本頁面由 Cloud Translation API 翻譯而成。

收集 Jamf Protect 遙測記錄

支援的國家/地區：

Google SecOps SIEM

本文說明如何設定 Google Security Operations 資訊提供，收集 Jamf Protect Telemetry 記錄，以及如何將記錄欄位對應至 Google Security Operations Unified Data Model (UDM) 欄位。本文也列出支援的 Jamf Protect Telemetry 版本。

詳情請參閱「將資料擷取至 Google Security Operations」。

一般部署作業包含 Jamf Protect 遙測和 Google Security Operations 資訊饋給，後者會設定為將記錄傳送至 Google Security Operations。每個客戶的部署作業可能有所不同，也可能更複雜。

部署作業包含下列元件：

Jamf Protect 遙測。您要從哪個 Jamf Protect Telemetry 平台收集記錄。
Google Security Operations 摘要。Google Security Operations 資訊提供，可從 Jamf Protect Telemetry 擷取記錄，並將記錄寫入 Google Security Operations。
Google Security Operations。Google Security Operations 會保留及分析 Jamf Protect Telemetry 的記錄。

擷取標籤會識別剖析器，該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於具有 JAMF_TELEMETRY 攝入標籤的剖析器。

事前準備

請確認您已完成下列事前準備事項：

Jamf Protect 遙測資料設定
Jamf Protect 4.0.0 以上版本
部署架構中的所有系統都已設定為世界標準時間時區。

依序前往「SIEM 設定」>「動態消息」設定動態消息

您可以使用 Amazon S3 V2 或 Webhook，在 Google Security Operations 中設定擷取動態饋給。

使用 Amazon S3 V2 在 Google SecOps 中設定擷取動態饋給

依序前往「SIEM 設定」>「動態饋給」。
按一下「新增動態消息」。
按一下 JAMF 動態饋給套件。
找出「Jamf Protect Telemetry」記錄類型。
選取「Amazon S3 V2」做為「來源類型」。
為下列欄位指定值：
- S3 URI：bucket URI。
  - s3://your-log-bucket-name/
    - 請將 your-log-bucket-name 替換為 S3 值區的實際名稱。
- 來源刪除選項：根據擷取偏好設定選取刪除選項。
- 存取金鑰 ID：具備 S3 值區讀取權限的使用者存取金鑰。
- 檔案存在時間上限：包含在過去天數內修改的檔案。預設值為 180 天。
- 存取密鑰：使用者的存取密鑰，具備從 S3 bucket 讀取的權限。
進階選項
- 動態饋給名稱：系統預先填入的值，用於識別動態饋給。
- 資產命名空間：與動態饋給相關聯的命名空間。
- 擷取標籤：套用至這個動態饋給所有事件的標籤。
按一下「建立動態饋給」。

使用 Webhook 在 Google SecOps 中設定擷取動態饋給

依序前往「SIEM 設定」>「動態饋給」。
按一下「新增動態消息」。
按一下 JAMF 動態饋給套件。
找出「Jamf Protect Telemetry」記錄類型。
在「Source type」(來源類型) 清單中，選取「Webhook」(Webhook)。
為下列欄位指定值：
- 分割分隔符號：用於分隔記錄行的分隔符號，例如 \n。
- 資產命名空間：資產命名空間。
- 擷取標籤：要套用至這個動態饋給事件的標籤。
按一下「建立動態饋給」。

如要為這個產品系列中的不同記錄類型設定多個動態饋給，請參閱「依產品設定動態饋給」。

為 Webhook 動態饋給建立 API 金鑰

依序前往 Google Cloud 控制台 >「憑證」。

前往「憑證」
按一下 [Create credentials] (建立憑證)，然後選取 [API key] (API 金鑰)。
將 API 金鑰存取權限制在 Google Security Operations API。

為 Webhook 饋給設定 Jamf Protect 遙測資料

在 Jamf Protect Telemetry 應用程式中，前往相關的「Action configuration」。
如要新增資料端點，請按一下「建立動作」。
選取「HTTP」做為通訊協定。
在「URL」欄位中，輸入 Google Security Operations API 端點的 HTTPS 網址。(這是您從 Webhook 摘要設定複製的「端點資訊」欄位。(已採用必要格式)。
指定 API 金鑰和密鑰，以啟用驗證，格式如下：
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
建議：請將 API 金鑰指定為標頭，而非在網址中指定。如果 Webhook 用戶端不支援自訂標頭，您可以使用查詢參數指定 API 金鑰和密鑰，格式如下：
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```
更改下列內容：
- ENDPOINT_URL：動態消息端點網址。
- API_KEY：用於向 Google Security Operations 進行驗證的 API 金鑰。
- SECRET：您產生的密鑰，用於驗證動態消息。
在「收集記錄」部分中，選取「遙測」。
按一下「提交」。

如要進一步瞭解 Google Security Operations 動態消息，請參閱 Google Security Operations 動態消息說明文件。如要瞭解各動態饋給類型的規定，請參閱「依類型設定動態饋給」。

