Collect Jamf Protect telemetry logs
This document describes how to set up a Google Security Operations feed to collect Jamf Protect telemetry logs, and how the log fields map to Google Security Operations Unified Data Model (UDM) fields. It also lists the supported Jamf Protect telemetry versions.
For more information, see Data ingestion to Google Security Operations.
A typical deployment consists of Jamf Protect telemetry and a Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment can differ and might be more complex.
The deployment includes the following components:
- Jamf Protect telemetry platform, which collects Jamf Protect telemetry logs.
- Google Security Operations feed, which fetches logs from Jamf Protect telemetry and writes them to Google Security Operations.
- Google Security Operations, which retains and analyzes the logs from Jamf Protect telemetry.
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the JAMF_TELEMETRY ingestion label.
Before you begin
Ensure that the following prerequisites are met:
- Jamf Protect telemetry is set up.
- Jamf Protect version 4.0.0 or later.
- All systems in the deployment architecture are configured with the UTC time zone.
Set up feeds from SIEM Settings > Feeds
You can set up an ingestion feed in Google Security Operations using either Amazon S3 V2 or Webhook.
Set up an ingestion feed in Google SecOps using Amazon S3 V2
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click the JAMF feed pack.
- Locate the Jamf Protect Telemetry log type.
- Select Amazon S3 V2 as the Source type.
- Specify values for the following fields:
  - S3 URI: The bucket URI, in the form s3://your-log-bucket-name/. Replace your-log-bucket-name with the actual name of your S3 bucket.
  - Source deletion option: Select the deletion option according to your ingestion preference.
  - Maximum File Age: Include files modified in the last number of days. The default is 180 days.
  - Access Key ID: The access key of a user with permission to read from the S3 bucket.
  - Secret Access Key: The secret key of the user with permission to read from the S3 bucket.
  - Advanced options:
    - Feed name: A prepopulated value that identifies the feed.
    - Asset namespace: The namespace associated with the feed.
    - Ingestion labels: Labels applied to all events from this feed.
- Click Create feed.
Set up an ingestion feed in Google SecOps using Webhook
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click the JAMF feed pack.
- Locate the Jamf Protect Telemetry log type.
- Select Webhook from the Source type list.
- Specify values for the following fields:
  - Split delimiter: The delimiter used to separate log lines, such as \n.
  - Asset namespace: The asset namespace.
  - Ingestion labels: The labels to apply to events from this feed.
- Click Create feed.
To configure multiple feeds for different log types within this product family, see Configure feeds by product.
Create an API key for the webhook feed
- Go to Google Cloud console > Credentials.
- Click Create credentials, and then select API key.
- Restrict the API key access to the Google Security Operations API.
Set up Jamf Protect telemetry for the webhook feed
- In the Jamf Protect telemetry application, go to the relevant action configuration.
- To add a new data endpoint, click Create action.
- Select HTTP as the protocol.
- In the URL field, enter the HTTPS URL of the Google Security Operations API endpoint. (This is the Endpoint information field that you copied when you set up the webhook feed. It is already in the required format.)
- Enable authentication by specifying the API key and secret key as custom headers in the following format:
  - X-goog-api-key = API_KEY
  - X-Webhook-Access-Key = SECRET
  - Recommendation: Specify the API key as a header rather than in the URL. If your webhook client does not support custom headers, you can specify the API key and secret key as query parameters in the following format: ENDPOINT_URL?key=API_KEY&secret=SECRET
  - Replace the following:
    - ENDPOINT_URL: The feed endpoint URL.
    - API_KEY: The API key to authenticate to Google Security Operations.
    - SECRET: The secret key that you generated to authenticate the feed.
- In the Log collection section, select Telemetry.
- Click Submit.
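The HTTP action configured above, shown as an added Python example (not code from Jamf or Google): it builds the request a webhook client sends to the feed endpoint, carrying the credentials in the two custom headers (the recommended form) or, for clients that cannot set headers, in the query string, and serializes events one per line to match a feed whose split delimiter is \n. ENDPOINT_URL, API_KEY and SECRET are placeholders for the values from the feed's Endpoint information and the API key and secret you created; SAMPLE_EVENT is constructed data.

```python
"""Send Jamf Protect telemetry events to a Google SecOps webhook feed.

Added example (not Jamf's or Google's code). ENDPOINT_URL, API_KEY and
SECRET are placeholders for the values from the feed's Endpoint information
and the API key / secret you created; SAMPLE_EVENT is constructed data.
"""
import json
import urllib.parse
import urllib.request

ENDPOINT_URL = "https://example.invalid/v1/feeds/placeholder/events"  # placeholder
API_KEY = "API_KEY"     # placeholder
SECRET = "SECRET"       # placeholder
SPLIT_DELIMITER = "\n"  # must match the feed's Split delimiter setting

# Constructed sample event in the shape Jamf Protect telemetry emits.
SAMPLE_EVENT = {
    "header": {"time_seconds_epoch": 1657906179, "event_id": 45018, "event_name": "AUE_add_to_group"},
    "host_info": {"host_name": "Test_MacBook_Pro"},
    "subject": {"user_name": "jamf", "process_id": 1701},
    "texts": ["Added Groups membership username to '_lpadmin'"],
}


def build_auth(endpoint, api_key, secret, use_headers=True):
    """Return (url, headers) carrying the feed credentials.

    Headers are the recommended form. The query-string form exists only for
    clients that cannot set custom headers: the key and secret then travel in
    the URL, which proxies and web servers record in their access logs.
    """
    headers = {"Content-Type": "application/json"}
    if use_headers:
        headers["X-goog-api-key"] = api_key
        headers["X-Webhook-Access-Key"] = secret
        return endpoint, headers
    query = urllib.parse.urlencode({"key": api_key, "secret": secret})
    return f"{endpoint}?{query}", headers


def encode_body(events, delimiter=SPLIT_DELIMITER):
    """Serialize events one per line so the feed can split them on the delimiter.

    Compact separators keep each event on one line, and json.dumps escapes any
    newline inside a string value, so the delimiter is never ambiguous.
    """
    return delimiter.join(json.dumps(e, separators=(",", ":")) for e in events).encode()


def split_body(body, delimiter=SPLIT_DELIMITER):
    """Mirror of what the feed does on receipt: split on the delimiter, parse each chunk."""
    return [json.loads(chunk) for chunk in body.decode().split(delimiter) if chunk]


def send_events(events, endpoint=ENDPOINT_URL, api_key=API_KEY, secret=SECRET,
                use_headers=True, timeout=10):
    """POST the events to the feed endpoint and return the HTTP status code."""
    url, headers = build_auth(endpoint, api_key, secret, use_headers)
    req = urllib.request.Request(url, data=encode_body(events), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    print(send_events([SAMPLE_EVENT]))
```

Run it with real values to confirm the feed accepts a hand-built event before pointing Jamf Protect at it; if the body is not split into one event per line, the feed's split delimiter and the delimiter used here do not match.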
For more information about Google Security Operations feeds, see the Google Security Operations feeds documentation. For the requirements of each feed type, see Feed configuration by type.
If you encounter issues when creating feeds, contact Google Security Operations support.
Supported Jamf Protect telemetry log types
The Jamf Protect telemetry parser supports the following log types (event identifiers):
- AUE_add_to_group
- AUE_AUDITCTL
- AUE_AUDITON_SPOLICY
- AUE_AUTH_USER
- AUE_BIND
- AUE_BIOS_FIRMWARE_VERSIONS
- AUE_CHDIR
- AUE_CHROOT
- AUE_CONNECT
- AUE_create_group
- AUE_delete_group
- AUE_create_user
- AUE_delete_user
- AUE_EXECVE
- AUE_EXIT
- AUE_FORK
- AUE_GETAUID
- AUE_KILL
- AUE_LISTEN
- AUE_LOGOUT
- AUE_LW_LOGIN
- AUE_MAC_SET_PROC
- AUE_modify_group
- AUE_modify_password
- AUE_modify_user
- AUE_MOUNT
- AUE_openssh
- AUE_PIDFORTASK
- AUE_POSIX_SPAWN
- AUE_REMOVE_FROM_GROUP
- AUE_SESSION_CLOSE
- AUE_SESSION_END
- AUE_SESSION_START
- AUE_SESSION_UPDATE
- AUE_SETPRIORITY
- AUE_SETSOCKOPT
- AUE_SETTIMEOFDAY
- AUE_SHUTDOWN
- AUE_SOCKETPAIR
- AUE_SSAUTHINT
- AUE_SSAUTHMECH
- AUE_SSAUTHORIZE
- AUE_TASKFORPID
- AUE_TASKNAMEFORPID
- AUE_UNMOUNT
- AUE_WAIT4
- PLAINTEXT_LOG_COLLECTION_EVENT
- SYSTEM_PERFORMANCE_METRICS
Supported Jamf Protect telemetry log formats
The Jamf Protect telemetry parser supports logs in JSON format.
Supported Jamf Protect telemetry sample logs
- JSON:

```json
{
  "exec_chain": {
    "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E"
  },
  "exec_chain_child": {
    "parent_path": "/sbin/launchd",
    "parent_pid": 1,
    "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02"
  },
  "header": {
    "time_seconds_epoch": 1657906179,
    "time_milliseconds_offset": 848,
    "version": 11,
    "event_modifier": 0,
    "event_id": 45018,
    "event_name": "AUE_add_to_group"
  },
  "host_info": {
    "serial_number": "C03WG0H4HDTS",
    "host_name": "Test_MacBook_Pro",
    "osversion": "Version 12.4 (Build 21F79)",
    "host_uuid": "8891C1E2-0AC0-4E4A-844B-EA491B14D115"
  },
  "identity": {
    "signer_id": "dummy.domain.opendirectoryd",
    "team_id_truncated": false,
    "signer_id_truncated": false,
    "cd_hash": "68d22bdec020f20010bfa9d27cd5f69d78427636",
    "team_id": "",
    "signer_type": 1
  },
  "key": "21E48D3B-4965-4072-81BF-83BE04A329C2",
  "return": {
    "error": 0,
    "description": "success",
    "return_value": 0
  },
  "subject": {
    "session_id": 100003,
    "group_id": 20,
    "process_name": "/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice",
    "parent_pid": 1,
    "effective_user_name": "jamf",
    "user_id": 501,
    "group_name": "staff",
    "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02",
    "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E",
    "effective_group_id": 20,
    "process_hash": "507494616e05a5eb909794354fe69f29e432f2a7",
    "audit_id": 501,
    "responsible_process_id": 1391,
    "parent_path": "/sbin/launchd",
    "process_id": 1701,
    "effective_group_name": "staff",
    "audit_user_name": "jamf",
    "effective_user_id": 501,
    "terminal_id": {
      "type": 4,
      "ip_address": "198.51.100.0",
      "port": 4278
    },
    "responsible_process_name": "/System/Applications/System Preferences.app/Contents/MacOS/System Preferences",
    "user_name": "jamf"
  },
  "texts": [
    "Added Groups membership username to '_lpadmin' node '/Local/Default', value = 'baddie'"
  ]
}
```
Field mapping reference
This section describes how the Google Security Operations parser maps Jamf Protect telemetry fields to Google Security Operations Unified Data Model (UDM) fields.
Field mapping reference: Event Identifier to Event Type
The following table lists the JAMF_TELEMETRY log types and their corresponding UDM event types.
| Event Identifier | Event Type | 
|---|---|
| AUE_add_to_group | GROUP_MODIFICATION | 
| AUE_AUDITCTL | RESOURCE_READ | 
| AUE_AUDITON_SPOLICY | RESOURCE_READ | 
| AUE_AUTH_USER | USER_LOGIN | 
| AUE_BIND | NETWORK_CONNECTION | 
| AUE_BIOS_FIRMWARE_VERSIONS | USER_RESOURCE_ACCESS | 
| AUE_CHDIR | USER_RESOURCE_ACCESS | 
| AUE_CHROOT | USER_RESOURCE_ACCESS | 
| AUE_CONNECT | NETWORK_CONNECTION | 
| AUE_create_group | GROUP_CREATION | 
| AUE_delete_group | GROUP_DELETION | 
| AUE_create_user | USER_CREATION | 
| AUE_delete_user | USER_DELETION | 
| AUE_EXECVE | PROCESS_LAUNCH | 
| AUE_EXIT | PROCESS_TERMINATION | 
| AUE_FORK | PROCESS_LAUNCH | 
| AUE_GETAUID | SCHEDULED_TASK_CREATION | 
| AUE_KILL | PROCESS_TERMINATION | 
| AUE_LISTEN | NETWORK_CONNECTION | 
| AUE_LOGOUT | USER_LOGOUT | 
| AUE_LW_LOGIN | USER_LOGIN | 
| AUE_MAC_SET_PROC | PROCESS_UNCATEGORIZED | 
| AUE_modify_group | GROUP_MODIFICATION | 
| AUE_modify_password | USER_CHANGE_PASSWORD | 
| AUE_modify_user | USER_UNCATEGORIZED | 
| AUE_MOUNT | RESOURCE_READ | 
| AUE_openssh | USER_LOGIN | 
| AUE_PIDFORTASK | PROCESS_LAUNCH | 
| AUE_POSIX_SPAWN | PROCESS_LAUNCH | 
| AUE_REMOVE_FROM_GROUP | GROUP_MODIFICATION | 
| AUE_SESSION_CLOSE | USER_LOGOUT | 
| AUE_SESSION_END | USER_LOGOUT | 
| AUE_SESSION_START | USER_LOGIN | 
| AUE_SESSION_UPDATE | USER_UNCATEGORIZED | 
| AUE_SETPRIORITY | SETTING_MODIFICATION | 
| AUE_SETSOCKOPT | NETWORK_CONNECTION | 
| AUE_SETTIMEOFDAY | SETTING_MODIFICATION | 
| AUE_SHUTDOWN | STATUS_SHUTDOWN | 
| AUE_SOCKETPAIR | NETWORK_CONNECTION | 
| AUE_SSAUTHINT | USER_LOGIN | 
| AUE_SSAUTHMECH | USER_LOGIN | 
| AUE_SSAUTHORIZE | USER_LOGIN | 
| AUE_TASKFORPID | PROCESS_INJECTION | 
| AUE_TASKNAMEFORPID | PROCESS_INJECTION | 
| AUE_UNMOUNT | RESOURCE_READ | 
| AUE_WAIT4 | PROCESS_UNCATEGORIZED | 
| PLAINTEXT_LOG_COLLECTION_EVENT | GENERIC_EVENT | 
| SYSTEM_PERFORMANCE_METRICS | GENERIC_EVENT | 
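To make the mapping concrete, here is an added Python example, not the Google SecOps parser itself: it applies the event type table above and the field logic from the JAMF_TELEMETRY mapping table that follows (the event_name-event_id and error-description compositions, the responsible-process versus audited-process split, the terminal_id.type rendering, texts[0] as the description) to the page's sample log, so you can see what a raw event should look like after ingestion. EVENT_TYPES holds only a subset of the table, and the rule that moves subject.user_name, user_id and group_id from principal to target depends on an event-name list the page does not reproduce, so the example applies that rule's default branch; both are assumptions.

```python
"""Normalize a Jamf Protect telemetry event into UDM-shaped fields.

Added example (not the Google SecOps parser). Re-implements the documented
mapping rules for the fields present in the page's sample log. Assumptions:
EVENT_TYPES is a subset of the event identifier table, and the user/group
rule keyed on an event-name list not reproduced on the page is applied in
its default ("else") form.
"""
import json
from datetime import datetime, timezone

# Subset of the "Event Identifier -> Event Type" table above (assumption: extend as needed).
EVENT_TYPES = {
    "AUE_add_to_group": "GROUP_MODIFICATION", "AUE_REMOVE_FROM_GROUP": "GROUP_MODIFICATION",
    "AUE_create_user": "USER_CREATION", "AUE_delete_user": "USER_DELETION",
    "AUE_AUTH_USER": "USER_LOGIN", "AUE_openssh": "USER_LOGIN", "AUE_LOGOUT": "USER_LOGOUT",
    "AUE_EXECVE": "PROCESS_LAUNCH", "AUE_POSIX_SPAWN": "PROCESS_LAUNCH",
    "AUE_EXIT": "PROCESS_TERMINATION", "AUE_TASKFORPID": "PROCESS_INJECTION",
    "AUE_CONNECT": "NETWORK_CONNECTION", "AUE_BIND": "NETWORK_CONNECTION",
    "PLAINTEXT_LOG_COLLECTION_EVENT": "GENERIC_EVENT", "SYSTEM_PERFORMANCE_METRICS": "GENERIC_EVENT",
}
TERMINAL_TYPES = {4: "4-IPv4", 6: "6-IPv6"}  # subject.terminal_id.type rendering

# The page's sample log, trimmed to the fields this example maps.
SAMPLE = {
    "header": {"time_seconds_epoch": 1657906179, "event_id": 45018, "event_name": "AUE_add_to_group"},
    "host_info": {"serial_number": "C03WG0H4HDTS", "host_name": "Test_MacBook_Pro",
                  "osversion": "Version 12.4 (Build 21F79)",
                  "host_uuid": "8891C1E2-0AC0-4E4A-844B-EA491B14D115"},
    "return": {"error": 0, "description": "success", "return_value": 0},
    "subject": {"user_id": 501, "user_name": "jamf", "group_id": 20,
                "effective_user_id": 501, "effective_user_name": "jamf", "effective_group_id": 20,
                "process_id": 1701,
                "process_name": "/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices"
                                "/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS"
                                "/com.apple.preferences.users.remoteservice",
                "process_hash": "507494616e05a5eb909794354fe69f29e432f2a7",
                "responsible_process_id": 1391,
                "responsible_process_name": "/System/Applications/System Preferences.app/Contents/MacOS/System Preferences",
                "terminal_id": {"type": 4, "ip_address": "198.51.100.0", "port": 4278}},
    "texts": ["Added Groups membership username to '_lpadmin' node '/Local/Default', value = 'baddie'"],
}


def join_present(*parts, sep="-"):
    """'a-b' when both values are present, otherwise whichever one is, else None."""
    present = [str(p) for p in parts if p not in (None, "")]
    return sep.join(present) if present else None


def to_udm(event):
    """Map one raw JAMF_TELEMETRY event to a nested dict of UDM field paths."""
    header, host = event.get("header", {}), event.get("host_info", {})
    subject, ret = event.get("subject", {}), event.get("return", {})
    term = subject.get("terminal_id", {})
    name = header.get("event_name")
    texts = event.get("texts") or []
    udm = {
        "metadata": {
            "vendor_name": "JAMF",
            "product_name": "JAMF_TELEMETRY",
            "event_type": EVENT_TYPES.get(name),
            # event_name-event_id when both are present, else whichever exists.
            "product_event_type": join_present(name, header.get("event_id")),
            "event_timestamp": datetime.fromtimestamp(header["time_seconds_epoch"], tz=timezone.utc).isoformat(),
            # texts[0] is the description; later entries become about.labels.
            "description": texts[0] if texts else None,
        },
        "principal": {
            "hostname": host.get("host_name"),
            "asset": {"hardware": {"serial_number": host.get("serial_number")},
                      "software": {"version": host.get("osversion")},
                      "product_object_id": host.get("host_uuid")},
            "ip": term.get("ip_address"),
            "port": term.get("port"),
            # Default branch: subject.* is the acting user (principal) and
            # subject.effective_* the target (assumption, see docstring).
            "user": {"userid": subject.get("user_id"), "user_display_name": subject.get("user_name"),
                     "group_identifiers": subject.get("group_id")},
            "process": {"file": {"sha1": subject.get("process_hash")}},
        },
        "target": {"user": {"userid": subject.get("effective_user_id"),
                            "user_display_name": subject.get("effective_user_name"),
                            "group_identifiers": subject.get("effective_group_id")}},
        # return.error-return.description, same composition rule as product_event_type.
        "security_result": {"description": join_present(ret.get("error"), ret.get("description"))},
        "additional": {"fields": {}},
    }
    # The responsible process (the app the user drove) is the principal process;
    # the audited process then becomes a process_ancestors entry.
    proc, ancestor = udm["principal"]["process"], {}
    if subject.get("responsible_process_id") not in (None, ""):
        proc["pid"], ancestor["pid"] = subject["responsible_process_id"], subject.get("process_id")
    else:
        proc["pid"] = subject.get("process_id")
    if subject.get("responsible_process_name"):
        proc["file"]["full_path"] = subject["responsible_process_name"]
        ancestor["file"] = {"full_path": subject.get("process_name")}
    else:
        proc["file"]["full_path"] = subject.get("process_name")
    if ancestor:
        udm["principal"]["process_ancestors"] = [ancestor]
    if term.get("type") is not None:
        udm["additional"]["fields"]["subject_terminal_id_type"] = TERMINAL_TYPES.get(term["type"], str(term["type"]))
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE), indent=2))
```

The responsible-process split matters when writing detections: for the sample event the process you will see as principal.process is System Preferences (pid 1391), while the XPC helper that actually performed the group change is only in process_ancestors, so a rule keyed on principal.process.file.full_path alone would miss it.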
Field mapping reference: JAMF_TELEMETRY
The following table lists the log fields of the JAMF_TELEMETRY log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
|  | metadata.event_type | |
|  | metadata.product_name | The metadata.product_name UDM field is set to JAMF_TELEMETRY. | 
|  | metadata.vendor_name | The metadata.vendor_name UDM field is set to JAMF. | 
| header.time_seconds_epoch | metadata.event_timestamp | |
| header.time_milliseconds_offset | about.labels[time_milliseconds_offset](deprecated) | |
| header.time_milliseconds_offset | additional.fields[time_milliseconds_offset] | |
| header.version | about.labels[header_version](deprecated) | |
| header.version | additional.fields[header_version] | |
| header.event_modifier | about.labels[event_modifier](deprecated) | |
| header.event_modifier | additional.fields[event_modifier] | |
| header.event_uuid | metadata.product_log_id | |
| header.event_name, header.event_id | metadata.product_event_type | If the header.event_name and header.event_id log field values are not empty, then the header.event_name-header.event_id log fields are mapped to the metadata.product_event_type UDM field. Else, if the header.event_name log field value is not empty, then the header.event_name log field is mapped to the metadata.product_event_type UDM field. Else, if the header.event_id log field value is not empty, then the header.event_id log field is mapped to the metadata.product_event_type UDM field. | 
| exec_chain.thread_uuid | principal.labels[exec_chain_thread_uuid](deprecated) | |
| exec_chain.thread_uuid | additional.fields[exec_chain_thread_uuid] | |
| exec_chain.uuid | principal.labels[exec_chain_uuid](deprecated) | |
| exec_chain.uuid | additional.fields[exec_chain_uuid] | |
| exec_chain_child.parent_path | principal.process.parent_process.file.full_path | |
| exec_chain_child.parent_pid | principal.process.parent_process.pid | |
| exec_chain_child.parent_uuid, subject.parent | principal.labels[exec_chain_child_parent_uuid] (deprecated) | |
| exec_chain_child.parent_uuid | additional.fields[exec_chain_child_parent_uuid] | |
| host_info.serial_number | principal.asset.hardware.serial_number | |
| host_info.host_name | principal.hostname | |
| host_info.osversion | principal.asset.software.version | |
| host_info.host_uuid | principal.asset.product_object_id | |
| host_info.primary_mac_address | principal.asset.mac | |
| identity.signer_id | principal.labels[identity_signer_id](deprecated) | |
| identity.signer_id | additional.fields[identity_signer_id] | |
| identity.team_id_truncated | principal.labels[identity_team_id_truncated](deprecated) | |
| identity.team_id_truncated | additional.fields[identity_team_id_truncated] | |
| identity.signer_id_truncated | principal.labels[identity_signer_id_truncated](deprecated) | |
| identity.signer_id_truncated | additional.fields[identity_signer_id_truncated] | |
| identity.cd_hash | principal.labels[identity_cd_hash](deprecated) | |
| identity.cd_hash | additional.fields[identity_cd_hash] | |
| identity.team_id | principal.labels[team_id](deprecated) | |
| identity.team_id | additional.fields[team_id] | |
| identity.signer_type | principal.labels[signer_type](deprecated) | |
| identity.signer_type | additional.fields[signer_type] | |
| key | about.labels[key](deprecated) | |
| key | additional.fields[key] | |
| return.error, return.description | security_result.description | If the return.error and return.description log field values are not empty, then the return.error-return.description log fields are mapped to the security_result.description UDM field. Else, if the return.error log field value is not empty, then the return.error log field is mapped to the security_result.description UDM field. Else, if the return.description log field value is not empty, then the return.description log field is mapped to the security_result.description UDM field. | 
| return.return_value | security_result.detection_fields | |
| subject.session_id | network.session_id | |
| subject.group_id | principal.user.group_identifiers | If the header.event_name log field value contains one of the following values, then the subject.group_id log field is mapped to the target.user.group_identifiers UDM field. Else, the subject.group_id log field is mapped to the principal.user.group_identifiers UDM field. | 
| subject.effective_group_id | target.user.group_identifiers | If the header.event_name log field value does not contain one of the following values, then the subject.effective_group_id log field is mapped to the target.user.group_identifiers UDM field. | 
| subject.group_name | principal.group.group_display_name | If the header.event_name log field value contains one of the following values, then the subject.group_name log field is mapped to the target.group.group_display_name UDM field. Else, the subject.group_name log field is mapped to the principal.group.group_display_name UDM field. | 
| subject.effective_group_name | target.group.group_display_name | If the header.event_name log field value does not contain one of the following values, then the subject.effective_group_name log field is mapped to the target.group.group_display_name UDM field. | 
| subject.user_name | principal.user.user_display_name | If the header.event_name log field value contains one of the following values, then the subject.user_name log field is mapped to the target.user.user_display_name UDM field. Else, the subject.user_name log field is mapped to the principal.user.user_display_name UDM field. | 
| subject.effective_user_name | target.user.user_display_name | If the header.event_name log field value does not contain one of the following values, then the subject.effective_user_name log field is mapped to the target.user.user_display_name UDM field. | 
| subject.user_id | principal.user.userid | If the header.event_name log field value contains one of the following values, then the subject.user_id log field is mapped to the target.user.userid UDM field. Else, the subject.user_id log field is mapped to the principal.user.userid UDM field. | 
| subject.effective_user_id | target.user.userid | If the header.event_name log field value does not contain one of the following values, then the subject.effective_user_id log field is mapped to the target.user.userid UDM field. | 
| subject.audit_id | principal.labels[audit_id](deprecated) | |
| subject.audit_id | additional.fields[audit_id] | |
| subject.responsible_process_id, metrics.tasks.pid | principal.process.pid | If the header.event_name log field value is equal to SYSTEM_PERFORMANCE_METRICS, then the metrics.tasks.pid log field is mapped to the principal.process.pid UDM field. Else, the subject.responsible_process_id log field is mapped to the principal.process.pid UDM field. | 
| subject.process_id | principal.process_ancestors.pid | If the subject.responsible_process_id log field value is not empty, then the subject.process_id log field is mapped to the principal.process_ancestors.pid UDM field. Else, the subject.process_id log field is mapped to the principal.process.pid UDM field. | 
| subject.audit_user_name | principal.labels[audit_user_name](deprecated) | |
| subject.audit_user_name | additional.fields[audit_user_name] | |
| subject.process_name | principal.process_ancestors.file.full_path | If the subject.responsible_process_name log field value is not empty, then the subject.process_name log field is mapped to the principal.process_ancestors.file.full_path UDM field. Else, the subject.process_name log field is mapped to the principal.process.file.full_path UDM field. | 
| subject.responsible_process_name | principal.process.file.full_path  | |
| subject.process_hash | principal.process.file.sha1 | |
| subject.terminal_id.type | principal.labels[type] (deprecated) | If the subject.terminal_id.type log field value is equal to 4, then the principal.labels.key UDM field is set to subject_terminal_id_type and the principal.labels.value UDM field is set to 4-IPv4. Else, if the subject.terminal_id.type log field value is equal to 6, then the principal.labels.key UDM field is set to subject_terminal_id_type and the principal.labels.value UDM field is set to 6-IPv6. Else, the principal.labels.key UDM field is set to subject_terminal_id_type and the subject.terminal_id.type log field is mapped to the principal.labels.value UDM field. | 
| subject.terminal_id.type | additional.fields[type] | If the subject.terminal_id.type log field value is equal to 4, then the additional.fields.key UDM field is set to subject_terminal_id_type and the additional.fields.value.string_value UDM field is set to 4-IPv4. Else, if the subject.terminal_id.type log field value is equal to 6, then the additional.fields.key UDM field is set to subject_terminal_id_type and the additional.fields.value.string_value UDM field is set to 6-IPv6. Else, the additional.fields.key UDM field is set to subject_terminal_id_type and the subject.terminal_id.type log field is mapped to the additional.fields.value.string_value UDM field. | 
| subject.terminal_id.ip_address | principal.ip | |
| subject.terminal_id.port | principal.port | |
| texts | metadata.description | If the index value is equal to 0, then the texts log field is mapped to the metadata.description UDM field. Else, the texts log field is mapped to the about.labels.value UDM field. | 
| attributes.device | principal.asset.attribute.labels[device] | |
| attributes.owner_group_name | about.group.group_display_name | |
| attributes.owner_group_id | about.user.group_identifiers | |
| attributes.owner_user_id | about.user.userid | |
| attributes.owner_user_name | about.user.user_display_name | |
| attributes.file_system_id | principal.labels[attributes_file_system_id](deprecated) | |
| attributes.file_system_id | additional.fields[attributes_file_system_id] | |
| attributes.file_access_mode | principal.labels[attributes_file_access_mode](deprecated) | |
| attributes.file_access_mode | additional.fields[attributes_file_access_mode] | |
| attributes.node_id | principal.asset.asset_id | |
| path | about.labels[path] | |
| arguments.cmd | principal.labels[arguments_cmd](deprecated) | |
| arguments.cmd | additional.fields[arguments_cmd] | |
| arguments.policy | principal.labels[arguments_policy](deprecated) | |
| arguments.policy | additional.fields[arguments_policy] | |
| arguments.length | principal.labels[arguments_length](deprecated) | |
| arguments.length | additional.fields[arguments_length] | |
| _event_score | security_result.severity_details | |
| architecture | principal.asset.hardware.cpu_model | |
| arguments.addr | principal.labels[arguments_addr](deprecated) | |
| arguments.addr | additional.fields[arguments_addr] | |
| arguments.am_failure | principal.labels[arguments_am_failure](deprecated) | |
| arguments.am_failure | additional.fields[arguments_am_failure] | |
| arguments.am_success | principal.labels[arguments_am_success](deprecated) | |
| arguments.am_success | additional.fields[arguments_am_success] | |
| arguments.authenticated_as_test | principal.labels[arguments_authenticated_as_test](deprecated) | |
| arguments.authenticated_as_test | additional.fields[arguments_authenticated_as_test] | |
| arguments.child_PID | principal.labels[arguments_child_PID](deprecated) | |
| arguments.child_PID | additional.fields[arguments_child_PID] | |
| arguments.data | principal.labels[arguments_data](deprecated) | |
| arguments.data | additional.fields[arguments_data] | |
| arguments.domain | principal.labels[arguments_domain](deprecated) | |
| arguments.domain | additional.fields[arguments_domain] | |
| arguments.fd | principal.labels[arguments_fd](deprecated) | |
| arguments.fd | additional.fields[arguments_fd] | |
| arguments.flags | principal.labels[arguments_flags](deprecated) | |
| arguments.flags | additional.fields[arguments_flags] | |
| arguments.authenticated_as_allen.golbig | principal.labels[authenticated_as_allen_golbig](deprecated) | |
| arguments.authenticated_as_allen.golbig | additional.fields[authenticated_as_allen_golbig] | |
| arguments.known_UID_ | principal.labels[argument_known_uid](deprecated) | |
| arguments.known_UID_ | additional.fields[argument_known_uid] | |
| arguments.pid | principal.labels[arguments_pid](deprecated) | |
| arguments.pid | additional.fields[arguments_pid] | |
| arguments.port | principal.labels[arguments_port](deprecated) | |
| arguments.port | additional.fields[arguments_port] | |
| arguments.priority | security_result.priority_details | |
| arguments.process | principal.labels[argument_process](deprecated) | |
| arguments.process | additional.fields[argument_process] | |
| arguments.protocol | principal.labels[argument_protocol](deprecated) | |
| arguments.protocol | additional.fields[argument_protocol] | |
| arguments.request | principal.labels[argument_request](deprecated) | |
| arguments.request | additional.fields[argument_request] | |
| arguments.sflags | principal.labels[arguments_sflags](deprecated) | |
| arguments.sflags | additional.fields[arguments_sflags] | |
| arguments.signal | principal.labels[argument_signal](deprecated) | |
| arguments.signal | additional.fields[argument_signal] | |
| arguments.target_port, process.terminal_id.port, socket_inet.port | target.port | If the header.event_name log field value is equal to AUE_KILL or AUE_TASKFORPID, then the process.terminal_id.port log field is mapped to the target.port UDM field. Else, if the header.event_name log field value is equal to AUE_BIND or AUE_CONNECT, then the socket_inet.port log field is mapped to the target.port UDM field. Else, the arguments.target_port log field is mapped to the target.port UDM field. | 
| arguments.task_port | principal.labels[task_port](deprecated) | |
| arguments.task_port | additional.fields[task_port] | |
| arguments.type | principal.labels[argument_type](deprecated) | |
| arguments.type | additional.fields[argument_type] | |
| arguments.which | principal.labels[which](deprecated) | |
| arguments.which | additional.fields[which] | |
| arguments.who | principal.labels[who](deprecated) | |
| arguments.who | additional.fields[who] | |
| bios_firmware_versions.booter-version | principal.asset.attribute.labels[booter_version] | |
| bios_firmware_versions.firmware-features | principal.asset.attribute.labels[firmware_features] | |
| bios_firmware_versions.firmware-version | principal.asset.attribute.labels[firmware_version] | |
| bios_firmware_versions.release-date | principal.asset.attribute.labels[release_date] | |
| bios_firmware_versions.rom-size | principal.asset.attribute.labels[rom_size] | |
| bios_firmware_versions.system-firmware-version | principal.asset.attribute.labels[system_firmware_version] | |
| bios_firmware_versions.vendor | principal.asset.attribute.labels[vendor] | |
| bios_firmware_versions.version | principal.asset.attribute.labels[version] | |
| exec_args.args_compiled | principal.process.command_line | |
| exec_chain_parent.uuid | principal.labels[parent_uuid](deprecated) | |
| exec_chain_parent.uuid | additional.fields[parent_uuid] | |
| exec_env.env_compiled | about.labels[env_compiled](deprecated) | |
| exec_env.env_compiled | additional.fields[env_compiled] | |
| exec_env.env.PATH | about.labels[env_path](deprecated) | |
| exec_env.env.PATH | additional.fields[env_path] | |
| exit.return_value | principal.labels[return_value](deprecated) | |
| exit.return_value | additional.fields[return_value] | |
| exit.status | principal.labels[exit_status](deprecated) | |
| exit.status | additional.fields[exit_status] | |
| process.audit_id | about.labels[process_audit_id](deprecated) | |
| process.audit_id | additional.fields[process_audit_id] | |
| process.audit_user_name | about.labels[audit_user_name](deprecated) | |
| process.audit_user_name | additional.fields[audit_user_name] | |
| process.group_id, process.effective_group_id | about.user.group_identifiers | |
| process.group_name | about.group.group_display_name | |
| process.process_hash | target.process.file.sha1 | |
| process.process_id | target.process.pid | |
| process.process_name | target.process.file.full_path | |
| process.session_id | target.labels[process_session_id](deprecated) | |
| process.session_id | additional.fields[process_session_id] | |
| process.terminal_id.addr | target.labels[addr] | |
| process.terminal_id.ip_address | target.ip | |
| process.terminal_id.type | target.labels[process_terminal_id_type] (deprecated) | If the process.terminal_id.type log field value is equal to 4, then the target.labels.key UDM field is set to process_terminal_id_type and the target.labels.value UDM field is set to 4-IPv4. Else, if the process.terminal_id.type log field value is equal to 6, then the target.labels.key UDM field is set to process_terminal_id_type and the target.labels.value UDM field is set to 6-IPv6. Else, the target.labels.key UDM field is set to process_terminal_id_type and the process.terminal_id.type log field is mapped to the target.labels.value UDM field. | 
| process.terminal_id.type | additional.fields[process_terminal_id_type] | If the process.terminal_id.type log field value is equal to 4, then the additional.fields.key UDM field is set to process_terminal_id_type and the additional.fields.value.string_value UDM field is set to 4-IPv4. Else, if the process.terminal_id.type log field value is equal to 6, then the additional.fields.key UDM field is set to process_terminal_id_type and the additional.fields.value.string_value UDM field is set to 6-IPv6. Else, the additional.fields.key UDM field is set to process_terminal_id_type and the process.terminal_id.type log field is mapped to the additional.fields.value.string_value UDM field. | 
| process.user_id | about.user.userid | |
| process.user_name | about.user.user_display_name | |
| rateLimitingSeconds | about.labels[rate_limiting_seconds](deprecated) | |
| rateLimitingSeconds | additional.fields[rate_limiting_seconds] | |
| socket_inet.family | target.labels[socket_inet_family](deprecated) | |
| socket_inet.family | additional.fields[socket_inet_family] | |
| socket_inet.id | target.labels[socket_inet_id] (deprecated) | If the socket_inet.id log field value is equal to 128, then the target.labels.key UDM field is set to socket_inet_id and the target.labels.value UDM field is set to 128-IPv4. Else, if the socket_inet.id log field value is equal to 129, then the target.labels.key UDM field is set to socket_inet_id and the target.labels.value UDM field is set to 129-IPv6. Else, the target.labels.key UDM field is set to socket_inet_id and the socket_inet.id log field is mapped to the target.labels.value UDM field. | 
| socket_inet.id | additional.fields[socket_inet_id] | If the socket_inet.id log field value is equal to 128, then the additional.fields.key UDM field is set to socket_inet_id and the additional.fields.value.string_value UDM field is set to 128-IPv4. Else, if the socket_inet.id log field value is equal to 129, then the additional.fields.key UDM field is set to socket_inet_id and the additional.fields.value.string_value UDM field is set to 129-IPv6. Else, the additional.fields.key UDM field is set to socket_inet_id and the socket_inet.id log field is mapped to the additional.fields.value.string_value UDM field. | 
| socket_inet.ip_address | target.ip | |
| socket_unix.family | target.labels[socket_unix_family](deprecated) | |
| socket_unix.family | additional.fields[socket_unix_family] | |
| socket_unix.path | target.file.full_path | |
| subject.terminal_id.addr | target.labels[addr] | |
| metrics.hw_model | principal.asset.hardware.model | |
| metrics.tasks.bytes_received | network.received_bytes | If the index value is equal to 0, then the metrics.tasks.bytes_received log field is mapped to the network.received_bytes UDM field. Else, the metrics.tasks.bytes_received log field is mapped to the principal.asset.attribute.labels.value UDM field. | 
| metrics.tasks.bytes_received_per_s | principal.asset.attribute.labels[bytes_received_per_s] | |
| metrics.tasks.bytes_sent | network.sent_bytes | If the index value is equal to 0, then the metrics.tasks.bytes_sent log field is mapped to the network.sent_bytes UDM field. Else, the metrics.tasks.bytes_sent log field is mapped to the principal.asset.attribute.labels.value UDM field. | 
| metrics.tasks.bytes_sent_per_s | principal.asset.attribute.labels[bytes_sent_per_s] | |
| metrics.tasks.cputime_ms_per_s | principal.asset.attribute.labels[cputime_ms_per_s] | |
| metrics.tasks.cputime_ns | principal.asset.attribute.labels[cputime_ns] | |
| metrics.tasks.cputime_sample_ms_per_s | principal.asset.attribute.labels[cputime_sample_ms_per_s] | |
| metrics.tasks.cputime_userland_ratio | principal.asset.attribute.labels[cputime_userland_ratio] | |
| metrics.tasks.diskio_bytesread | principal.asset.attribute.labels[diskio_bytesread] | |
| metrics.tasks.diskio_bytesread_per_s | principal.asset.attribute.labels[diskio_bytesread_per_s] | |
| metrics.tasks.diskio_byteswritten | principal.asset.attribute.labels[diskio_byteswritten] | |
| metrics.tasks.diskio_byteswritten_per_s | principal.asset.attribute.labels[diskio_byteswritten_per_s] | |
| metrics.tasks.energy_impact | principal.asset.attribute.labels[energy_impact] | |
| metrics.tasks.energy_impact_per_s | principal.asset.attribute.labels[energy_impact_per_s] | |
| metrics.tasks.idle_wakeups | principal.asset.attribute.labels[idle_wakeups] | |
| metrics.tasks.interval_ns | principal.asset.attribute.labels[interval_ns] | |
| metrics.tasks.intr_wakeups_per_s | principal.asset.attribute.labels[intr_wakeups_per_s] | |
| metrics.tasks.name | principal.asset.attribute.labels[name] | |
| metrics.tasks.packets_received | network.received_packets | If the index value is equal to 0, then the metrics.tasks.packets_received log field is mapped to the network.received_packets UDM field. Else, the metrics.tasks.packets_received log field is mapped to the principal.asset.attribute.labels.value UDM field. | 
| metrics.tasks.packets_received_per_s | principal.asset.attribute.labels[packets_received_per_s] | |
| metrics.tasks.packets_sent | network.sent_packets | If the index value is equal to 0, then the metrics.tasks.packets_sent log field is mapped to the network.sent_packets UDM field. Else, the metrics.tasks.packets_sent log field is mapped to the principal.asset.attribute.labels.value UDM field. | 
| metrics.tasks.packets_sent_per_s | principal.asset.attribute.labels[packets_sent_per_s] | |
| metrics.tasks.pageins | principal.asset.attribute.labels[pageins] | |
| metrics.tasks.pageins_per_s | principal.asset.attribute.labels[pageins_per_s] | |
| metrics.tasks.qos_background_ms_per_s | principal.asset.attribute.labels[qos_background_ms_per_s] | |
| metrics.tasks.qos_background_ns | principal.asset.attribute.labels[qos_background_ns] | |
| metrics.tasks.qos_default_ms_per_s | principal.asset.attribute.labels[qos_default_ms_per_s] | |
| metrics.tasks.qos_default_ns | principal.asset.attribute.labels[qos_default_ns] | |
| metrics.tasks.qos_disabled_ms_per_s | principal.asset.attribute.labels[qos_disabled_ms_per_s] | |
| metrics.tasks.qos_disabled_ns | principal.asset.attribute.labels[qos_disabled_ns] | |
| metrics.tasks.qos_maintenance_ms_per_s | principal.asset.attribute.labels[qos_maintenance_ms_per_s] | |
| metrics.tasks.qos_maintenance_ns | principal.asset.attribute.labels[qos_maintenance_ns] | |
| metrics.tasks.qos_user_initiated_ms_per_s | principal.asset.attribute.labels[qos_user_initiated_ms_per_s] | |
| metrics.tasks.qos_user_initiated_ns | principal.asset.attribute.labels[qos_user_initiated_ns] | |
| metrics.tasks.qos_user_interactive_ms_per_s | principal.asset.attribute.labels[qos_user_interactive_ms_per_s] | |
| metrics.tasks.qos_user_interactive_ns | principal.asset.attribute.labels[qos_user_interactive_ns] | |
| metrics.tasks.qos_utility_ms_per_s | principal.asset.attribute.labels[qos_utility_ms_per_s] | |
| metrics.tasks.qos_utility_ns | principal.asset.attribute.labels[qos_utility_ns] | |
| metrics.tasks.started_abstime_ns | principal.asset.attribute.labels[started_abstime_ns] | |
| metrics.tasks.timer_wakeups.wakeups | principal.asset.attribute.labels[timer_wakeups] | |
| page_info.page | about.labels[page_info_page](deprecated) | |
| page_info.page | additional.fields[page_info_page] | |
| page_info.total | about.labels[page_info_total](deprecated) | |
| page_info.total | additional.fields[page_info_total] | |
| exec_env.env._ | about.labels[env](deprecated) | |
| exec_env.env._ | additional.fields[env] | |
| exec_env.env.__CF_USER_TEXT_ENCODING | about.labels[env__CF_USER_TEXT_ENCODING](deprecated) | |
| exec_env.env.__CF_USER_TEXT_ENCODING | additional.fields[env__CF_USER_TEXT_ENCODING] | |
| exec_env.env.__CFBundleIdentifier | about.labels[env__CFBundleIdentifier](deprecated) | |
| exec_env.env.__CFBundleIdentifier | additional.fields[env__CFBundleIdentifier] | |
| exec_env.env.ASDF_DIR | about.labels[env_ASDF_DIR](deprecated) | |
| exec_env.env.ASDF_DIR | additional.fields[env_ASDF_DIR] | |
| exec_env.env.HOME | about.labels[env_HOME](deprecated) | |
| exec_env.env.HOME | additional.fields[env_HOME] | |
| exec_env.env.LANG | about.labels[env_LANG](deprecated) | |
| exec_env.env.LANG | additional.fields[env_LANG] | |
| exec_env.env.LC_TERMINAL | about.labels[env_LC_TERMINAL](deprecated) | |
| exec_env.env.LC_TERMINAL | additional.fields[env_LC_TERMINAL] | |
| exec_env.env.LC_TERMINAL_VERSION | about.labels[env_LC_TERMINAL_VERSION](deprecated) | |
| exec_env.env.LC_TERMINAL_VERSION | additional.fields[env_LC_TERMINAL_VERSION] | |
| exec_env.env.MAIL | about.labels[env_MAIL](deprecated) | |
| exec_env.env.MAIL | additional.fields[env_MAIL] | |
| exec_env.env.MallocSpaceEfficient | about.labels[env_MallocSpaceEfficient](deprecated) | |
| exec_env.env.MallocSpaceEfficient | additional.fields[env_MallocSpaceEfficient] | |
| exec_env.env.OLDPWD | about.labels[env_OLDPWD](deprecated) | |
| exec_env.env.OLDPWD | additional.fields[env_OLDPWD] | |
| exec_env.env.PWD | about.file.full_path | |
| exec_env.env.SHELL | about.labels[env_SHELL](deprecated) | |
| exec_env.env.SHELL | additional.fields[env_SHELL] | |
| exec_env.env.SHLVL | about.labels[env_SHLVL](deprecated) | |
| exec_env.env.SHLVL | additional.fields[env_SHLVL] | |
| exec_env.env.SSH_AUTH_SOCK | about.labels[env_SSH_AUTH_SOCK](deprecated) | |
| exec_env.env.SSH_AUTH_SOCK | additional.fields[env_SSH_AUTH_SOCK] | |
| exec_env.env.SSH_CLIENT | about.labels[env_SSH_CLIENT](deprecated) | |
| exec_env.env.SSH_CLIENT | additional.fields[env_SSH_CLIENT] | |
| exec_env.env.SSH_CONNECTION | about.labels[env_SSH_CONNECTION](deprecated) | |
| exec_env.env.SSH_CONNECTION | additional.fields[env_SSH_CONNECTION] | |
| exec_env.env.SSH_TTY | about.labels[env_SSH_TTY](deprecated) | |
| exec_env.env.SSH_TTY | additional.fields[env_SSH_TTY] | |
| exec_env.env.SUDO_COMMAND | about.labels[env_SUDO_COMMAND](deprecated) | |
| exec_env.env.SUDO_COMMAND | additional.fields[env_SUDO_COMMAND] | |
| exec_env.env.SUDO_GID | about.user.group_identifiers | |
| exec_env.env.SUDO_UID | about.user.userid | |
| exec_env.env.SUDO_USER | about.user.user_display_name | |
| exec_env.env.TERM | about.labels[env_TERM](deprecated) | |
| exec_env.env.TERM | additional.fields[env_TERM] | |
| exec_env.env.LOGNAME | about.labels[env_LOGNAME](deprecated) | |
| exec_env.env.LOGNAME | additional.fields[env_LOGNAME] | |
| exec_env.env.USER | about.labels[env_USER](deprecated) | |
| exec_env.env.USER | additional.fields[env_USER] | |
| exec_env.env.TERM_PROGRAM | about.labels[env_TERM_PROGRAM](deprecated) | |
| exec_env.env.TERM_PROGRAM | additional.fields[env_TERM_PROGRAM] | |
| exec_env.env.TERM_PROGRAM_VERSION | about.labels[env_TERM_PROGRAM_VERSION](deprecated) | |
| exec_env.env.TERM_PROGRAM_VERSION | additional.fields[env_TERM_PROGRAM_VERSION] | |
| exec_env.env.TERM_SESSION_ID | about.labels[env_TERM_SESSION_ID](deprecated) | |
| exec_env.env.TERM_SESSION_ID | additional.fields[env_TERM_SESSION_ID] | |
| exec_env.env.TMPDIR | about.labels[env_TMPDIR](deprecated) | |
| exec_env.env.TMPDIR | additional.fields[env_TMPDIR] | |
| exec_env.env.XPC_FLAGS | about.labels[env_XPC_FLAGS](deprecated) | |
| exec_env.env.XPC_FLAGS | additional.fields[env_XPC_FLAGS] | |
| exec_env.env.XPC_SERVICE_NAME | about.labels[env_XPC_SERVICE_NAME](deprecated) | |
| exec_env.env.XPC_SERVICE_NAME | additional.fields[env_XPC_SERVICE_NAME] | |
|  | target.resource.resource_type | If the header.event_name log field value is equal to AUE_GETAUID, then the target.resource.resource_type UDM field is set to TASK. Else, if the header.event_name log field value is equal to AUE_SETPRIORITY or AUE_SETTIMEOFDAY, then the target.resource.resource_type UDM field is set to SETTING. |
|  | extensions.auth.mechanism | If the header.event_name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD: |
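The following is an added example, not the Google SecOps JAMF_TELEMETRY parser's own code. It applies the conditional rules from the table above (the index rule for metrics.tasks.packets_sent, the header.event_name rules for target.resource.resource_type, the exec_env.env rows with their deprecated about.labels and current additional.fields locations, and the page_info rows) to a constructed telemetry record, so that a detection engineer can see which UDM paths a given record populates before writing rules against them. The sample record, the function names (normalize, map_tasks, map_env, map_event_name), the assumption that metrics.tasks is an array whose position is the "index" the table refers to, and the decision to drop env keys the table does not list are all assumptions made for the example.

```python
# Added example for this page: illustrative normalizer written against the
# mapping table above. It is NOT the Google SecOps parser; label containers are
# modelled as plain dicts and lists so the result is easy to inspect.
from typing import Any, Dict, List, Optional

# Constructed sample record (not captured from a real host). Its shape follows
# the log-field column of the table; metrics.tasks is assumed to be an array and
# "index" in the packets_sent rule is assumed to be a task's position in it.
SAMPLE_RECORD: Dict[str, Any] = {
    "header": {"event_name": "AUE_SETPRIORITY"},
    "page_info": {"page": 1, "total": 1},
    "metrics": {
        "tasks": [
            {"packets_sent": 120, "pageins": 3, "qos_default_ns": 9000},
            {"packets_sent": 45, "pageins": 0, "timer_wakeups": {"wakeups": 7}},
        ]
    },
    "exec_env": {
        "env": {
            "PWD": "/Users/alice/project",
            "SUDO_UID": "501",
            "SUDO_GID": "20",
            "SUDO_USER": "alice",
            "SUDO_COMMAND": "/usr/bin/vim /etc/hosts",
            "TERM": "xterm-256color",
            "NOT_IN_TABLE": "dropped",  # assumption: keys the table omits are not mapped
        }
    },
}

# header.event_name -> target.resource.resource_type (last rows of the table).
RESOURCE_TYPE_BY_EVENT = {
    "AUE_GETAUID": "TASK",
    "AUE_SETPRIORITY": "SETTING",
    "AUE_SETTIMEOFDAY": "SETTING",
}

# exec_env.env keys that get a dedicated UDM field instead of a label.
DEDICATED_ENV_FIELDS = {
    "PWD": "about.file.full_path",
    "SUDO_GID": "about.user.group_identifiers",
    "SUDO_UID": "about.user.userid",
    "SUDO_USER": "about.user.user_display_name",
}

# exec_env.env keys written to about.labels[env_<KEY>] (deprecated) and additional.fields[env_<KEY>].
LABELLED_ENV_KEYS = {
    "_", "__CF_USER_TEXT_ENCODING", "__CFBundleIdentifier", "ASDF_DIR", "HOME", "LANG",
    "LC_TERMINAL", "LC_TERMINAL_VERSION", "MAIL", "MallocSpaceEfficient", "OLDPWD",
    "SHELL", "SHLVL", "SSH_AUTH_SOCK", "SSH_CLIENT", "SSH_CONNECTION", "SSH_TTY",
    "SUDO_COMMAND", "TERM", "LOGNAME", "USER", "TERM_PROGRAM", "TERM_PROGRAM_VERSION",
    "TERM_SESSION_ID", "TMPDIR", "XPC_FLAGS", "XPC_SERVICE_NAME",
}

# metrics.tasks.<key> values written to principal.asset.attribute.labels[<key>] (qos_* rows match by prefix).
TASK_LABEL_KEYS = {"packets_sent_per_s", "pageins", "pageins_per_s", "started_abstime_ns"}


def map_event_name(event_name: str) -> Optional[str]:
    """Return the resource_type for an audit event name, or None when the table has no rule."""
    return RESOURCE_TYPE_BY_EVENT.get(event_name)


def map_tasks(tasks: List[Dict[str, Any]]) -> Dict[str, Any]:
    """packets_sent of task index 0 becomes network.sent_packets; everything else becomes a label."""
    udm: Dict[str, Any] = {}
    labels: List[Dict[str, Any]] = []
    for index, task in enumerate(tasks):
        for key, value in task.items():
            if key == "packets_sent":
                if index == 0:
                    udm["network.sent_packets"] = value
                else:
                    labels.append({"key": key, "value": value})
            elif key in TASK_LABEL_KEYS or key.startswith("qos_"):
                labels.append({"key": key, "value": value})
            elif key == "timer_wakeups" and isinstance(value, dict) and "wakeups" in value:
                labels.append({"key": "timer_wakeups", "value": value["wakeups"]})
    if labels:
        udm["principal.asset.attribute.labels"] = labels
    return udm


def map_env(env: Dict[str, Any], about_labels: Dict[str, Any], additional: Dict[str, Any]) -> Dict[str, Any]:
    """Dedicated fields for PWD and SUDO_*; env_<KEY> labels for the other listed keys."""
    udm: Dict[str, Any] = {}
    for key, value in env.items():
        if key in DEDICATED_ENV_FIELDS:
            udm[DEDICATED_ENV_FIELDS[key]] = value
        elif key in LABELLED_ENV_KEYS:
            name = "env" if key == "_" else f"env_{key}"
            about_labels[name] = value  # deprecated location, still written by the table
            additional[name] = value    # current location
    return udm


def normalize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a flat {udm_path: value} dict for one telemetry record."""
    udm: Dict[str, Any] = {}
    about_labels: Dict[str, Any] = {}
    additional: Dict[str, Any] = {}
    resource_type = map_event_name(record.get("header", {}).get("event_name", ""))
    if resource_type is not None:
        udm["target.resource.resource_type"] = resource_type
    for key in ("page", "total"):
        if key in record.get("page_info", {}):
            about_labels[f"page_info_{key}"] = record["page_info"][key]
            additional[f"page_info_{key}"] = record["page_info"][key]
    udm.update(map_tasks(record.get("metrics", {}).get("tasks", [])))
    udm.update(map_env(record.get("exec_env", {}).get("env", {}), about_labels, additional))
    if about_labels:
        udm["about.labels"] = about_labels
    if additional:
        udm["additional.fields"] = additional
    return udm


if __name__ == "__main__":
    import json
    print(json.dumps(normalize(SAMPLE_RECORD), indent=2, sort_keys=True))
```

Running the block prints the UDM paths the sample record populates. Two points worth noticing when writing detections: the SUDO_COMMAND value is only reachable through additional.fields (and the deprecated about.labels), not through a process or command-line field, and only the first task's packets_sent lands in network.sent_packets, so rules on that field see one task per record.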
Next steps