/value (deprecated) additional.fields
minor	about.labels.key/value (deprecated) additional.fields
patch	principal.platform_patch_level
build	about.labels.key/value (deprecated) additional.fields
platform	principal.platform
platform_like	about.labels.key/value (deprecated) additional.fields
codename	about.labels.key/value (deprecated) additional.fields
arch	about.labels.key/value (deprecated) additional.fields
install_date	about.labels.key/value (deprecated) additional.fields
pid_with_namespace	about.labels.key/value (deprecated) additional.fields
mount_namespace_id	about.labels.key/value (deprecated) additional.fields

osquery_events

The following table lists the log fields and corresponding UDM mappings for the schema osquery_events and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	target.resource.name
publisher	about.label.key/value
type	about.label.key/value
subscriptions	about.label.key/value
events	about.label.key/value
refreshes	about.label.key/value
active	about.label.key/value

patches

The following table lists the log fields and corresponding UDM mappings for the schema patches and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
csname	target.hostname
hotfix_id	about.labels.key/value (deprecated) additional.fields
caption	about.labels.key/value (deprecated) additional.fields
description	metadata.description
fix_comments	about.labels.key/value (deprecated) additional.fields
installed_by	about.labels.key/value (deprecated) additional.fields
install_date	about.labels.key/value (deprecated) additional.fields
installed_on	about.labels.key/value (deprecated) additional.fields

pci_devices

The following table lists the log fields and corresponding UDM mappings for the schema pci_devices and OS Linux, macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
pci_slot	principal.labels.key/value (deprecated) additional.fields
pci_class	principal.labels.key/value (deprecated) additional.fields
driver	principal.labels.key/value (deprecated) additional.fields
vendor	principal.labels.key/value (deprecated) additional.fields
vendor_id	principal.labels.key/value (deprecated) additional.fields
model	principal.asset.hardware.model
model_id	principal.labels.key/value (deprecated) additional.fields
subsystem	principal.labels.key/value (deprecated) additional.fields
express	principal.labels.key/value (deprecated) additional.fields
thunderbolt	principal.labels.key/value (deprecated) additional.fields
removable	principal.labels.key/value (deprecated) additional.fields
pci_class_id	principal.labels.key/value (deprecated) additional.fields
pci_subclass_id	principal.labels.key/value (deprecated) additional.fields
pci_subclass	principal.labels.key/value (deprecated) additional.fields
subsystem_vendor_id	principal.labels.key/value (deprecated) additional.fields
subsystem_vendor	principal.labels.key/value (deprecated) additional.fields
subsystem_model_id	principal.labels.key/value (deprecated) additional.fields
subsystem_model	principal.labels.key/value (deprecated) additional.fields

pipes

The following table lists the log fields and corresponding UDM mappings for the schema pipes and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
pid	target.process.pid
name	target.resource.name
instances	about.labels.key/value (deprecated) additional.fields
max_instances	about.labels.key/value (deprecated) additional.fields
flags	about.labels.key/value (deprecated) additional.fields

powershell_events

The following table lists the log fields and corresponding UDM mappings for the schema powershell_events and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
time	metadata.collected_timestamp
datetime	about.labels.key/value (deprecated) additional.fields
script_block_id	about.labels.key/value (deprecated) additional.fields
script_block_count	about.labels.key/value (deprecated) additional.fields
script_text	about.labels.key/value (deprecated) additional.fields
script_name	about.labels.key/value (deprecated) additional.fields
script_path	target.file.full_path
cosine_similarity	about.labels.key/value (deprecated) additional.fields

process_envs

The following table lists the log fields and corresponding UDM mappings for the schema process_envs and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
pid	target.process.pid
key	about.labels.key
value	about.labels.value