如果在建立動態饋給時遇到問題，請與 Google Security Operations 支援團隊聯絡。

支援的 Jamf Protect 遙測記錄類型

Jamf Protect Telemetry 剖析器支援下列記錄類型：

Event Type

AUE_add_to_group
AUE_AUDITCTL
AUE_AUDITON_SPOLICY
AUE_AUTH_USER
AUE_BIND
AUE_BIOS_FIRMWARE_VERSIONS
AUE_CHDIR
AUE_CHROOT
AUE_CONNECT
AUE_create_group
AUE_delete_group
AUE_create_user
AUE_delete_user
AUE_EXECVE
AUE_EXIT
AUE_FORK
AUE_GETAUID
AUE_KILL
AUE_LISTEN
AUE_LOGOUT
AUE_LW_LOGIN
AUE_MAC_SET_PROC
AUE_modify_group
AUE_modify_password
AUE_modify_user
AUE_MOUNT
AUE_openssh
AUE_PIDFORTASK
AUE_POSIX_SPAWN
AUE_REMOVE_FROM_GROUP
AUE_SESSION_CLOSE
AUE_SESSION_END
AUE_SESSION_START
AUE_SESSION_UPDATE
AUE_SETPRIORITY
AUE_SETSOCKOPT
AUE_SETTIMEOFDAY
AUE_SHUTDOWN
AUE_SOCKETPAIR
AUE_SSAUTHINT
AUE_SSAUTHMECH
AUE_SSAUTHORIZE
AUE_TASKFORPID
AUE_TASKNAMEFORPID
AUE_UNMOUNT
AUE_WAIT4
PLAINTEXT_LOG_COLLECTION_EVENT
SYSTEM_PERFORMANCE_METRICS

支援的 Jamf Protect 遙測記錄格式

Jamf Protect Telemetry 剖析器支援 JSON 格式的記錄。

支援的 Jamf Protect 遙測資料記錄範例

JSON

{
  "exec_chain": {
    "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E"
  },
  "exec_chain_child": {
    "parent_path": "/sbin/launchd",
    "parent_pid": 1,
    "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02"
  },
  "header": {
    "time_seconds_epoch": 1657906179,
    "time_milliseconds_offset": 848,
    "version": 11,
    "event_modifier": 0,
    "event_id": 45018,
    "event_name": "AUE_add_to_group"
  },
  "host_info": {
    "serial_number": "C03WG0H4HDTS",
    "host_name": "Test_MacBook_Pro",
    "osversion": "Version 12.4 (Build 21F79)",
    "host_uuid": "8891C1E2-0AC0-4E4A-844B-EA491B14D115"
  },
  "identity": {
    "signer_id": "dummy.domain.opendirectoryd",
    "team_id_truncated": false,
    "signer_id_truncated": false,
    "cd_hash": "68d22bdec020f20010bfa9d27cd5f69d78427636",
    "team_id": "",
    "signer_type": 1
  },
  "key": "21E48D3B-4965-4072-81BF-83BE04A329C2",
  "return": {
    "error": 0,
    "description": "success",
    "return_value": 0
  },
  "subject": {
    "session_id": 100003,
    "group_id": 20,
    "process_name": "/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice",
    "parent_pid": 1,
    "effective_user_name": "jamf",
    "user_id": 501,
    "group_name": "staff",
    "parent_uuid": "4AB281FE-6D4A-4E79-8508-E91FCA39BA02",
    "uuid": "F6095AEA-C5CB-4AAB-8FC7-70B9D454319E",
    "effective_group_id": 20,
    "process_hash": "507494616e05a5eb909794354fe69f29e432f2a7",
    "audit_id": 501,
    "responsible_process_id": 1391,
    "parent_path": "/sbin/launchd",
    "process_id": 1701,
    "effective_group_name": "staff",
    "audit_user_name": "jamf",
    "effective_user_id": 501,
    "terminal_id": {
      "type": 4,
      "ip_address": "198.51.100.0",
      "port": 4278
    },
    "responsible_process_name": "/System/Applications/System Preferences.app/Contents/MacOS/System Preferences",
    "user_name": "jamf"
  },
  "texts": [
    "Added Groups membership username to '_lpadmin' node '/Local/Default', value = 'baddie'"
  ]
}

欄位對應參考資料

本節說明 Google Security Operations 剖析器如何將 Jamf Protect Telemetry 欄位對應至 Google Security Operations Unified Data Model (UDM) 欄位。

欄位對應參照：事件 ID 對應至事件類型

下表列出 JAMF_TELEMETRY 記錄類型和對應的 UDM 事件類型。

Event Identifier	Event Type
`AUE_add_to_group`	`GROUP_MODIFICATION`
`AUE_AUDITCTL`	`RESOURCE_READ`
`AUE_AUDITON_SPOLICY`	`RESOURCE_READ`
`AUE_AUTH_USER`	`USER_LOGIN`
`AUE_BIND`	`NETWORK_CONNECTION`
`AUE_BIOS_FIRMWARE_VERSIONS`	`USER_RESOURCE_ACCESS`
`AUE_CHDIR`	`USER_RESOURCE_ACCESS`
`AUE_CHROOT`	`USER_RESOURCE_ACCESS`
`AUE_CONNECT`	`NETWORK_CONNECTION`
`AUE_create_group`	`GROUP_CREATION`
`AUE_delete_group`	`GROUP_DELETION`
`AUE_create_user`	`USER_CREATION`
`AUE_delete_user`	`USER_DELETION`
`AUE_EXECVE`	`PROCESS_LAUNCH`
`AUE_EXIT`	`PROCESS_TERMINATION`
`AUE_FORK`	`PROCESS_LAUNCH`
`AUE_GETAUID`	`SCHEDULED_TASK_CREATION`
`AUE_KILL`	`PROCESS_TERMINATION`
`AUE_LISTEN`	`NETWORK_CONNECTION`
`AUE_LOGOUT`	`USER_LOGOUT`
`AUE_LW_LOGIN`	`USER_LOGIN`
`AUE_MAC_SET_PROC`	`PROCESS_UNCATEGORIZED`
`AUE_modify_group`	`GROUP_MODIFICATION`
`AUE_modify_password`	`USER_CHANGE_PASSWORD`
`AUE_modify_user`	`USER_UNCATEGORIZED`
`AUE_MOUNT`	`RESOURCE_READ`
`AUE_openssh`	`USER_LOGIN`
`AUE_PIDFORTASK`	`PROCESS_LAUNCH`
`AUE_POSIX_SPAWN`	`PROCESS_LAUNCH`
`AUE_REMOVE_FROM_GROUP`	`GROUP_MODIFICATION`
`AUE_SESSION_CLOSE`	`USER_LOGOUT`
`AUE_SESSION_END`	`USER_LOGOUT`
`AUE_SESSION_START`	`USER_LOGIN`
`AUE_SESSION_UPDATE`	`USER_UNCATEGORIZED`
`AUE_SETPRIORITY`	`SETTING_MODIFICATION`
`AUE_SETSOCKOPT`	`NETWORK_CONNECTION`
`AUE_SETTIMEOFDAY`	`SETTING_MODIFICATION`
`AUE_SHUTDOWN`	`STATUS_SHUTDOWN`
`AUE_SOCKETPAIR`	`NETWORK_CONNECTION`
`AUE_SSAUTHINT`	`USER_LOGIN`
`AUE_SSAUTHMECH`	`USER_LOGIN`
`AUE_SSAUTHORIZE`	`USER_LOGIN`
`AUE_TASKFORPID`	`PROCESS_INJECTION`
`AUE_TASKNAMEFORPID`	`PROCESS_INJECTION`
`AUE_UNMOUNT`	`RESOURCE_READ`
`AUE_WAIT4`	`PROCESS_UNCATEGORIZED`
`PLAINTEXT_LOG_COLLECTION_EVENT`	`GENERIC_EVENT`