process_events

The following table lists the log fields and corresponding UDM mappings for the schema process_events and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
version	target.platform_version
seq_num	about.labels.key/value (deprecated) additional.fields
global_seq_num	about.labels.key/value (deprecated) additional.fields
pid	target.process.pid
path	target.file.full_path
parent	target.process.parent_process.pid
original_parent	about.labels.key/value (deprecated) additional.fields
cmdline	target.process.command_line
cmdline_count	about.labels.key/value (deprecated) additional.fields
env	about.labels.key/value (deprecated) additional.fields
env_count	about.labels.key/value (deprecated) additional.fields
cwd	about.labels.key/value (deprecated) additional.fields
uid	target.user.userid
euid	about.labels.key/value (deprecated) additional.fields
gid	target.group.product_object_id
egid	about.labels.key/value (deprecated) additional.fields
username	target.user.user_display_name
signing_id	about.labels.key/value (deprecated) additional.fields
team_id	about.labels.key/value (deprecated) additional.fields
cdhash	about.labels.key/value (deprecated) additional.fields
platform_binary	about.labels.key/value (deprecated) additional.fields
exit_code	about.labels.key/value (deprecated) additional.fields
child_pid	about.labels.key/value (deprecated) additional.fields
time	about.labels.key/value (deprecated) additional.fields
event_type	about.labels.key/value (deprecated) additional.fields
eid	about.labels.key/value (deprecated) additional.fields

process_file_events

The following table lists the log fields and corresponding UDM mappings for the schema process_file_events and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
operation	about.labels.key/value (deprecated) additional.fields
pid	target.process.pid
ppid	target.process.parent_process.pid
time	about.labels.key/value (deprecated) additional.fields
executable	about.labels.key/value (deprecated) additional.fields
partial	about.labels.key/value (deprecated) additional.fields
cwd	about.labels.key/value (deprecated) additional.fields
path	target.file.full_path
dest_path	about.labels.key/value (deprecated) additional.fields
uid	target.user.userid
gid	target.group.product_object_id
auid	about.labels.key/value (deprecated) additional.fields
euid	about.labels.key/value (deprecated) additional.fields
egid	about.labels.key/value (deprecated) additional.fields
fsuid	about.labels.key/value (deprecated) additional.fields
fsgid	about.labels.key/value (deprecated) additional.fields
suid	about.labels.key/value (deprecated) additional.fields
sgid	about.labels.key/value (deprecated) additional.fields
uptime	about.labels.key/value (deprecated) additional.fields
eid	metadata.product_log_id

process_open_sockets

The following table lists the log fields and corresponding UDM mappings for the schema process_open_sockets and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
pid	principal.process.pid
fd	about.labels.key/value (deprecated) additional.fields
socket	about.labels.key/value (deprecated) additional.fields
family	about.labels.key/value (deprecated) additional.fields
protocol	about.labels.key/value (deprecated) additional.fields
local_address	principal.ip
remote_address	target.ip
local_port	principal.port
remote_port	target.port
path	target.file.full_path
state	about.labels.key/value (deprecated) additional.fields
net_namespace	about.labels.key/value (deprecated) additional.fields

processes

The following table lists the log fields and corresponding UDM mappings for the schema processes and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
pid	target.process.pid
name	about.labels.key/value (deprecated) additional.fields
path	target.process.file.full_path
cmdline	target.process.command_line
state	target.process.attribute.labels.key/value
cwd	about.labels.key/value (deprecated) additional.fields
root	about.labels.key/value (deprecated) additional.fields
uid	target.user.userid
gid	target.group.product_object_id
euid	about.labels.key/value (deprecated) additional.fields
egid	about.labels.key/value (deprecated) additional.fields
suid	about.labels.key/value (deprecated) additional.fields
sgid	about.labels.key/value (deprecated) additional.fields
on_disk	about.labels.key/value (deprecated) additional.fields
wired_size	about.labels.key/value (deprecated) additional.fields
resident_size	about.labels.key/value (deprecated) additional.fields
total_size	about.labels.key/value (deprecated) additional.fields
user_time	about.labels.key/value (deprecated) additional.fields
system_time	about.labels.key/value (deprecated) additional.fields
disk_bytes_read	about.labels.key/value (deprecated) additional.fields
disk_bytes_written	about.labels.key/value (deprecated) additional.fields
start_time	about.labels.key/value (deprecated) additional.fields
parent	target.process.parent_process.pid
pgroup	about.labels.key/value (deprecated) additional.fields
threads	about.labels.key/value (deprecated) additional.fields
nice	about.labels.key/value (deprecated) additional.fields
elevated_token	about.labels.key/value (deprecated) additional.fields
secure_process	about.labels.key/value (deprecated) additional.fields
protection_type	about.labels.key/value (deprecated) additional.fields
virtual_process	about.labels.key/value (deprecated) additional.fields
elapsed_time	about.labels.key/value (deprecated) additional.fields
handle_count	about.labels.key/value (deprecated) additional.fields
percent_processor_time	about.labels.key/value (deprecated) additional.fields
upid	about.labels.key/value (deprecated) additional.fields
uppid	about.labels.key/value (deprecated) additional.fields
cpu_type	about.labels.key/value (deprecated) additional.fields
cpu_subtype	about.labels.key/value (deprecated) additional.fields