`SYSTEM_PERFORMANCE_METRICS`	`GENERIC_EVENT`

欄位對應參考資料：JAMF_TELEMETRY

下表列出 JAMF_TELEMETRY 記錄類型的記錄欄位，以及對應的 UDM 欄位。

Log field	UDM mapping	Logic
	`metadata.event_type`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `JAMF_TELEMETRY`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `JAMF`.
`header.time_seconds_epoch`	`metadata.event_timestamp`
`header.time_milliseconds_offset`	`about.labels[time_milliseconds_offset]` (deprecated)
`header.time_milliseconds_offset`	`additional.fields[time_milliseconds_offset]`
`header.version`	`about.labels[header_version]` (deprecated)
`header.version`	`additional.fields[header_version]`
`header.event_modifier`	`about.labels[event_modifier]` (deprecated)
`header.event_modifier`	`additional.fields[event_modifier]`
`header.event_uuid`	`metadata.product_log_id`
`header.event_name,header.event_id`	`metadata.product_event_type`	If the `header.event_name` and `header.event_id` log field values are not empty, then the `header.event_name-header.event_id` log fields are mapped to the `metadata.product_event_type` UDM field. Else, if the `header.event_name` log field value is not empty, then the `header.event_name` log field is mapped to the `metadata.product_event_type` UDM field. Else, if the `header.event_id` log field value is not empty, then the `header.event_id` log field is mapped to the `metadata.product_event_type` UDM field.
`exec_chain.thread_uuid`	`principal.labels[exec_chain_thread_uuid]` (deprecated)
`exec_chain.thread_uuid`	`additional.fields[exec_chain_thread_uuid]`
`exec_chain.uuid`	`principal.labels[exec_chain_uuid]` (deprecated)
`exec_chain.uuid`	`additional.fields[exec_chain_uuid]`
`exec_chain_child.parent_path`	`principal.process.parent_process.file.full_path`
`exec_chain_child.parent_pid`	`principal.process.parent_process.pid`
`exec_chain_child.parent_uuidsubject.parent` (deprecated)	`principal.labels[exec_chain_child_parent_uuid]`
`exec_chain_child.parent_uuid`	`additional.fields[exec_chain_child_parent_uuid]`
`host_info.serial_number`	`principal.asset.hardware.serial_number`
`host_info.host_name`	`principal.hostname`
`host_info.osversion`	`principal.asset.software.version`
`host_info.host_uuid`	`principal.asset.product_object_id`
`host_info.primary_mac_address`	`principal.asset.mac`
`identity.signer_id`	`principal.labels[identity_signer_id]` (deprecated)
`identity.signer_id`	`additional.fields[identity_signer_id]`
`identity.team_id_truncated`	`principal.labels[identity_team_id_truncated]` (deprecated)
`identity.team_id_truncated`	`additional.fields[identity_team_id_truncated]`
`identity.signer_id_truncated`	`principal.labels[identity_signer_id_truncated]` (deprecated)
`identity.signer_id_truncated`	`additional.fields[identity_signer_id_truncated]`
`identity.cd_hash`	`principal.labels[identity_cd_hash]` (deprecated)
`identity.cd_hash`	`additional.fields[identity_cd_hash]`
`identity.team_id`	`principal.labels[team_id]` (deprecated)
`identity.team_id`	`additional.fields[team_id]`
`identity.signer_type`	`principal.labels[signer_type]` (deprecated)
`identity.signer_type`	`additional.fields[signer_type]`
`key`	`about.labels[key]` (deprecated)
`key`	`additional.fields[key]`
`return.error,return.description`	`security_result.description`	If the `return.error` and `return.description` log field values are not empty, then the `return.error-return.description` log fields are mapped to the `security_result.description` UDM field. Else, if the `return.error` log field value is not empty, then the `return.error` log field is mapped to the `security_result.description` UDM field. Else, if the `return.description` log field value is not empty, then the `return.description` log field is mapped to the `security_result.description` UDM field.
`return.return_value`	`security_result.detection_fields`
`subject.session_id`	`network.session_id`
`subject.group_id`	`principal.user.group_identifiers`	If the `header.event_name` log field value contains one of the following values, then the `subject.group_id` log field is mapped to the `target.user.group_identifiers` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.group_id` log field is mapped to the `principal.user.group_identifiers` UDM field.
`subject.effective_group_id`	`target.user.group_identifiers`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_group_id` log field is mapped to the `target.user.group_identifiers` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.group_name`	`principal.group.group_display_name`	If the `header.event_name` log field value contains one of the following values, then the `subject.group_name` log field is mapped to the `target.group.group_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.group_name` log field is mapped to the `principal.group.group_display_name` UDM field.
`subject.effective_group_name`	`target.group.group_display_name`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_group_name` log field is mapped to the `target.group.group_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.user_name`	`principal.user.user_display_name`	If the `header.event_name` log field value contains one of the following values, then the `subject.user_name` log field is mapped to the `target.user.user_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.user_name` log field is mapped to the `principal.user.user_display_name` UDM field.
`subject.effective_user_name`	`target.user.user_display_name`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_user_name` log field is mapped to the `target.user.user_display_name` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.user_id`	`principal.user.userid`	If the `header.event_name` log field value contains one of the following values, then the `subject.user_id` log field is mapped to the `target.user.userid` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize` Else, the `subject.user_id` log field is mapped to the `principal.user.userid` UDM field.
`subject.effective_user_id`	`target.user.userid`	If the `header.event_name` log field value does not contain one of the following values, then the `subject.effective_user_id` log field is mapped to the `target.user.userid` UDM field: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`
`subject.audit_id`	`principal.labels[audit_id]` (deprecated)
`subject.audit_id`	`additional.fields[audit_id]`
`subject.responsible_process_id,metrics.tasks.pid`	`principal.process.pid`	If the `header.event_name` log field value is equal to `SYSTEM_PERFORMANCE_METRICS`, then the `metrics.tasks.pid` log field is mapped to the `principal.process.pid` UDM field. Else, the `subject.responsible_process_id` log field is mapped to the `principal.process.pid` UDM field.
`subject.process_id`	`principal.process_ancestors.pid`	If the `subject.responsible_process_id` log field value is not empty, then the `subject.process_id` log field is mapped to the `principal.process_ancestors.pid` UDM field. Else, the `subject.process_id` log field is mapped to the `principal.process.pid` UDM field.
`subject.audit_user_name`	`principal.labels[audit_user_name]` (deprecated)
`subject.audit_user_name`	`additional.fields[audit_user_name]`
`subject.process_name`	`principal.process_ancestors.file.full_path`	If the `subject.responsible_process_name` log field value is not empty, then the `subject.process_name` log field is mapped to the `principal.process_ancestors.file.full_path` UDM field. Else, the `subject.process_name` log field is mapped to the `principal.process.file.full_path` UDM field.
`subject.responsible_process_name`	`principal.process.file.full_path`
`subject.process_hash`	`principal.process.file.sha1`
`subject.terminal_id.type`	`principal.labels[type]` (deprecated)	If the `subject.terminal_id.type` log field value is equal to `4`, then the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `principal.labels.value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `principal.labels.value` UDM field is set to `6-IPv6`. Else, the `principal.labels.key` UDM field is set to `subject_terminal_id_type` and the `subject.terminal_id.type` log field is mapped to the `principal.labels.value` UDM field.
`subject.terminal_id.type`	`additional.fields[type]`	If the `subject.terminal_id.type` log field value is equal to `4`, then the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `6-IPv6`. Else, the `additional.fields.key` UDM field is set to `subject_terminal_id_type` and the `subject.terminal_id.type` log field is mapped to the `additional.fields.value.string_value` UDM field.
`subject.terminal_id.ip_address`	`principal.ip`
`subject.terminal_id.port`	`principal.port`
`texts`	`metadata.description`	If the `index` value is equal to `0`, then the `texts` log field is mapped to the `metadata.description` UDM field. Else, the `texts` log field is mapped to the `about.labels.value` UDM field.
`attributes.device`	`principal.asset.attribute.labels[device]`
`attributes.owner_group_name`	`about.group.group_display_name`
`attributes.owner_group_id`	`about.user.group_identifiers`
`attributes.owner_user_id`	`about.user.userid`
`attributes.owner_user_name`	`about.user.user_display_name`
`attributes.file_system_id`	`principal.labels[attributes_file_system_id]` (deprecated)
`attributes.file_system_id`	`additional.fields[attributes_file_system_id]`
`attributes.file_access_mode`	`principal.labels[attributes_file_access_mode]` (deprecated)
`attributes.file_access_mode`	`additional.fields[attributes_file_access_mode]`
`attributes.node_id`	`principal.asset.asset_id`
`path`	`about.labels[path]`
`arguments.cmd`	`principal.labels[arguments_cmd]` (deprecated)
`arguments.cmd`	`additional.fields[arguments_cmd]`
`arguments.policy`	`principal.labels[arguments_policy]` (deprecated)
`arguments.policy`	`additional.fields[arguments_policy]`
`arguments.length`	`principal.labels[arguments_length]` (deprecated)
`arguments.length`	`additional.fields[arguments_length]`
`_event_score`	`security_result.severity_details`
`architecture`	`principal.asset.hardware.cpu_model`
`arguments.addr`	`principal.labels[arguments_addr]` (deprecated)
`arguments.addr`	`additional.fields[arguments_addr]`
`arguments.am_failure`	`principal.labels[arguments_am_failure]` (deprecated)
`arguments.am_failure`	`additional.fields[arguments_am_failure]`
`arguments.am_success`	`principal.labels[arguments_am_success]` (deprecated)
`arguments.am_success`	`additional.fields[arguments_am_success]`
`arguments.authenticated_as_test`	`principal.labels[arguments_authenticated_as_test]` (deprecated)
`arguments.authenticated_as_test`	`additional.fields[arguments_authenticated_as_test]`
`arguments.child_PID`	`principal.labels[arguments_child_PID]` (deprecated)
`arguments.child_PID`	`additional.fields[arguments_child_PID]`
`arguments.data`	`principal.labels[arguments_data]` (deprecated)
`arguments.data`	`additional.fields[arguments_data]`
`arguments.domain`	`principal.labels[arguments_domain]` (deprecated)
`arguments.domain`	`additional.fields[arguments_domain]`
`arguments.fd`	`principal.labels[arguments_fd]` (deprecated)
`arguments.fd`	`additional.fields[arguments_fd]`