programs

The following table lists the log fields and corresponding UDM mappings for the schema programs and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	target.resource.name
version	target.platform_version
install_location	about.labels.key/value (deprecated) additional.fields
install_source	about.labels.key/value (deprecated) additional.fields
language	about.labels.key/value (deprecated) additional.fields
publisher	about.labels.key/value (deprecated) additional.fields
uninstall_string	target.file.full_path
install_date	about.labels.key/value (deprecated) additional.fields
identifying_number	about.labels.key/value (deprecated) additional.fields

scheduled_tasks

The following table lists the log fields and corresponding UDM mappings for the schema scheduled_tasks and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	target.resource.name
action	security_result.action_details
path	target.file.full_path
enabled	about.labels.key/value (deprecated) additional.fields
state	about.labels.key/value (deprecated) additional.fields
hidden	about.labels.key/value (deprecated) additional.fields
last_run_time	about.labels.key/value (deprecated) additional.fields
next_run_time	about.labels.key/value (deprecated) additional.fields
last_run_message	about.labels.key/value (deprecated) additional.fields
last_run_code	about.labels.key/value (deprecated) additional.fields

seccomp_events

The following table lists the log fields and corresponding UDM mappings for the schema seccomp_events and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
time	about.labels.key/value (deprecated) additional.fields
uptime	about.labels.key/value (deprecated) additional.fields
auid	about.labels.key/value (deprecated) additional.fields
uid	target.user.userid
gid	target.group.product_object_id
ses	about.labels.key/value (deprecated) additional.fields
pid	target.process.pid
comm	about.labels.key/value (deprecated) additional.fields
exe	target.file.full_path
sig	about.labels.key/value (deprecated) additional.fields
arch	about.labels.key/value (deprecated) additional.fields
syscall	about.labels.key/value (deprecated) additional.fields
compat	about.labels.key/value (deprecated) additional.fields
ip	about.labels.key/value (deprecated) additional.fields
code	about.labels.key/value (deprecated) additional.fields

seLinux_events

The following table lists the log fields and corresponding UDM mappings for the schema seLinux_events and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
type	about.labels.key/value (deprecated) additional.fields
message	metadata.description
time	about.labels.key/value (deprecated) additional.fields
uptime	about.labels.key/value (deprecated) additional.fields
eid	metadata.product_log_id

shadow

The following table lists the log fields and corresponding UDM mappings for the schema shadow and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
password_status	about.labels.key/value (deprecated) additional.fields
hash_alg	about.labels.key/value (deprecated) additional.fields
last_change	about.labels.key/value (deprecated) additional.fields
min	about.labels.key/value (deprecated) additional.fields
max	about.labels.key/value (deprecated) additional.fields
warning	about.labels.key/value (deprecated) additional.fields
inactive	about.labels.key/value (deprecated) additional.fields
expire	about.labels.key/value (deprecated) additional.fields
flag	about.labels.key/value (deprecated) additional.fields
username	principal.user.user_display_name

shell_history

The following table lists the log fields and corresponding UDM mappings for the schema shell_history and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
uid	principal.user.userid
time	about.labels.key/value (deprecated) additional.fields
command	principal.process.command_line
history_file	principal.process.file.full_path