`arguments.flags`	`principal.labels[arguments_flags]` (deprecated)
`arguments.flags`	`additional.fields[arguments_flags]`
`arguments.authenticated_as_allen.golbig`	`principal.labels[authenticated_as_allen_golbig]` (deprecated)
`arguments.authenticated_as_allen.golbig`	`additional.fields[authenticated_as_allen_golbig]`
`arguments.known_UID_`	`principal.labels[argument_known_uid]` (deprecated)
`arguments.known_UID_`	`additional.fields[argument_known_uid]`
`arguments.pid`	`principal.labels[arguments_pid]` (deprecated)
`arguments.pid`	`additional.fields[arguments_pid]`
`arguments.port`	`principal.labels[arguments_port]` (deprecated)
`arguments.port`	`additional.fields[arguments_port]`
`arguments.priority`	`security_result.priority_details`
`arguments.process`	`principal.labels[argument_process]` (deprecated)
`arguments.process`	`additional.fields[argument_process]`
`arguments.protocol`	`principal.labels[argument_protocol]` (deprecated)
`arguments.protocol`	`additional.fields[argument_protocol]`
`arguments.request`	`principal.labels[argument_request]` (deprecated)
`arguments.request`	`additional.fields[argument_request]`
`arguments.sflags`	`principal.labels[arguments_sflags]` (deprecated)
`arguments.sflags`	`additional.fields[arguments_sflags]`
`arguments.signal`	`principal.labels[argument_signal]` (deprecated)
`arguments.signal`	`additional.fields[argument_signal]`
`arguments.target_port,process.terminal_id.port,socket_inet.port`	`target.port`	If the `header.event_name` log field value is equal to `AUE_KILL` or `AUE_TASKFORPID`, then the `process.port` log field is mapped to the `target.port` UDM field. Else, if the `header.event_name` log field value is equal to `AUE_BIND` or `AUE_CONNECT`, then the `socket_inet.port` log field is mapped to the `target.port` UDM field. Else, the `agument.target_port` log field is mapped to the `target.port` UDM field.
`arguments.task_port`	`principal.labels[task_port]` (deprecated)
`arguments.task_port`	`additional.fields[task_port]`
`arguments.type`	`principal.labels[argument_type]` (deprecated)
`arguments.type`	`additional.fields[argument_type]`
`arguments.which`	`principal.labels[which]` (deprecated)
`arguments.which`	`additional.fields[which]`
`arguments.who`	`principal.labels[who]` (deprecated)
`arguments.who`	`additional.fields[who]`
`bios_firmware_versions.booter-version`	`principal.asset.attribute.labels[booter_version]`
`bios_firmware_versions.firmware-features`	`principal.asset.attribute.labels[firmware_features]`
`bios_firmware_versions.firmware-version`	`principal.asset.attribute.labels[firmware_version]`
`bios_firmware_versions.release-date`	`principal.asset.attribute.labels[release_date]`
`bios_firmware_versions.rom-size`	`principal.asset.attribute.labels[rom_size]`
`bios_firmware_versions.system-firmware-version`	`principal.asset.attribute.labels[system_firmware_version]`
`bios_firmware_versions.vendor`	`principal.asset.attribute.labels[vendor]`
`bios_firmware_versions.version`	`principal.asset.attribute.labels[version]`
`exec_args.args_compiled`	`principal.process.command_line`
`exec_chain_parent.uuid`	`principal.labels[parent_uuid]` (deprecated)
`exec_chain_parent.uuid`	`additional.fields[parent_uuid]`
`exec_env.env_compiled`	`about.labels[env_compiled]` (deprecated)
`exec_env.env_compiled`	`additional.fields[env_compiled]`
`exec_env.env.PATH`	`about.labels[env_path]` (deprecated)
`exec_env.env.PATH`	`additional.fields[env_path]`
`exit.return_value`	`principal.labels[return_value]` (deprecated)
`exit.return_value`	`additional.fields[return_value]`
`exit.status`	`principal.labels[exit_status]` (deprecated)
`exit.status`	`additional.fields[exit_status]`
`process.audit_id`	`about.labels[process_audit_id]` (deprecated)
`process.audit_id`	`additional.fields[process_audit_id]`
`process.audit_user_name`	`about.labels[audit_user_name]` (deprecated)
`process.audit_user_name`	`additional.fields[audit_user_name]`
`process.group_idprocess.effective_group_id`	`about.user.group_identifiers`
`process.group_name`	`about.group.group_display_name`
`process.process_hash`	`target.process.file.sha1`
`process.process_id`	`target.process.pid`
`process.process_name`	`target.process.file.full_path`
`process.session_id`	`target.labels[process_session_id]` (deprecated)
`process.session_id`	`additional.fields[process_session_id]`
`process.terminal_id.addr`	`target.labels[addr]`
`process.terminal_id.ip_address`	`target.ip`
`process.terminal_id.type`	`target.labels[process_terminal_id_type]` (deprecated)	If the `process.terminal_id.type` log field value is equal to `4`, then the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `target.labels.value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `target.labels.value` UDM field is set to `6-IPv6`. Else, the `target.labels.key` UDM field is set to `process_terminal_id_type` and the `process.terminal_id.type` log field is mapped to the `target.labels.value` UDM field.
`process.terminal_id.type`	`additional.fields[process_terminal_id_type]`	If the `process.terminal_id.type` log field value is equal to `4`, then the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `4-IPv4`. Else, if the `subject.terminal_id.type` log field value is equal to `6`, then the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `additional.fields.value.string_value` UDM field is set to `6-IPv6`. Else, the `additional.fields.key` UDM field is set to `process_terminal_id_type` and the `process.terminal_id.type` log field is mapped to the `additional.fields.value.string_value` UDM field.
`process.user_id`	`about.user.userid`
`process.user_name`	`about.user.user_display_name`
`rateLimitingSeconds`	`about.labels[rate_limiting_seconds]` (deprecated)
`rateLimitingSeconds`	`additional.fields[rate_limiting_seconds]`
`socket_inet.family`	`target.labels[socket_inet_family]` (deprecated)
`socket_inet.family`	`additional.fields[socket_inet_family]`
`socket_inet.id`	`target.labels[socket_inet_id]` (deprecated)	If the `socket_inet.id` log field value is equal to `128`, then the `target.labels.key` UDM field is set to `socket_inet_id` and the `target.labels.value` UDM field is set to `128-IPv4`. Else, if the `socket_inet.id` log field value is equal to `129`, then the `target.labels.key` UDM field is set to `socket_inet_id` and the `target.labels.value` UDM field is set to `129-IPv6`. Else, the `target.labels.key` UDM field is set to `socket_inet_id` and the `socket_inet.ip` log field is mapped to the `target.labels.value` UDM field.
`socket_inet.id`	`additional.fields[socket_inet_id]`	If the `socket_inet.id` log field value is equal to `128`, then the `additional.fields.key` UDM field is set to `socket_inet_id` and the `additional.fields.value.string_value` UDM field is set to `128-IPv4`. Else, if the `socket_inet.id` log field value is equal to `129`, then the `additional.fields.key` UDM field is set to `socket_inet_id` and the `additional.fields.value.string_value` UDM field is set to `129-IPv6`. Else, the `additional.fields.key` UDM field is set to `socket_inet_id` and the `socket_inet.ip` log field is mapped to the `additional.fields.value.string_value` UDM field.
`socket_inet.ip_address`	`target.ip`
`socket_unix.family`	`target.labels[socket_unix_family]` (deprecated)
`socket_unix.family`	`additional.fields[socket_unix_family]`
`socket_unix.path`	`target.file.full_path`
`subject.terminal_id.addr`	`target.labels[addr]`
`metrics.hw_model`	`principal.asset.hardware.model`
`metrics.tasks.bytes_received`	`network.received_bytes`	If the `index` value is equal to `0`, then the `metrics.tasks.bytes_received` log field is mapped to the `network.received_bytes` UDM field. Else, the `metrics.tasks.bytes_received` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.bytes_received_per_s`	`principal.asset.attribute.labels[bytes_received_per_s]`
`metrics.tasks.bytes_sent`	`network.sent_bytes`	If the `index` value is equal to `0`, then the `metrics.tasks.bytes_sent` log field is mapped to the `network.sent_bytes` UDM field. Else, the `metrics.tasks.bytes_sent` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.bytes_sent_per_s`	`principal.asset.attribute.labels[bytes_sent_per_s]`
`metrics.tasks.cputime_ms_per_s`	`principal.asset.attribute.labels[cputime_ms_per_s]`
`metrics.tasks.cputime_ns`	`principal.asset.attribute.labels[cputime_ns]`
`metrics.tasks.cputime_sample_ms_per_s`	`principal.asset.attribute.labels[cputime_sample_ms_per_s]`
`metrics.tasks.cputime_userland_ratio`	`principal.asset.attribute.labels[cputime_userland_ratio]`
`metrics.tasks.diskio_bytesread`	`principal.asset.attribute.labels[diskio_bytesread]`
`metrics.tasks.diskio_bytesread_per_s`	`principal.asset.attribute.labels[diskio_bytesread_per_s]`
`metrics.tasks.diskio_byteswritten`	`principal.asset.attribute.labels[diskio_byteswritten]`
`metrics.tasks.diskio_byteswritten_per_s`	`principal.asset.attribute.labels[diskio_byteswritten_per_s]`
`metrics.tasks.energy_impact`	`principal.asset.attribute.labels[energy_impact]`
`metrics.tasks.energy_impact_per_s`	`principal.asset.attribute.labels[energy_impact_per_s]`
`metrics.tasks.idle_wakeups`	`principal.asset.attribute.labels[idle_wakeups]`
`metrics.tasks.interval_ns`	`principal.asset.attribute.labels[interval_ns]`
`metrics.tasks.intr_wakeups_per_s`	`principal.asset.attribute.labels[intr_wakeups_per_s]`
`metrics.tasks.name`	`principal.asset.attribute.labels[name]`
`metrics.tasks.packets_received`	`network.received_packets`	If the `index` value is equal to `0`, then the `metrics.tasks.packets_received` log field is mapped to the `network.received_packets` UDM field. Else, the `metrics.tasks.packets_received` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.packets_received_per_s`	`principal.asset.attribute.labels[packets_received_per_s]`
`metrics.tasks.packets_sent`	`network.sent_packets`	If the `index` value is equal to `0`, then the `metrics.tasks.packets_sent` log field is mapped to the `network.sent_packets` UDM field. Else, the `metrics.tasks.packets_sent` log field is mapped to the `principal.asset.attribute.labels.value` UDM field.
`metrics.tasks.packets_sent_per_s`	`principal.asset.attribute.labels[packets_sent_per_s]`
`metrics.tasks.pageins`	`principal.asset.attribute.labels[pageins]`
`metrics.tasks.pageins_per_s`	`principal.asset.attribute.labels[pageins_per_s]`
`metrics.tasks.qos_background_ms_per_s`	`principal.asset.attribute.labels[qos_background_ms_per_s]`
`metrics.tasks.qos_background_ns`	`principal.asset.attribute.labels[qos_background_ns]`
`metrics.tasks.qos_default_ms_per_s`	`principal.asset.attribute.labels[qos_default_ms_per_s]`
`metrics.tasks.qos_default_ns`	`principal.asset.attribute.labels[qos_default_ns]`
`metrics.tasks.qos_disabled_ms_per_s`	`principal.asset.attribute.labels[qos_disabled_ms_per_s]`
`metrics.tasks.qos_disabled_ns`	`principal.asset.attribute.labels[qos_disabled_ns]`
`metrics.tasks.qos_maintenance_ms_per_s`	`principal.asset.attribute.labels[qos_maintenance_ms_per_s]`
`metrics.tasks.qos_maintenance_ns`	`principal.asset.attribute.labels[qos_maintenance_ns]`