shimcache

The following table lists the log fields and corresponding UDM mappings for the schema shimcache and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
entry	about.labels.key/value (deprecated) additional.fields
path	target.file.full_path
modified_time	target.file.last_modification_time
execution_flag	about.labels.key/value (deprecated) additional.fields

signature

The following table lists the log fields and corresponding UDM mappings for the schema signature and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
path	target.file.full_path
hash_resources	about.labels.key/value (deprecated) additional.fields
arch	about.labels.key/value (deprecated) additional.fields
signed	target.file.pe_file.signature_info.verified
identifier	target.file.pe_file.signature_info.signer
cdhash	about.labels.key/value (deprecated) additional.fields
team_identifier	about.labels.key/value (deprecated) additional.fields
authority	about.labels.key/value (deprecated) additional.fields

sip_config

The following table lists the log fields and corresponding UDM mappings for the schema sip_config and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
config_flag	about.labels.key/value (deprecated) additional.fields
enabled	about.labels.key/value (deprecated) additional.fields
enabled_nvram	about.labels.key/value (deprecated) additional.fields

socket_events

The following table lists the log fields and corresponding UDM mappings for the schema socket_events and OS Linux, macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
action	security_result.action_details
pid	target.process.pid
path	target.process.file.full_path
fd	about.labels.key/value (deprecated) additional.fields
auid	target.user.userid
status	about.labels.key/value (deprecated) additional.fields
family	about.labels.key/value (deprecated) additional.fields
protocol	about.labels.key/value (deprecated) additional.fields
local_address	principal.ip
remote_address	target.ip
local_port	principal.port
remote_port	target.port
socket	about.labels.key/value (deprecated) additional.fields
time	about.labels.key/value (deprecated) additional.fields
uptime	about.labels.key/value (deprecated) additional.fields
eid	metadata.product_log_id
success	about.labels.key/value (deprecated) additional.fields

sudoers

The following table lists the log fields and corresponding UDM mappings for the schema sudoers and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
source	about.labels.key/value (deprecated) additional.fields
header	about.labels.key/value (deprecated) additional.fields
rule_details	about.labels.key/value (deprecated) additional.fields

syslog_events

The following table lists the log fields and corresponding UDM mappings for the schema syslog_events and OS Linux:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
time	about.labels.key/value (deprecated) additional.fields
datetime	about.labels.key/value (deprecated) additional.fields
host	target.hostname
severity	security_result.severity (enum)
facility	about.labels.key/value (deprecated) additional.fields
tag	about.labels.key/value (deprecated) additional.fields
message	about.labels.key/value (deprecated) additional.fields
eid	metadata.product_log_id

system_info

The following table lists the log fields and corresponding UDM mappings for the schema system_info and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
hostname	principal.administrative_domain
uuid	about.labels.key/value (deprecated) additional.fields
cpu_type	about.labels.key/value (deprecated) additional.fields
cpu_subtype	about.labels.key/value (deprecated) additional.fields
cpu_brand	about.labels.key/value (deprecated) additional.fields
cpu_physical_cores	about.labels.key/value (deprecated) additional.fields
cpu_logical_cores	principal.asset.hardware.cpu_number_cores
cpu_microcode	about.labels.key/value (deprecated) additional.fields
physical_memory	about.labels.key/value (deprecated) additional.fields
hardware_vendor	about.labels.key/value (deprecated) additional.fields
hardware_model	principal.asset.hardware.model
hardware_version	about.labels.key/value (deprecated) additional.fields
hardware_serial	principal.asset.hardware.serial_number
board_vendor	about.labels.key/value (deprecated) additional.fields
board_model	about.labels.key/value (deprecated) additional.fields
board_version	about.labels.key/value (deprecated) additional.fields
board_serial	about.labels.key/value (deprecated) additional.fields
computer_name	about.labels.key/value (deprecated) additional.fields
local_hostname	about.labels.key/value (deprecated) additional.fields

tpm_info

The following table lists the log fields and corresponding UDM mappings for the schema tpm_info and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
activated	about.labels.key/value (deprecated) additional.fields
enabled	about.labels.key/value (deprecated) additional.fields
owned	about.labels.key/value (deprecated) additional.fields
manufacturer_version	about.labels.key/value (deprecated) additional.fields
manufacturer_id	about.labels.key/value (deprecated) additional.fields
manufacturer_name	principal.aseet.hardware.manufacturer
product_name	principal.resource.name
physical_presence_version	about.labels.key/value (deprecated) additional.fields
spec_version	about.labels.key/value (deprecated) additional.fields

usb_devices

The following table lists the log fields and corresponding UDM mappings for the schema usb_devices and OS Linux, macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
usb_address	about.labels.key/value (deprecated) additional.fields
usb_port	about.labels.key/value (deprecated) additional.fields
vendor	about.labels.key/value (deprecated) additional.fields
vendor_id	about.labels.key/value (deprecated) additional.fields
version	about.labels.key/value (deprecated) additional.fields
model	target.asset.hardware.model
model_id	about.labels.key/value (deprecated) additional.fields
serial	target.asset.hardware.serial_number
class	about.labels.key/value (deprecated) additional.fields
subclass	about.labels.key/value (deprecated) additional.fields
protocol	about.labels.key/value (deprecated) additional.fields
removable	about.labels.key/value (deprecated) additional.fields

user_events

The following table lists the log fields and corresponding UDM mappings for the schema user_events and OS Linux, macOS, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
uid	principal.user.userid
auid	principal.user.attribute.labels.key/value
pid	target.process.pid
message	metadata.description
type	about.labels.key/value (deprecated) additional.fields
path	target.file.full_path
address	about.labels.key/value (deprecated) additional.fields
terminal	about.labels.key/value (deprecated) additional.fields
time	metadata.collected_timestamp
uptime	about.labels.key/value (deprecated) additional.fields
eid	metadata.product_log_id

user_groups

The following table lists the log fields and corresponding UDM mappings for the schema user_groups and OS Linux, macOS, Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
uid	principal.user.userid
gid	principal.group.product_object_id

users

The following table lists the log fields and corresponding UDM mappings for the schema users and OS macOS, Linux, Windows, freebsd:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
uid	principal.user.userid
gid	principal.user.group_identifiers(repeated)
uid_signed	about.labels.key/value (deprecated) additional.fields
gid_signed	about.labels.key/value (deprecated) additional.fields
username	principal.user.user_display_name
description	about.labels.key/value (deprecated) additional.fields
directory	about.labels.key/value (deprecated) additional.fields
shell	about.labels.key/value (deprecated) additional.fields
uuid	principal.user.product_object_id
type	about.labels.key/value (deprecated) additional.fields
is_hidden	about.labels.key/value (deprecated) additional.fields
pid_with_namespace	about.labels.key/value (deprecated) additional.fields

wifi_networks

The following table lists the log fields and corresponding UDM mappings for the schema wifi_networks and OS macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
ssid	target.labels.key/value (deprecated) additional.fields
network_name	target.labels.key/value (deprecated) additional.fields
security_type	target.labels.key/value (deprecated) additional.fields
last_connected	about.labels.key/value (deprecated) additional.fields
passpoint	about.labels.key/value (deprecated) additional.fields
possibly_hidden	about.labels.key/value (deprecated) additional.fields
roaming	about.labels.key/value (deprecated) additional.fields
roaming_profile	about.labels.key/value (deprecated) additional.fields
captive_portal	about.labels.key/value (deprecated) additional.fields
auto_login	target.labels.key/value (deprecated) additional.fields
temporarily_disabled	target.labels.key/value (deprecated) additional.fields
disabled	target.labels.key/value (deprecated) additional.fields