`metrics.tasks.qos_user_initiated_ms_per_s`	`principal.asset.attribute.labels[qos_user_initiated_ms_per_s]`
`metrics.tasks.qos_user_initiated_ns`	`principal.asset.attribute.labels[qos_user_initiated_ns]`
`metrics.tasks.qos_user_interactive_ms_per_s`	`principal.asset.attribute.labels[qos_user_interactive_ms_per_s]`
`metrics.tasks.qos_user_interactive_ns`	`principal.asset.attribute.labels[qos_user_interactive_ns]`
`metrics.tasks.qos_utility_ms_per_s`	`principal.asset.attribute.labels[qos_utility_ms_per_s]`
`metrics.tasks.qos_utility_ns`	`principal.asset.attribute.labels[qos_utility_ns]`
`metrics.tasks.started_abstime_ns`	`principal.asset.attribute.labels[started_abstime_ns]`
`metrics.tasks.timer_wakeups.wakeups`	`principal.asset.attribute.labels[timer_wakeups]`
`page_info.page`	`about.labels[page_info_page]` (deprecated)
`page_info.page`	`additional.fields[page_info_page]`
`page_info.total`	`about.labels[page_info_total]` (deprecated)
`page_info.total`	`additional.fields[page_info_total]`
`exec_env.env._`	`about.labels[env]` (deprecated)
`exec_env.env._`	`additional.fields[env]`
`exec_env.env.__CF_USER_TEXT_ENCODING`	`about.labels[env__CF_USER_TEXT_ENCODING]` (deprecated)
`exec_env.env.__CF_USER_TEXT_ENCODING`	`additional.fields[env__CF_USER_TEXT_ENCODING]`
`exec_env.env.__CFBundleIdentifier`	`about.labels[env__CFBundleIdentifier]` (deprecated)
`exec_env.env.__CFBundleIdentifier`	`additional.fields[env__CFBundleIdentifier]`
`exec_env.env.ASDF_DIR`	`about.labels[env_ASDF_DIR]` (deprecated)
`exec_env.env.ASDF_DIR`	`additional.fields[env_ASDF_DIR]`
`exec_env.env.HOME`	`about.labels[env_HOME]` (deprecated)
`exec_env.env.HOME`	`additional.fields[env_HOME]`
`exec_env.env.LANG`	`about.labels[env_LANG]` (deprecated)
`exec_env.env.LANG`	`additional.fields[env_LANG]`
`exec_env.env.LC_TERMINAL`	`about.labels[env_LC_TERMINAL]` (deprecated)
`exec_env.env.LC_TERMINAL`	`additional.fields[env_LC_TERMINAL]`
`exec_env.env.LC_TERMINAL_VERSION`	`about.labels[env_LC_TERMINAL_VERSION]` (deprecated)
`exec_env.env.LC_TERMINAL_VERSION`	`additional.fields[env_LC_TERMINAL_VERSION]`
`exec_env.env.MAIL`	`about.labels[env_MAIL]` (deprecated)
`exec_env.env.MAIL`	`additional.fields[env_MAIL]`
`exec_env.env.MallocSpaceEfficient`	`about.labels[env_MallocSpaceEfficient]` (deprecated)
`exec_env.env.MallocSpaceEfficient`	`additional.fields[env_MallocSpaceEfficient]`
`exec_env.env.OLDPWD`	`about.labels[env_OLDPWD]` (deprecated)
`exec_env.env.OLDPWD`	`additional.fields[env_OLDPWD]`
`exec_env.env.PWD`	`about.file.full_path`
`exec_env.env.SHELL`	`about.labels[env_SHELL]` (deprecated)
`exec_env.env.SHELL`	`additional.fields[env_SHELL]`
`exec_env.env.SHLVL`	`about.labels[env_SHLVL]` (deprecated)
`exec_env.env.SHLVL`	`additional.fields[env_SHLVL]`
`exec_env.env.SSH_AUTH_SOCK`	`about.labels[env_SSH_AUTH_SOCK]` (deprecated)
`exec_env.env.SSH_AUTH_SOCK`	`additional.fields[env_SSH_AUTH_SOCK]`
`exec_env.env.SSH_CLIENT`	`about.labels[env_SSH_CLIENT]` (deprecated)
`exec_env.env.SSH_CLIENT`	`additional.fields[env_SSH_CLIENT]`
`exec_env.env.SSH_CONNECTION`	`about.labels[env_SSH_CONNECTION]` (deprecated)
`exec_env.env.SSH_CONNECTION`	`additional.fields[env_SSH_CONNECTION]`
`exec_env.env.SSH_TTY`	`about.labels[env_SSH_TTY]` (deprecated)
`exec_env.env.SSH_TTY`	`additional.fields[env_SSH_TTY]`
`exec_env.env.SUDO_COMMAND`	`about.labels[env_SUDO_COMMAND]` (deprecated)
`exec_env.env.SUDO_COMMAND`	`additional.fields[env_SUDO_COMMAND]`
`exec_env.env.SUDO_GID`	`about.user.group_identifiers`
`exec_env.env.SUDO_UID`	`about.user.userid`
`exec_env.env.SUDO_USER`	`about.user.user_display_name`
`exec_env.env.TERM`	`about.labels[env_TERM]` (deprecated)
`exec_env.env.TERM`	`additional.fields[env_TERM]`
`exec_env.env.LOGNAME`	`about.labels[env_LOGNAME]` (deprecated)
`exec_env.env.LOGNAME`	`additional.fields[env_LOGNAME]`
`exec_env.env.USER`	`about.labels[env_USER]` (deprecated)
`exec_env.env.USER`	`additional.fields[env_USER]`
`exec_env.env.TERM_PROGRAM`	`about.labels[env_TERM_PROGRAM]` (deprecated)
`exec_env.env.TERM_PROGRAM`	`additional.fields[env_TERM_PROGRAM]`
`exec_env.env.TERM_PROGRAM_VERSION`	`about.labels[env_TERM_PROGRAM_VERSION]` (deprecated)
`exec_env.env.TERM_PROGRAM_VERSION`	`additional.fields[env_TERM_PROGRAM_VERSION]`
`exec_env.env.TERM_SESSION_ID`	`about.labels[env_TERM_SESSION_ID]` (deprecated)
`exec_env.env.TERM_SESSION_ID`	`additional.fields[env_TERM_SESSION_ID]`
`exec_env.env.TMPDIR`	`about.labels[env_TMPDIR]` (deprecated)
`exec_env.env.TMPDIR`	`additional.fields[env_TMPDIR]`
`exec_env.env.XPC_FLAGS`	`about.labels[env_XPC_FLAGS]` (deprecated)
`exec_env.env.XPC_FLAGS`	`additional.fields[env_XPC_FLAGS]`
`exec_env.env.XPC_SERVICE_NAME`	`about.labels[env_XPC_SERVICE_NAME]` (deprecated)
`exec_env.env.XPC_SERVICE_NAME`	`additional.fields[env_XPC_SERVICE_NAME]`
	`target.resource.resource_type`	If the `header.event_name` log field value is equal to `AUE_GETAUID`, then the `target.resource.resource_type` UDM field is set to `TASK`. Else, if the `header.event_name` log field value is equal to `AUE_SETPRIORITY or AUE_SETTIMEOFDAY`, then the `target.resource.resource_type` UDM field is set to `SETTING`.
	`extensions.auth.mechanism`	If the `header.event_name` log field value contains one of the following values, then the `mechanism` UDM field is set to `USERNAME_PASSWORD`: `AUE_auth_user` `AUE_logout` `AUE_lw_login` `AUE_openssh` `AUE_SESSION_CLOSE` `AUE_SESSION_END` `AUE_SESSION_START` `AUE_ssauthint` `AUE_ssauthmech` `AUE_ssauthorize`

後續步驟

將資料擷取至 Google Security Operations

還有其他問題嗎？向社群成員和 Google SecOps 專業人員尋求答案。