windows_crashes

The following table lists the log fields and corresponding UDM mappings for the schema Windows_crashes and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
datetime	about.labels.key/value (deprecated) additional.fields
module	about.labels.key/value (deprecated) additional.fields
path	target.process.file.full_path
pid	target.process.pid
tid	about.labels.key/value (deprecated) additional.fields
version	about.labels.key/value (deprecated) additional.fields
process_uptime	about.labels.key/value (deprecated) additional.fields
stack_trace	about.labels.key/value (deprecated) additional.fields
exception_code	about.labels.key/value (deprecated) additional.fields
exception_message	about.labels.key/value (deprecated) additional.fields
exception_address	about.labels.key/value (deprecated) additional.fields
registers	about.labels.key/value (deprecated) additional.fields
command_line	target.process.command_line
current_directory	about.labels.key/value (deprecated) additional.fields
username	target.user.user_display_name
machine_name	about.labels.key/value (deprecated) additional.fields
major_version	about.labels.key/value (deprecated) additional.fields
minor_version	about.labels.key/value (deprecated) additional.fields
build_number	target.platform_version
type	about.labels.key/value (deprecated) additional.fields
crash_path	about.labels.key/value (deprecated) additional.fields

windows_eventlog

The Windows Event (WINEVTLOG) parser maps these events. See Collect Microsoft Windows Event data for more information."

windows_events

The Windows Event (WINEVTLOG) parser maps these events. See Collect Microsoft Windows Event data for more information.

windows_firewall_rules

The following table lists the log fields and corresponding UDM mappings for the schema Windows_firewall_rules and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
name	about.labels.key/value (deprecated) additional.fields
app_name	target.application
action	security_result.action (enum)
enabled	about.labels.key/value (deprecated) additional.fields
grouping	about.labels.key/value (deprecated) additional.fields
direction	network.direction
protocol	network.ip_protocol
local_addresses	principal.ip
remote_addresses	target.ip
local_ports	principal.port
remote_ports	target.port
icmp_types_codes	about.labels.key/value (deprecated) additional.fields
profile_domain	about.labels.key/value (deprecated) additional.fields
profile_private	about.labels.key/value (deprecated) additional.fields
profile_public	about.labels.key/value (deprecated) additional.fields
service_name	about.labels.key/value (deprecated) additional.fields

windows_security_center

The following table lists the log fields and corresponding UDM mappings for the schema Windows_security_center and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
firewall	security_result.detection_fields.key/value
autoupdate	security_result.detection_fields.key/value
antivirus	security_result.detection_fields.key/value
antispyware	security_result.detection_fields.key/value
internet_settings	security_result.detection_fields.key/value
Windows_security_center_service	security_result.detection_fields.key/value
user_account_control	security_result.detection_fields.key/value

windows_security_products

The following table lists the log fields and corresponding UDM mappings for the schema Windows_security_products and OS Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
type	about.labels.key/value (deprecated) additional.fields
name	target.resource.name
state	about.labels.key/value (deprecated) additional.fields
state_timestamp	about.labels.key/value (deprecated) additional.fields
remediation_path	about.labels.key/value (deprecated) additional.fields
signatures_up_to_date	about.labels.key/value (deprecated) additional.fields

wmi_bios_info

The following table lists the log fields and corresponding UDM mappings for the schema wmi_bios_info and OS Windows:

Log field

UDM mapping

metadata.event_type is mapped to SETTING_MODIFICATION

name

about.labels.key/value (deprecated)

additional.fields

value

about.labels.key/value (deprecated)

additional.fields

yara

The following table lists the log fields and corresponding UDM mappings for the schema yara and OS Linux, macOS, freebsd, Windows:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
path	target.file.full_path
matches	about.labels.key/value (deprecated) additional.fields
count	about.labels.key/value (deprecated) additional.fields
sig_group	security_result.detection_fields.key/value
sigfile	security_result.detection_fields.key/value
sigrule	security_result.detection_fields.key/value
strings	about.labels.key/value (deprecated) additional.fields
tags	about.labels.key/value (deprecated) additional.fields
sigurl	security_result.detection_fields.key/value

yara_events

The following table lists the log fields and corresponding UDM mappings for the schema yara_events and OS Linux, macOS:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION
target_path	target.file.full_path
category	about.labels.key/value (deprecated) additional.fields
action	security_result.action_details
transaction_id	security_result.detection_fields.key/value
matches	about.labels.key/value (deprecated) additional.fields
count	about.labels.key/value (deprecated) additional.fields
strings	about.labels.key/value (deprecated) additional.fields
tags	about.labels.key/value (deprecated) additional.fields
time	about.labels.key/value (deprecated) additional.fields
eid	metadata.product_log_id