Collect OCSF logs
This document describes the supported event types for OCSF logs and how log fields map to Google SecOps Unified Data Model (UDM) fields.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the OCSF ingestion label.
Supported OCSF log formats
The OCSF parser supports logs in JSON format.
Supported OCSF Sample Logs
JSON:

```json
{
  "activity_id": 1,
  "activity_name": "Logon",
  "certificate": {
    "created_time": 1602175307000,
    "expiration_time": 1602175307000,
    "issuer": "dummy",
    "serial_number": "1234567",
    "subject": "user",
    "version": "1"
  },
  "auth_protocol": "NTLM",
  "auth_protocol_id": 1,
  "category_name": "Audit Activity",
  "category_uid": 3,
  "class_name": "Authentication",
  "class_uid": 3002,
  "device": {
    "hostname": "dummy_hostname",
    "hw_info": {
      "bios_manufacturer": "bios_manufacturer",
      "cpu_cores": 42,
      "cpu_speed": 4200,
      "cpu_type": "x86 Family 6 Model 37 Stepping 5",
      "ram_size": 2048,
      "serial_number": "serial123"
    },
    "location": {
      "coordinates": [-73.983, 40.719],
      "city": "city",
      "country": "country",
      "region": "region"
    },
    "os": {
      "name": "Windows",
      "type": "Windows",
      "type_id": 100
    },
    "type": "Unknown",
    "type_id": 2
  },
  "dst_endpoint": {
    "hostname": "dummy_hostname",
    "domain": "dummy@domain.com",
    "uid": "123456789",
    "ip": "198.51.100.4",
    "intermediate_ips": ["198.51.100.5", "198.51.100.6"],
    "mac": "47-1E-10-E7-2B-D0",
    "port": 420,
    "location": {
      "coordinates": [-73.983, 40.719],
      "city": "city",
      "country": "country",
      "region": "region"
    }
  },
  "actor": {
    "process": {
      "created_time": 1538087851000,
      "parent_process": {
        "cmd_line": "actor_parent_process_cmd_line"
      },
      "file": {
        "name": "-",
        "path": "-",
        "type": "Regular File",
        "type_id": 1,
        "accessed_time": 1538087851000,
        "created_time": 1538087851000,
        "modified_time": 1538087851000,
        "mime_type": "actor_file_type",
        "size": 45
      },
      "pid": 0,
      "cmd_line": "actor_process_cmd_line",
      "uid": "456"
    },
    "session": {
      "uid": "0x0"
    },
    "user": {
      "account_type": "Windows Account",
      "account_type_id": 2,
      "domain": "-",
      "name": "-",
      "uid": "NULL SID"
    }
  },
  "logon_type": "Network",
  "logon_type_id": 3,
  "message": "An account failed to log on.",
  "metadata": {
    "original_time": "10/08/2020 12:41:47 PM",
    "product": {
      "feature": {
        "name": "Security"
      },
      "name": "Microsoft Windows",
      "vendor_name": "Microsoft"
    },
    "profiles": ["host"],
    "uid": "a738d6e6-4ebd-49bb-805e-45d0604a1bef",
    "version": "1.0.0-rc.2"
  },
  "severity": "Informational",
  "severity_id": 1,
  "src_endpoint": {
    "hostname": "dummy_hostname",
    "domain": "dummy@domain.com",
    "ip": "198.51.100.4",
    "intermediate_ips": ["198.51.100.5", "198.51.100.6"],
    "mac": "00:1b:63:84:45:e6",
    "port": 420,
    "location": {
      "coordinates": [-73.983, 40.719],
      "city": "city",
      "country": "country",
      "region": "region"
    }
  },
  "status": "0xC000006D",
  "status_detail": "Unknown user name or bad password.",
  "status_id": 2,
  "time": 1602175307000,
  "type_name": "Authentication: Logon",
  "type_uid": 300201,
  "unmapped": {
    "Detailed Authentication Information": {
      "Key Length": "0",
      "Package Name (NTLM only)": "-",
      "Transited Services": "-"
    },
    "EventCode": "4625",
    "EventType": "0",
    "Failure Information": {
      "Sub Status": "0xC000006A"
    },
    "OpCode": "Info",
    "RecordNumber": "223742",
    "SourceName": "Microsoft Windows security auditing.",
    "TaskCategory": "Logon"
  },
  "user": {
    "account_type": "Windows Account",
    "account_type_id": 2,
    "domain": "dummy.domain.com",
    "name": "Administrator",
    "uid": "NULL SID"
  }
}
```
Field mapping reference
Field mapping reference: Event Identifier to Event Type
The following table lists the OCSF event classes (log types) that the parser supports. The UDM event type for each class is derived by that class's own field mapping table (for Authentication, from activity_id).

| Event Identifier |
|---|
| Authentication |
| Authorize Session |
| Security Finding |
| FTP Activity |
| Detection Finding |
| Process Activity |
| Http Activity |
| Network Activity |
| Network File Activity |
| File Hosting Activity |
| API Activity |
| DNS Activity |
Field mapping reference: OCSF Authentication
The following table lists the log fields for the Authentication log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| activity_id | metadata.event_type | If activity_id is 1, metadata.event_type is set to USER_LOGIN. If it is 2, it is set to USER_LOGOUT. Otherwise it is set to USER_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | The concatenated value %{activity_id} - %{activity_name} is mapped to metadata.product_event_type. |
| api.response.code | network.http.response_code | |
| api.service.name | target.application | If dst_endpoint.svc_name is not empty, dst_endpoint.svc_name is mapped to target.application. Otherwise, if service.name is not empty, service.name is mapped. Otherwise, if api.service.name is not empty, api.service.name is mapped. |
| category_name | security_result.category_details | The concatenated value %{category_uid} - %{category_name} is mapped to security_result.category_details. |
| category_uid | security_result.category_details | The concatenated value %{category_uid} - %{category_name} is mapped to security_result.category_details. |
| certificate.created_time | network.tls.client.certificate.not_before | |
| certificate.expiration_time | network.tls.client.certificate.not_after | |
| certificate.issuer | network.tls.client.certificate.issuer | |
| certificate.serial_number | network.tls.client.certificate.serial | |
| certificate.subject | network.tls.client.certificate.subject | |
| certificate.version | network.tls.client.certificate.version | |
| class_name | metadata.log_type | |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If cloud.provider matches the regular expression pattern AWS, the field is set to AMAZON_WEB_SERVICES. Otherwise, if it matches MS Azure, it is set to MICROSOFT_AZURE. Otherwise, if it matches GCP, it is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.domain | principal.asset.network_domain | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hostname | principal.asset.hostname | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
| device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
| device.location.country | principal.asset.location.country_or_region | |
| device.location.region | principal.asset.location.name | Mapped only if device.region is empty. |
| device.mac | principal.asset.mac | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.os.type_id | principal.asset.platform_software.platform | If device.os.type_id is 100 or 101, the field is set to WINDOWS. If it is 200, LINUX. If it is 201, ANDROID. If it is 300, MAC. If it is 301, IOS. Otherwise it is set to UNKNOWN_PLATFORM. |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.region | principal.asset.location.name | |
| device.type_id | principal.asset.type | If device.type_id is 1, the field is set to SERVER. If it is 2, WORKSTATION. If it is 3, LAPTOP. If it is 4 or 5, MOBILE. If it is 7, IOT. Otherwise it is set to ROLE_UNSPECIFIED. |
| device.uid | principal.asset.product_object_id | |
| dst_endpoint.domain | target.domain.name | |
| dst_endpoint.hostname | target.hostname | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| dst_endpoint.ip | target.ip | |
| dst_endpoint.location.city | target.location.city | |
| dst_endpoint.location.coordinates.0 | target.location.region_coordinates.longitude | |
| dst_endpoint.location.coordinates.1 | target.location.region_coordinates.latitude | |
| dst_endpoint.location.country | target.location.country_or_region | |
| dst_endpoint.location.region | target.location.name | |
| dst_endpoint.mac | target.mac | |
| dst_endpoint.port | target.port | |
| dst_endpoint.svc_name | target.application | If dst_endpoint.svc_name is not empty, dst_endpoint.svc_name is mapped to target.application. Otherwise, if service.name is not empty, service.name is mapped. Otherwise, if api.service.name is not empty, api.service.name is mapped. |
| dst_endpoint.uid | target.asset_id | |
| http_request.http_method | network.http.method | |
| http_request.referrer | network.http.referral_url | |
| http_request.user_agent | network.http.user_agent | |
| logon_process.cmd_line | principal.process.command_line | Mapped when not empty; if logon_process.cmd_line is empty, actor.process.cmd_line is mapped instead. |
| actor.process.cmd_line | principal.process.command_line | Mapped only if logon_process.cmd_line is empty. |
| logon_process.file.accessed_time | principal.process.file.last_seen_time | Mapped when not empty; if logon_process.file.accessed_time is empty, actor.process.file.accessed_time is mapped instead. |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | Mapped only if logon_process.file.accessed_time is empty. |
| logon_process.file.created_time | principal.process.file.first_seen_time | Mapped when not empty; if logon_process.file.created_time is empty, actor.process.file.created_time is mapped instead. |
| actor.process.file.created_time | principal.process.file.first_seen_time | Mapped only if logon_process.file.created_time is empty. |
| logon_process.file.mime_type | principal.process.file.mime_type | Mapped when not empty; if logon_process.file.mime_type is empty, actor.process.file.mime_type is mapped instead. |
| actor.process.file.mime_type | principal.process.file.mime_type | Mapped only if logon_process.file.mime_type is empty. |
| logon_process.file.modified_time | principal.process.file.last_modification_time | Mapped when not empty; if logon_process.file.modified_time is empty, actor.process.file.modified_time is mapped instead. |
| actor.process.file.modified_time | principal.process.file.last_modification_time | Mapped only if logon_process.file.modified_time is empty. |
| logon_process.file.name | principal.process.file.names | Mapped when not empty; if logon_process.file.name is empty, actor.process.file.name is mapped instead. |
| actor.process.file.name | principal.process.file.names | Mapped only if logon_process.file.name is empty. |
| logon_process.file.path | principal.process.file.full_path | Mapped when not empty; if logon_process.file.path is empty, actor.process.file.path is mapped instead. |
| actor.process.file.path | principal.process.file.full_path | Mapped only if logon_process.file.path is empty. |
| logon_process.file.size | principal.process.file.size | Mapped when not empty; if logon_process.file.size is empty, actor.process.file.size is mapped instead. |
| actor.process.file.size | principal.process.file.size | Mapped only if logon_process.file.size is empty. |
| logon_process.parent_process.cmd_line | principal.process.parent_process.command_line | Mapped when not empty; if logon_process.parent_process.cmd_line is empty, actor.process.parent_process.cmd_line is mapped instead. |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | Mapped only if logon_process.parent_process.cmd_line is empty. |
| logon_process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | Mapped when not empty; if logon_process.parent_process.file.accessed_time is empty, actor.process.parent_process.file.accessed_time is mapped instead. |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | Mapped only if logon_process.parent_process.file.accessed_time is empty. |
| logon_process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | Mapped when not empty; if logon_process.parent_process.file.created_time is empty, actor.process.parent_process.file.created_time is mapped instead. |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | Mapped only if logon_process.parent_process.file.created_time is empty. |
| logon_process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | Mapped when not empty; if logon_process.parent_process.file.mime_type is empty, actor.process.parent_process.file.mime_type is mapped instead. |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | Mapped only if logon_process.parent_process.file.mime_type is empty. |
| logon_process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | Mapped when not empty; if logon_process.parent_process.file.modified_time is empty, actor.process.parent_process.file.modified_time is mapped instead. |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | Mapped only if logon_process.parent_process.file.modified_time is empty. |
| logon_process.parent_process.file.name | principal.process.parent_process.file.names | Mapped when not empty; if logon_process.parent_process.file.name is empty, actor.process.parent_process.file.name is mapped instead. |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | Mapped only if logon_process.parent_process.file.name is empty. |
| logon_process.parent_process.file.path | principal.process.parent_process.file.full_path | Mapped when not empty; if logon_process.parent_process.file.path is empty, actor.process.parent_process.file.path is mapped instead. |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | Mapped only if logon_process.parent_process.file.path is empty. |
| logon_process.parent_process.file.size | principal.process.parent_process.file.size | Mapped when not empty; if logon_process.parent_process.file.size is empty, actor.process.parent_process.file.size is mapped instead. |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | Mapped only if logon_process.parent_process.file.size is empty. |
| logon_process.parent_process.pid | principal.process.parent_process.pid | Mapped when not empty; if logon_process.parent_process.pid is empty, actor.process.parent_process.pid is mapped instead. |
| actor.process.parent_process.pid | principal.process.parent_process.pid | Mapped only if logon_process.parent_process.pid is empty. |
| logon_process.parent_process.uid | principal.process.parent_process.product_specific_process_id | Mapped when not empty; if logon_process.parent_process.uid is empty, actor.process.parent_process.uid is mapped instead. |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | Mapped only if logon_process.parent_process.uid is empty. |
| logon_process.pid | principal.process.pid | Mapped when not empty; if logon_process.pid is empty, actor.process.pid is mapped instead. |
| actor.process.pid | principal.process.pid | Mapped only if logon_process.pid is empty. |
| logon_process.uid | principal.process.product_specific_process_id | Mapped when not empty; if logon_process.uid is empty, actor.process.uid is mapped instead. |
| actor.process.uid | principal.process.product_specific_process_id | Mapped only if logon_process.uid is empty. |
| logon_type_id | extensions.auth.mechanism | If logon_type_id is 0, extensions.auth.mechanism is set to LOCAL. If it is 2, INTERACTIVE. If it is 3, NETWORK. If it is 4, BATCH. If it is 5, SERVICE. If it is 7, UNLOCK. If it is 8, NETWORK_CLEAR_TEXT. If it is 9, NEW_CREDENTIALS. If it is 10, REMOTE_INTERACTIVE. If it is 11, CACHED_INTERACTIVE. If it is 12, CACHED_REMOTE_INTERACTIVE. If it is 13, CACHED_UNLOCK. Otherwise it is set to MECHANISM_UNSPECIFIED. |
| message | metadata.description | Mapped when not empty; if message is empty, api.response.message is mapped instead. |
| api.response.message | metadata.description | Mapped only if message is empty. |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| observables.value | observer.file.names | Iterate through observables. If the index is 0 and observables.type_id is 1, observables.value is mapped to observer.hostname. Otherwise, if observables.type_id is 2, it is mapped to observer.ip; if 3, to observer.mac; if 4, to observer.user.userid; if 5, to observer.user.email_addresses; if 6, to observer.url; if 7, to observer.file.names; if 8, to observer.file.vhash; if 9, to observer.process.file.names; if 10, to observer.resource.product_object_id. |
| observables.value | observer.file.vhash | Same logic as the first observables.value row; this field receives the value when observables.type_id is 8. |
| observables.value | observer.hostname | Same logic as the first observables.value row; this field receives the value when observables.type_id is 1. |
| observables.value | observer.ip | Same logic as the first observables.value row; this field receives the value when observables.type_id is 2. |
| observables.value | observer.mac | Same logic as the first observables.value row; this field receives the value when observables.type_id is 3. |
| observables.value | observer.process.file.names | Same logic as the first observables.value row; this field receives the value when observables.type_id is 9. |
| observables.value | observer.resource.product_object_id | Same logic as the first observables.value row; this field receives the value when observables.type_id is 10. |
| observables.value | observer.url | Same logic as the first observables.value row; this field receives the value when observables.type_id is 6. |
observables.value |
observer.user.email_addresses |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
service.name |
target.application |
If the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if service.name log field value is not empty then, service.name log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, api.service.name log field is mapped to the target.application UDM field. |
session.uid |
network.session_id |
If the session.uid log field value is empty then, actor.session.uid log field is mapped to the network.session_id UDM field. |
actor.session.uid |
network.session_id |
If the session.uid log field value is empty then, actor.session.uid log field is mapped to the network.session_id UDM field. |
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
src_endpoint.domain |
principal.domain.name |
|
src_endpoint.hostname |
principal.hostname |
|
src_endpoint.intermediate_ips |
intermediary.ip |
|
src_endpoint.ip |
principal.ip |
|
src_endpoint.location.city |
principal.location.city |
|
src_endpoint.location.coordinates.0 |
principal.location.region_coordinates.longitude |
|
src_endpoint.location.coordinates.1 |
principal.location.region_coordinates.latitude |
|
src_endpoint.location.country |
principal.location.country_or_region |
|
src_endpoint.location.region |
principal.location.name |
|
src_endpoint.mac |
principal.mac |
|
src_endpoint.port |
principal.port |
|
src_endpoint.svc_name |
principal.application |
|
src_endpoint.uid |
principal.asset_id |
|
time |
metadata.event_timestamp |
|
user.domain |
target.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.domain log field is mapped to the target.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.domain log field is mapped to the target.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.domain log field is mapped to the target.administrative_domain UDM field. |
actor.user.domain |
target.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.domain log field is mapped to the target.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.domain log field is mapped to the target.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.domain log field is mapped to the target.administrative_domain UDM field. |
logon_process.user.domain |
target.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.domain log field is mapped to the target.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.domain log field is mapped to the target.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.domain log field is mapped to the target.administrative_domain UDM field. |
user.domain |
principal.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.domain |
principal.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
logon_process.user.domain |
principal.administrative_domain |
If the user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if logon_process.user.domain log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
user.email_addr |
target.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.email_addr log field is mapped to the target.user.email_addresses UDM field. |
actor.user.email_addr |
target.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.email_addr log field is mapped to the target.user.email_addresses UDM field. |
logon_process.user.email_addr |
target.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.email_addr log field is mapped to the target.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.email_addr log field is mapped to the target.user.email_addresses UDM field. |
user.email_addr |
principal.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
logon_process.user.email_addr |
principal.user.email_addresses |
If the user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if logon_process.user.email_addr log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
user.full_name |
target.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.full_name log field is mapped to the target.user.user_display_name UDM field. |
actor.user.full_name |
target.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.full_name log field is mapped to the target.user.user_display_name UDM field. |
logon_process.user.full_name |
target.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.full_name log field is mapped to the target.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.full_name log field is mapped to the target.user.user_display_name UDM field. |
user.full_name |
principal.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.full_name |
principal.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
logon_process.user.full_name |
principal.user.user_display_name |
If the user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if logon_process.user.full_name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
user.groups.name |
principal.group.group_display_name |
|
actor.user.groups.name |
principal.group.group_display_name |
|
logon_process.user.groups.name |
principal.group.group_display_name |
|
user.groups.privileges |
principal.group.attribute.permissions.name |
|
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
|
logon_process.user.groups.privileges |
principal.group.attribute.permissions.name |
|
user.groups.uid |
principal.user.group_identifiers |
|
actor.user.groups.uid |
principal.user.group_identifiers |
|
logon_process.user.groups.uid |
principal.user.group_identifiers |
|
user.name |
target.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.name log field is mapped to the target.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.name log field is mapped to the target.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.name log field is mapped to the target.user.userid UDM field. |
actor.user.name |
target.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.name log field is mapped to the target.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.name log field is mapped to the target.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.name log field is mapped to the target.user.userid UDM field. |
logon_process.user.name |
target.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.name log field is mapped to the target.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.name log field is mapped to the target.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.name log field is mapped to the target.user.userid UDM field. |
user.name |
principal.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.name |
principal.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.name log field is mapped to the principal.user.userid UDM field. |
logon_process.user.name |
principal.user.userid |
If the user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if logon_process.user.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.name log field is mapped to the principal.user.userid UDM field. |
user.org.name |
target.user.company_name |
If the user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.org.name log field is mapped to the target.user.company_name UDM field. Else, if actor.user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.org.name log field is mapped to the target.user.company_name UDM field. Else, if logon_process.user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.org.name log field is mapped to the target.user.company_name UDM field. |
actor.user.org.name |
target.user.company_name |
If the user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.org.name log field is mapped to the target.user.company_name UDM field. Else, if actor.user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.org.name log field is mapped to the target.user.company_name UDM field. Else, if logon_process.user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.org.name log field is mapped to the target.user.company_name UDM field. |
logon_process.user.org.name |
target.user.company_name |
If the user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.org.name log field is mapped to the target.user.company_name UDM field. Else, if actor.user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.org.name log field is mapped to the target.user.company_name UDM field. Else, if logon_process.user.org.name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.org.name log field is mapped to the target.user.company_name UDM field. |
user.org.name |
principal.user.company_name |
If the user.org.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.user.org.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if logon_process.user.org.name log field value is not empty and if the activity_id log field value is not equal to 1 or the activity_id log field value is not equal to 2 then, logon_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.name |
principal.user.company_name |
If the user.org.name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if the actor.user.org.name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if the logon_process.user.org.name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the logon_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
logon_process.user.org.name |
principal.user.company_name |
If the user.org.name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if the actor.user.org.name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if the logon_process.user.org.name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the logon_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
user.org.ou_name |
target.user.department |
If the user.org.ou_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.org.ou_name log field is mapped to the target.user.department UDM field. Else, if actor.user.org.ou_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.org.ou_name log field is mapped to the target.user.department UDM field. Else, if logon_process.user.org.ou_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.org.ou_name log field is mapped to the target.user.department UDM field. |
actor.user.org.ou_name |
target.user.department |
If the user.org.ou_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.org.ou_name log field is mapped to the target.user.department UDM field. Else, if actor.user.org.ou_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.org.ou_name log field is mapped to the target.user.department UDM field. Else, if logon_process.user.org.ou_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.org.ou_name log field is mapped to the target.user.department UDM field. |
logon_process.user.org.ou_name |
target.user.department |
If the user.org.ou_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.org.ou_name log field is mapped to the target.user.department UDM field. Else, if actor.user.org.ou_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.org.ou_name log field is mapped to the target.user.department UDM field. Else, if logon_process.user.org.ou_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.org.ou_name log field is mapped to the target.user.department UDM field. |
user.org.ou_name |
principal.user.department |
If the user.org.ou_name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if the actor.user.org.ou_name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if the logon_process.user.org.ou_name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the logon_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.org.ou_name |
principal.user.department |
If the user.org.ou_name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if the actor.user.org.ou_name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if the logon_process.user.org.ou_name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the logon_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
logon_process.user.org.ou_name |
principal.user.department |
If the user.org.ou_name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if the actor.user.org.ou_name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if the logon_process.user.org.ou_name log field value is not empty and the activity_id log field value is neither 1 nor 2, then the logon_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
user.type_id |
target.user.attribute.roles.name |
If the user.type_id log field value is not empty and the activity_id log field value is equal to 1 or 2, then the target.user.attribute.roles.name UDM field is set from user.type_id as follows: 0 is set to Unknown, 1 is set to User, 2 is set to Admin, 3 is set to System, and any other value is set to Other. Else, if the actor.user.type_id log field value is not empty and the activity_id log field value is equal to 1 or 2, then the target.user.attribute.roles.name UDM field is set from actor.user.type_id using the same mapping. Else, if the logon_process.user.type_id log field value is not empty and the activity_id log field value is equal to 1 or 2, then the target.user.attribute.roles.name UDM field is set from logon_process.user.type_id using the same mapping. |
actor.user.type_id |
target.user.attribute.roles.name |
If the user.type_id log field value is not empty and the activity_id log field value is equal to 1 or 2, then the target.user.attribute.roles.name UDM field is set from user.type_id as follows: 0 is set to Unknown, 1 is set to User, 2 is set to Admin, 3 is set to System, and any other value is set to Other. Else, if the actor.user.type_id log field value is not empty and the activity_id log field value is equal to 1 or 2, then the target.user.attribute.roles.name UDM field is set from actor.user.type_id using the same mapping. Else, if the logon_process.user.type_id log field value is not empty and the activity_id log field value is equal to 1 or 2, then the target.user.attribute.roles.name UDM field is set from logon_process.user.type_id using the same mapping. |
logon_process.user.type_id |
target.user.attribute.roles.name |
If the user.type_id log field value is not empty and the activity_id log field value is equal to 1 or 2, then the target.user.attribute.roles.name UDM field is set from user.type_id as follows: 0 is set to Unknown, 1 is set to User, 2 is set to Admin, 3 is set to System, and any other value is set to Other. Else, if the actor.user.type_id log field value is not empty and the activity_id log field value is equal to 1 or 2, then the target.user.attribute.roles.name UDM field is set from actor.user.type_id using the same mapping. Else, if the logon_process.user.type_id log field value is not empty and the activity_id log field value is equal to 1 or 2, then the target.user.attribute.roles.name UDM field is set from logon_process.user.type_id using the same mapping. |
user.type_id |
principal.user.attribute.roles.name |
If the user.type_id log field value is not empty and the activity_id log field value is neither 1 nor 2, then the principal.user.attribute.roles.name UDM field is set from user.type_id as follows: 0 is set to Unknown, 1 is set to User, 2 is set to Admin, 3 is set to System, and any other value is set to Other. Else, if the actor.user.type_id log field value is not empty and the activity_id log field value is neither 1 nor 2, then the principal.user.attribute.roles.name UDM field is set from actor.user.type_id using the same mapping. Else, if the logon_process.user.type_id log field value is not empty and the activity_id log field value is neither 1 nor 2, then the principal.user.attribute.roles.name UDM field is set from logon_process.user.type_id using the same mapping. |
actor.user.type_id |
principal.user.attribute.roles.name |
If the user.type_id log field value is not empty and the activity_id log field value is neither 1 nor 2, then the principal.user.attribute.roles.name UDM field is set from user.type_id as follows: 0 is set to Unknown, 1 is set to User, 2 is set to Admin, 3 is set to System, and any other value is set to Other. Else, if the actor.user.type_id log field value is not empty and the activity_id log field value is neither 1 nor 2, then the principal.user.attribute.roles.name UDM field is set from actor.user.type_id using the same mapping. Else, if the logon_process.user.type_id log field value is not empty and the activity_id log field value is neither 1 nor 2, then the principal.user.attribute.roles.name UDM field is set from logon_process.user.type_id using the same mapping. |
logon_process.user.type_id |
principal.user.attribute.roles.name |
If the user.type_id log field value is not empty and the activity_id log field value is neither 1 nor 2, then the principal.user.attribute.roles.name UDM field is set from user.type_id as follows: 0 is set to Unknown, 1 is set to User, 2 is set to Admin, 3 is set to System, and any other value is set to Other. Else, if the actor.user.type_id log field value is not empty and the activity_id log field value is neither 1 nor 2, then the principal.user.attribute.roles.name UDM field is set from actor.user.type_id using the same mapping. Else, if the logon_process.user.type_id log field value is not empty and the activity_id log field value is neither 1 nor 2, then the principal.user.attribute.roles.name UDM field is set from logon_process.user.type_id using the same mapping. |
user.uid |
target.user.product_object_id |
If the user.uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.uid log field is mapped to the target.user.windows_sid UDM field. Else, if actor.user.uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.uid log field is mapped to the target.user.windows_sid UDM field. Else, if logon_process.user.uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.uid log field is mapped to the target.user.windows_sid UDM field. |
actor.user.uid |
target.user.product_object_id |
If the user.uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.uid log field is mapped to the target.user.windows_sid UDM field. Else, if actor.user.uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.uid log field is mapped to the target.user.windows_sid UDM field. Else, if logon_process.user.uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.uid log field is mapped to the target.user.windows_sid UDM field. |
logon_process.user.uid |
target.user.product_object_id |
If the user.uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.uid log field is mapped to the target.user.windows_sid UDM field. Else, if actor.user.uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.uid log field is mapped to the target.user.windows_sid UDM field. Else, if logon_process.user.uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.uid log field is mapped to the target.user.windows_sid UDM field. |
user.uid |
principal.user.product_object_id |
If the user.uid log field value is not empty and the activity_id log field value is neither 1 nor 2, then the user.uid log field is mapped to the principal.user.windows_sid UDM field. Else, if the actor.user.uid log field value is not empty and the activity_id log field value is neither 1 nor 2, then the actor.user.uid log field is mapped to the principal.user.windows_sid UDM field. Else, if the logon_process.user.uid log field value is not empty and the activity_id log field value is neither 1 nor 2, then the logon_process.user.uid log field is mapped to the principal.user.windows_sid UDM field. |
actor.user.uid |
principal.user.product_object_id |
If the user.uid log field value is not empty and the activity_id log field value is neither 1 nor 2, then the user.uid log field is mapped to the principal.user.windows_sid UDM field. Else, if the actor.user.uid log field value is not empty and the activity_id log field value is neither 1 nor 2, then the actor.user.uid log field is mapped to the principal.user.windows_sid UDM field. Else, if the logon_process.user.uid log field value is not empty and the activity_id log field value is neither 1 nor 2, then the logon_process.user.uid log field is mapped to the principal.user.windows_sid UDM field. |
logon_process.user.uid |
principal.user.product_object_id |
If the user.uid log field value is not empty and the activity_id log field value is neither 1 nor 2, then the user.uid log field is mapped to the principal.user.windows_sid UDM field. Else, if the actor.user.uid log field value is not empty and the activity_id log field value is neither 1 nor 2, then the actor.user.uid log field is mapped to the principal.user.windows_sid UDM field. Else, if the logon_process.user.uid log field value is not empty and the activity_id log field value is neither 1 nor 2, then the logon_process.user.uid log field is mapped to the principal.user.windows_sid UDM field. |
actor.user.account_uid |
target.user.attribute.labels[actor_user_account_id] |
If the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.account_uid log field is mapped to the target.user.attribute.labels UDM field. Else, actor.user.account_uid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.account_uid |
principal.user.attribute.labels[actor_user_account_id] |
If the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.account_uid log field is mapped to the target.user.attribute.labels UDM field. Else, actor.user.account_uid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.type |
target.user.attribute.labels[actor_user_type] |
If the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.type log field is mapped to the target.user.attribute.labels UDM field. Else, actor.user.type log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.type |
principal.user.attribute.labels[actor_user_type] |
If the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.type log field is mapped to the target.user.attribute.labels UDM field. Else, actor.user.type log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.uuid |
target.user.attribute.labels[actor_user_uuid] |
If the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.uuid log field is mapped to the target.user.attribute.labels UDM field. Else, actor.user.uuid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.uuid |
principal.user.attribute.labels[actor_user_uuid] |
If the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.uuid log field is mapped to the target.user.attribute.labels UDM field. Else, actor.user.uuid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.account_type |
target.user.attribute.labels[actor_user_account_type] |
If the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.account_type log field is mapped to the target.user.attribute.labels UDM field. Else, actor.user.account_type log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.account_type |
principal.user.attribute.labels[actor_user_account_type] |
If the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.account_type log field is mapped to the target.user.attribute.labels UDM field. Else, actor.user.account_type log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.account_type_id |
target.user.attribute.labels[actor_user_account_type_id] |
If the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.account_type_id log field is mapped to the target.user.attribute.labels UDM field. Else, actor.user.account_type_id log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.account_type_id |
principal.user.attribute.labels[actor_user_account_type_id] |
If the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.account_type_id log field is mapped to the target.user.attribute.labels UDM field. Else, actor.user.account_type_id log field is mapped to the principal.user.attribute.labels UDM field. |
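The user-field routing described in the rows above (the user > actor.user > logon_process.user precedence chain, activity_id 1 or 2 selecting target.user versus principal.user, the user.type_id enum, and the actor.user.* labels), as an added example in Python. This is not the Google SecOps parser and not code from the original page; the sample events are constructed for illustration. For user.uid the table's UDM field column (target.user.product_object_id) and its logic column (target.user.windows_sid) disagree; the example follows the UDM field column, which is an assumption, and label values are written as strings, which is also an assumption.

```python
"""Re-implementation of the OCSF -> UDM user routing rules from the mapping
table (added example, not the Google SecOps parser)."""
import json
from typing import Any

# user.type_id enum as listed in the table; any other value becomes "Other".
USER_TYPE_ROLE = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}

# Precedence chain for the user object, in the order the logic column gives.
USER_SOURCES = ("user", "actor.user", "logon_process.user")

# actor.user.* fields that the table copies into <noun>.user.attribute.labels.
ACTOR_LABEL_FIELDS = ("account_uid", "type", "uuid", "account_type", "account_type_id")


def get_path(event: dict, path: str) -> Any:
    """Resolve a dotted path such as 'actor.user.org.name'.
    Returns None when the path is absent or the value is empty, which is how
    the table's 'log field value is not empty' condition is modelled here."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return None if cur is None or cur == "" else cur


def first_non_empty(event: dict, suffix: str) -> Any:
    """First non-empty of user.<suffix>, actor.user.<suffix>, logon_process.user.<suffix>."""
    for base in USER_SOURCES:
        val = get_path(event, f"{base}.{suffix}")
        if val is not None:
            return val
    return None


def user_noun(event: dict) -> str:
    """activity_id 1 (Logon) or 2 (Logoff) -> target; anything else -> principal."""
    return "target" if event.get("activity_id") in (1, 2) else "principal"


def map_user_fields(event: dict) -> dict:
    """Flat UDM key/value pairs for the user rows of the table."""
    noun = user_noun(event)
    udm: dict = {}

    org = first_non_empty(event, "org.name")
    if org is not None:
        udm[f"{noun}.user.company_name"] = org

    ou = first_non_empty(event, "org.ou_name")
    if ou is not None:
        udm[f"{noun}.user.department"] = ou

    type_id = first_non_empty(event, "type_id")
    if type_id is not None:
        udm[f"{noun}.user.attribute.roles.name"] = USER_TYPE_ROLE.get(type_id, "Other")

    uid = first_non_empty(event, "uid")
    if uid is not None:
        # Assumption: follow the UDM field column (product_object_id).
        udm[f"{noun}.user.product_object_id"] = uid

    # actor.user.* labels use the same activity_id routing but no precedence chain.
    labels = {}
    for field in ACTOR_LABEL_FIELDS:
        val = get_path(event, f"actor.user.{field}")
        if val is not None:
            labels[f"actor_user_{field}"] = str(val)  # assumption: string labels
    if labels:
        udm[f"{noun}.user.attribute.labels"] = labels
    return udm


# Constructed sample events (not from the page), shaped like the class 3002
# sample at the top of the page. user.org.name is deliberately empty so the
# company name falls through to actor.user.org.name.
LOGON_EVENT = {
    "activity_id": 1, "class_uid": 3002,
    "user": {"name": "alice", "uid": "S-1-5-21-1-2-3-1001", "type_id": 1,
             "org": {"name": "", "ou_name": "Finance"}},
    "actor": {"user": {"name": "svc-backup", "uid": "S-1-5-21-1-2-3-1105",
                       "type_id": 3, "account_type_id": 2,
                       "org": {"name": "Example Corp", "ou_name": "IT"}}},
}
OTHER_EVENT = {
    "activity_id": 3, "class_uid": 3002,  # neither Logon nor Logoff
    "actor": {"user": {"name": "bob", "uid": "S-1-5-21-1-2-3-1002", "type_id": 7}},
}

if __name__ == "__main__":
    print(json.dumps(map_user_fields(LOGON_EVENT), indent=2))
    print(json.dumps(map_user_fields(OTHER_EVENT), indent=2))
```

Running it shows the two behaviours worth checking before relying on the parser output in detection rules: the logon event lands entirely under target.user (company name taken from actor.user because user.org.name was empty), while the activity_id 3 event lands under principal.user with the unlisted type_id 7 rendered as Other.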
actor.process.file.parent_folder |
principal.labels[actor_process_file_parent_folder] |
|
actor.process.file.type |
principal.labels[actor_process_file_type] |
|
actor.process.file.type_id |
principal.labels[actor_process_file_type_id] |
|
api.operation |
about.labels[api_operation] |
|
metadata.product.feature.name |
about.labels[metadata_product_feature_name] |
|
metadata.profiles |
about.labels[metadata_profiles] |
|
metadata.version |
about.labels[metadata_version] |
|
mfa |
about.labels[mfa] |
|
status |
security_result.detection_fields[status] |
|
status_id |
security_result.detection_fields[status_id] |
|
type_name |
about.labels[type_name] |
|
type_uid |
about.labels[type_uid] |
|
actor.process.file.parent_folder |
additional.fields[actor_process_file_parent_folder] |
|
actor.process.file.type |
additional.fields[actor_process_file_type] |
|
actor.process.file.type_id |
additional.fields[actor_process_file_type_id] |
|
api.operation |
additional.fields[api_operation] |
|
metadata.product.feature.name |
additional.fields[metadata_product_feature_name] |
|
metadata.profiles |
additional.fields[metadata_profiles] |
|
| metadata.version | additional.fields[metadata_version] | |
| mfa | additional.fields[mfa] | |
| type_name | additional.fields[type_name] | |
| type_uid | additional.fields[type_uid] | |
| auth_protocol | additional.fields[auth_protocol] | |
| auth_protocol_id | additional.fields[auth_protocol_id] | |
| logon_process.name | additional.fields[logon_process_name] | |
| logon_type | additional.fields[logon_type] | |
| session.uuid | additional.fields[session_uuid] | |
| status_detail | additional.fields[status_detail] | |
| metadata.original_time | additional.fields[metadata_original_time] | |
| auth_protocol | about.labels[auth_protocol] | |
| auth_protocol_id | about.labels[auth_protocol_id] | |
| logon_process.name | principal.labels[logon_process_name] | |
| logon_type | principal.labels[logon_type] | |
| session.uuid | about.labels[session_uuid] | |
| status_detail | about.labels[status_detail] | |
| metadata.original_time | about.labels[metadata_original_time] | |
| user.uuid | target.user.attribute.labels[actor_user_uuid] | |
| user.uuid | principal.user.attribute.labels[actor_user_uuid] | |
| device.os.name | principal.asset.attribute.labels[device_os_name] | |
| device.os.type | principal.asset.attribute.labels[device_os_type] | |
| device.type | principal.asset.attribute.labels[device_type] | |
| user.account_type | target.user.attribute.labels[user_account_type] | If the activity_id log field value is equal to 1 or 2, the user.account_type log field is mapped to the target.user.attribute.labels UDM field. Else, it is mapped to the principal.user.attribute.labels UDM field. |
| user.account_type | principal.user.attribute.labels[user_account_type] | If the activity_id log field value is equal to 1 or 2, the user.account_type log field is mapped to the target.user.attribute.labels UDM field. Else, it is mapped to the principal.user.attribute.labels UDM field. |
| user.account_type_id | target.user.attribute.labels[user_account_type_id] | If the activity_id log field value is equal to 1 or 2, the user.account_type_id log field is mapped to the target.user.attribute.labels UDM field. Else, it is mapped to the principal.user.attribute.labels UDM field. |
| user.account_type_id | principal.user.attribute.labels[user_account_type_id] | If the activity_id log field value is equal to 1 or 2, the user.account_type_id log field is mapped to the target.user.attribute.labels UDM field. Else, it is mapped to the principal.user.attribute.labels UDM field. |
| actor.session.uid_alt | additional.fields[actor_session_uid_alt] | |
| actor.session.count | additional.fields[actor_session_count] | |
| actor.session.expiration_reason | additional.fields[actor_session_expiration_reason] | |
| actor.session.is_mfa | additional.fields[actor_session_is_mfa] | |
| actor.session.terminal | additional.fields[actor_session_terminal] | |
| actor.session.is_vpn | additional.fields[actor_session_is_vpn] | |
| certificate.uid | additional.fields[certificate_uid] | |
| dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
| dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
| dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
| dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
| dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
| dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
| dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
| dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
| dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
| dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
| dst_endpoint.type | additional.fields[dst_endpoint_type] | |
| dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
| dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
| dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
| dst_endpoint.proxy_endpoint.port | intermediary.port | |
| dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
| dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
| dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
| http_request.length | additional.fields[http_request_length] | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | For each entry of the metadata.loggers log field, the metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
| metadata.loggers.device.ip | about.asset.ip | For each entry of the metadata.loggers log field, the metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | For each entry of the metadata.loggers log field, the metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_loggers_device_instance_uid] | For each entry of the metadata.loggers log field, the metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_loggers_device_name] | For each entry of the metadata.loggers log field, the metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_loggers_device_interface_uid] | For each entry of the metadata.loggers log field, the metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_loggers_device_interface_name] | For each entry of the metadata.loggers log field, the metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_loggers_device_region] | For each entry of the metadata.loggers log field, the metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_loggers_device_type_id] | For each entry of the metadata.loggers log field, the metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_loggers_product_name] | For each entry of the metadata.loggers log field, the metadata.loggers.product.name log field is mapped to the additional.fields[metadata_loggers_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_loggers_product_vendor_name] | For each entry of the metadata.loggers log field, the metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_loggers_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_loggers_product_version] | For each entry of the metadata.loggers log field, the metadata.loggers.product.version log field is mapped to the additional.fields[metadata_loggers_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_loggers_product_uid] | For each entry of the metadata.loggers log field, the metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_loggers_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | For each entry of the metadata.loggers log field, the metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | For each entry of the metadata.loggers log field, the metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | For each entry of the metadata.loggers log field, the metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | For each entry of the metadata.loggers log field, the metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
| session.uid_alt | additional.fields[session_uid_alt] | |
| session.count | additional.fields[session_count] | |
| session.expiration_reason | additional.fields[session_expiration_reason] | |
| session.is_mfa | additional.fields[session_is_mfa] | |
| session.terminal | additional.fields[session_terminal] | |
| session.is_vpn | additional.fields[session_is_vpn] | |
| src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
| src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
| src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
| src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
| src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
| src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
| src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
| src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
| src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
| src_endpoint.type | additional.fields[src_endpoint_type] | |
| src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
| src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
| src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| src_endpoint.proxy_endpoint.ip | intermediary.ip | |
| src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| src_endpoint.proxy_endpoint.mac | intermediary.mac | |
| src_endpoint.proxy_endpoint.port | intermediary.port | |
| src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
| src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
| src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
| src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
| src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
user.ldap_person.email_addrs |
principal.user.email_addresses |
If the user.ldap_person.email_addrs log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. Else, user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.user.ldap_person.email_addrs log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. Else, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if logon_process.user.ldap_person.email_addrs log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. Else, logon_process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the user.ldap_person.email_addrs log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. Else, user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.user.ldap_person.email_addrs log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. Else, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if logon_process.user.ldap_person.email_addrs log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. Else, logon_process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
logon_process.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the user.ldap_person.email_addrs log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. Else, user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.user.ldap_person.email_addrs log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. Else, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if logon_process.user.ldap_person.email_addrs log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. Else, logon_process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
user.ldap_person.employee_uid |
principal.user.employee_id |
If the user.ldap_person.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if actor.user.ldap_person.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if logon_process.user.ldap_person.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else,. |
actor.user.ldap_person.employee_uid |
principal.user.employee_id |
If the user.ldap_person.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if actor.user.ldap_person.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if logon_process.user.ldap_person.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else,. |
logon_process.user.ldap_person.employee_uid |
principal.user.employee_id |
If the user.ldap_person.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if actor.user.ldap_person.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if logon_process.user.ldap_person.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else,. |
user.ldap_person.given_name |
principal.user.first_name |
If the user.ldap_person.given_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. Else, user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if actor.user.ldap_person.given_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. Else, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if logon_process.user.ldap_person.given_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. Else, logon_process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.user.ldap_person.given_name |
principal.user.first_name |
If the user.ldap_person.given_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. Else, user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if actor.user.ldap_person.given_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. Else, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if logon_process.user.ldap_person.given_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. Else, logon_process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
logon_process.user.ldap_person.given_name |
principal.user.first_name |
If the user.ldap_person.given_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. Else, user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if actor.user.ldap_person.given_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. Else, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if logon_process.user.ldap_person.given_name log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. Else, logon_process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
user.ldap_person.hire_time |
principal.user.hire_date |
If the user.ldap_person.hire_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. Else, user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if actor.user.ldap_person.hire_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. Else, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if logon_process.user.ldap_person.hire_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. Else, logon_process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.user.ldap_person.hire_time |
principal.user.hire_date |
If the user.ldap_person.hire_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. Else, user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if actor.user.ldap_person.hire_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. Else, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if logon_process.user.ldap_person.hire_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. Else, logon_process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
logon_process.user.ldap_person.hire_time |
principal.user.hire_date |
If the user.ldap_person.hire_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. Else, user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if actor.user.ldap_person.hire_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. Else, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if logon_process.user.ldap_person.hire_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. Else, logon_process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
user.ldap_person.job_title |
principal.user.title |
The first non-empty value among user.ldap_person.job_title, actor.user.ldap_person.job_title and logon_process.user.ldap_person.job_title (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.title UDM field; otherwise it is mapped to the principal.user.title UDM field. |
actor.user.ldap_person.job_title |
principal.user.title |
The first non-empty value among user.ldap_person.job_title, actor.user.ldap_person.job_title and logon_process.user.ldap_person.job_title (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.title UDM field; otherwise it is mapped to the principal.user.title UDM field. |
logon_process.user.ldap_person.job_title |
principal.user.title |
The first non-empty value among user.ldap_person.job_title, actor.user.ldap_person.job_title and logon_process.user.ldap_person.job_title (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.title UDM field; otherwise it is mapped to the principal.user.title UDM field. |
user.ldap_person.last_login_time |
principal.user.last_login_time |
The first non-empty value among user.ldap_person.last_login_time, actor.user.ldap_person.last_login_time and logon_process.user.ldap_person.last_login_time (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.last_login_time UDM field; otherwise it is mapped to the principal.user.last_login_time UDM field. |
actor.user.ldap_person.last_login_time |
principal.user.last_login_time |
The first non-empty value among user.ldap_person.last_login_time, actor.user.ldap_person.last_login_time and logon_process.user.ldap_person.last_login_time (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.last_login_time UDM field; otherwise it is mapped to the principal.user.last_login_time UDM field. |
logon_process.user.ldap_person.last_login_time |
principal.user.last_login_time |
The first non-empty value among user.ldap_person.last_login_time, actor.user.ldap_person.last_login_time and logon_process.user.ldap_person.last_login_time (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.last_login_time UDM field; otherwise it is mapped to the principal.user.last_login_time UDM field. |
user.ldap_person.office_location |
principal.user.office_address.name |
The first non-empty value among user.ldap_person.office_location, actor.user.ldap_person.office_location and logon_process.user.ldap_person.office_location (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.office_address.name UDM field; otherwise it is mapped to the principal.user.office_address.name UDM field. |
actor.user.ldap_person.office_location |
principal.user.office_address.name |
The first non-empty value among user.ldap_person.office_location, actor.user.ldap_person.office_location and logon_process.user.ldap_person.office_location (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.office_address.name UDM field; otherwise it is mapped to the principal.user.office_address.name UDM field. |
logon_process.user.ldap_person.office_location |
principal.user.office_address.name |
The first non-empty value among user.ldap_person.office_location, actor.user.ldap_person.office_location and logon_process.user.ldap_person.office_location (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.office_address.name UDM field; otherwise it is mapped to the principal.user.office_address.name UDM field. |
user.ldap_person.surname |
principal.user.last_name |
The first non-empty value among user.ldap_person.surname, actor.user.ldap_person.surname and logon_process.user.ldap_person.surname (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.last_name UDM field; otherwise it is mapped to the principal.user.last_name UDM field. |
actor.user.ldap_person.surname |
principal.user.last_name |
The first non-empty value among user.ldap_person.surname, actor.user.ldap_person.surname and logon_process.user.ldap_person.surname (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.last_name UDM field; otherwise it is mapped to the principal.user.last_name UDM field. |
logon_process.user.ldap_person.surname |
principal.user.last_name |
The first non-empty value among user.ldap_person.surname, actor.user.ldap_person.surname and logon_process.user.ldap_person.surname (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.last_name UDM field; otherwise it is mapped to the principal.user.last_name UDM field. |
user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
The first non-empty value among user.ldap_person.cost_center, actor.user.ldap_person.cost_center and logon_process.user.ldap_person.cost_center (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
The first non-empty value among user.ldap_person.cost_center, actor.user.ldap_person.cost_center and logon_process.user.ldap_person.cost_center (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
logon_process.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
The first non-empty value among user.ldap_person.cost_center, actor.user.ldap_person.cost_center and logon_process.user.ldap_person.cost_center (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
The first non-empty value among user.ldap_person.created_time, actor.user.ldap_person.created_time and logon_process.user.ldap_person.created_time (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
The first non-empty value among user.ldap_person.created_time, actor.user.ldap_person.created_time and logon_process.user.ldap_person.created_time (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
logon_process.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
The first non-empty value among user.ldap_person.created_time, actor.user.ldap_person.created_time and logon_process.user.ldap_person.created_time (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
The first non-empty value among user.ldap_person.deleted_time, actor.user.ldap_person.deleted_time and logon_process.user.ldap_person.deleted_time (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
The first non-empty value among user.ldap_person.deleted_time, actor.user.ldap_person.deleted_time and logon_process.user.ldap_person.deleted_time (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
logon_process.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
The first non-empty value among user.ldap_person.deleted_time, actor.user.ldap_person.deleted_time and logon_process.user.ldap_person.deleted_time (checked in that order) is used. If the activity_id log field value is 1 or 2, it is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
actor.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
logon_process.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the user.ldap_person.location log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if the actor.user.ldap_person.location log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if the logon_process.user.ldap_person.location log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.location log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_location] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the logon_process.user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the logon_process.user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
logon_process.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the logon_process.user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the logon_process.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the logon_process.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
logon_process.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the logon_process.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the logon_process.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
actor.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the logon_process.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
logon_process.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the logon_process.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the actor.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the logon_process.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the actor.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the logon_process.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
logon_process.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the actor.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the logon_process.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the actor.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the logon_process.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the actor.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the logon_process.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
logon_process.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the actor.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the logon_process.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise, it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise, it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the logon_process.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise, it is mapped to the principal.user.managers.email_addresses UDM field. |
actor.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise, it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise, it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the logon_process.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise, it is mapped to the principal.user.managers.email_addresses UDM field. |
logon_process.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise, it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise, it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the logon_process.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise, it is mapped to the principal.user.managers.email_addresses UDM field. |
user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the user.ldap_person.manager.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if actor.user.ldap_person.manager.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if logon_process.user.ldap_person.manager.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else,. |
actor.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the user.ldap_person.manager.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if actor.user.ldap_person.manager.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if logon_process.user.ldap_person.manager.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else,. |
logon_process.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the user.ldap_person.manager.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if actor.user.ldap_person.manager.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else, Else, if logon_process.user.ldap_person.manager.employee_uid log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, Else,. |
user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise, it is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise, it is mapped to the principal.user.managers.first_name UDM field. Else, if the logon_process.user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise, it is mapped to the principal.user.managers.first_name UDM field. |
actor.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise, it is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise, it is mapped to the principal.user.managers.first_name UDM field. Else, if the logon_process.user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise, it is mapped to the principal.user.managers.first_name UDM field. |
logon_process.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the user.ldap_person.manager.given_name log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise, it is mapped to the principal.user.managers.first_name UDM field. Else if the actor.user.ldap_person.manager.given_name log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise, it is mapped to the principal.user.managers.first_name UDM field. Else if the logon_process.user.ldap_person.manager.given_name log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise, it is mapped to the principal.user.managers.first_name UDM field. |
user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the user.ldap_person.manager.hire_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise, it is mapped to the principal.user.managers.hire_date UDM field. Else if the actor.user.ldap_person.manager.hire_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise, it is mapped to the principal.user.managers.hire_date UDM field. Else if the logon_process.user.ldap_person.manager.hire_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise, it is mapped to the principal.user.managers.hire_date UDM field. |
actor.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the user.ldap_person.manager.hire_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise, it is mapped to the principal.user.managers.hire_date UDM field. Else if the actor.user.ldap_person.manager.hire_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise, it is mapped to the principal.user.managers.hire_date UDM field. Else if the logon_process.user.ldap_person.manager.hire_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise, it is mapped to the principal.user.managers.hire_date UDM field. |
logon_process.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the user.ldap_person.manager.hire_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise, it is mapped to the principal.user.managers.hire_date UDM field. Else if the actor.user.ldap_person.manager.hire_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise, it is mapped to the principal.user.managers.hire_date UDM field. Else if the logon_process.user.ldap_person.manager.hire_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise, it is mapped to the principal.user.managers.hire_date UDM field. |
user.ldap_person.manager.job_title |
principal.user.managers.title |
If the user.ldap_person.manager.job_title log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise, it is mapped to the principal.user.managers.title UDM field. Else if the actor.user.ldap_person.manager.job_title log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise, it is mapped to the principal.user.managers.title UDM field. Else if the logon_process.user.ldap_person.manager.job_title log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise, it is mapped to the principal.user.managers.title UDM field. |
actor.user.ldap_person.manager.job_title |
principal.user.managers.title |
If the user.ldap_person.manager.job_title log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise, it is mapped to the principal.user.managers.title UDM field. Else if the actor.user.ldap_person.manager.job_title log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise, it is mapped to the principal.user.managers.title UDM field. Else if the logon_process.user.ldap_person.manager.job_title log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise, it is mapped to the principal.user.managers.title UDM field. |
logon_process.user.ldap_person.manager.job_title |
principal.user.managers.title |
If the user.ldap_person.manager.job_title log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise, it is mapped to the principal.user.managers.title UDM field. Else if the actor.user.ldap_person.manager.job_title log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise, it is mapped to the principal.user.managers.title UDM field. Else if the logon_process.user.ldap_person.manager.job_title log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise, it is mapped to the principal.user.managers.title UDM field. |
user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the user.ldap_person.manager.last_login_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field; otherwise, it is mapped to the principal.user.managers.last_login_time UDM field. Else if the actor.user.ldap_person.manager.last_login_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field; otherwise, it is mapped to the principal.user.managers.last_login_time UDM field. Else if the logon_process.user.ldap_person.manager.last_login_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field; otherwise, it is mapped to the principal.user.managers.last_login_time UDM field. |
actor.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the user.ldap_person.manager.last_login_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field; otherwise, it is mapped to the principal.user.managers.last_login_time UDM field. Else if the actor.user.ldap_person.manager.last_login_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field; otherwise, it is mapped to the principal.user.managers.last_login_time UDM field. Else if the logon_process.user.ldap_person.manager.last_login_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field; otherwise, it is mapped to the principal.user.managers.last_login_time UDM field. |
logon_process.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the user.ldap_person.manager.last_login_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field; otherwise, it is mapped to the principal.user.managers.last_login_time UDM field. Else if the actor.user.ldap_person.manager.last_login_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field; otherwise, it is mapped to the principal.user.managers.last_login_time UDM field. Else if the logon_process.user.ldap_person.manager.last_login_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field; otherwise, it is mapped to the principal.user.managers.last_login_time UDM field. |
user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the user.ldap_person.manager.office_location log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field; otherwise, it is mapped to the principal.user.managers.office_address.name UDM field. Else if the actor.user.ldap_person.manager.office_location log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field; otherwise, it is mapped to the principal.user.managers.office_address.name UDM field. Else if the logon_process.user.ldap_person.manager.office_location log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field; otherwise, it is mapped to the principal.user.managers.office_address.name UDM field. |
actor.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the user.ldap_person.manager.office_location log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field; otherwise, it is mapped to the principal.user.managers.office_address.name UDM field. Else if the actor.user.ldap_person.manager.office_location log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field; otherwise, it is mapped to the principal.user.managers.office_address.name UDM field. Else if the logon_process.user.ldap_person.manager.office_location log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field; otherwise, it is mapped to the principal.user.managers.office_address.name UDM field. |
logon_process.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the user.ldap_person.manager.office_location log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field; otherwise, it is mapped to the principal.user.managers.office_address.name UDM field. Else if the actor.user.ldap_person.manager.office_location log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field; otherwise, it is mapped to the principal.user.managers.office_address.name UDM field. Else if the logon_process.user.ldap_person.manager.office_location log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field; otherwise, it is mapped to the principal.user.managers.office_address.name UDM field. |
user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the user.ldap_person.manager.surname log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field; otherwise, it is mapped to the principal.user.managers.last_name UDM field. Else if the actor.user.ldap_person.manager.surname log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field; otherwise, it is mapped to the principal.user.managers.last_name UDM field. Else if the logon_process.user.ldap_person.manager.surname log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field; otherwise, it is mapped to the principal.user.managers.last_name UDM field. |
actor.user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the user.ldap_person.manager.surname log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field; otherwise, it is mapped to the principal.user.managers.last_name UDM field. Else if the actor.user.ldap_person.manager.surname log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field; otherwise, it is mapped to the principal.user.managers.last_name UDM field. Else if the logon_process.user.ldap_person.manager.surname log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field; otherwise, it is mapped to the principal.user.managers.last_name UDM field. |
logon_process.user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the user.ldap_person.manager.surname log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field; otherwise, it is mapped to the principal.user.managers.last_name UDM field. Else if the actor.user.ldap_person.manager.surname log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field; otherwise, it is mapped to the principal.user.managers.last_name UDM field. Else if the logon_process.user.ldap_person.manager.surname log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field; otherwise, it is mapped to the principal.user.managers.last_name UDM field. |
user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] |
If the user.ldap_person.manager.leave_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else if the actor.user.ldap_person.manager.leave_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else if the logon_process.user.ldap_person.manager.leave_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] |
If the user.ldap_person.manager.leave_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else if the actor.user.ldap_person.manager.leave_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else if the logon_process.user.ldap_person.manager.leave_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
logon_process.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] |
If the user.ldap_person.manager.leave_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else if the actor.user.ldap_person.manager.leave_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else if the logon_process.user.ldap_person.manager.leave_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] |
If the user.ldap_person.manager.modified_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else if the actor.user.ldap_person.manager.modified_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else if the logon_process.user.ldap_person.manager.modified_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] |
If the user.ldap_person.manager.modified_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else if the actor.user.ldap_person.manager.modified_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else if the logon_process.user.ldap_person.manager.modified_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
logon_process.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] |
If the user.ldap_person.manager.modified_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else if the actor.user.ldap_person.manager.modified_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else if the logon_process.user.ldap_person.manager.modified_time log field value is not empty: when the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise, it is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] |
If the user.ldap_person.manager.ldap_cn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if actor.user.ldap_person.manager.ldap_cn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, actor.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if logon_process.user.ldap_person.manager.ldap_cn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, logon_process.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] |
If the user.ldap_person.manager.ldap_cn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if actor.user.ldap_person.manager.ldap_cn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, actor.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if logon_process.user.ldap_person.manager.ldap_cn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, logon_process.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
logon_process.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] |
If the user.ldap_person.manager.ldap_cn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if actor.user.ldap_person.manager.ldap_cn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, actor.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if logon_process.user.ldap_person.manager.ldap_cn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, logon_process.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] |
If the user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if actor.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if logon_process.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] |
If the user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if actor.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if logon_process.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
logon_process.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] |
If the user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if actor.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if logon_process.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_manager_ldap_person_labels] |
If the user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if actor.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if logon_process.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, logon_process.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
actor.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_manager_ldap_person_labels] |
If the user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if actor.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if logon_process.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, logon_process.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
logon_process.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_manager_ldap_person_labels] |
If the user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if actor.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if logon_process.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, logon_process.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] |
If the user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if actor.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if logon_process.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, logon_process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] |
If the user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if actor.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if logon_process.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, logon_process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
logon_process.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] |
If the user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if actor.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if logon_process.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, logon_process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] |
If the user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if actor.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if logon_process.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, logon_process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] |
If the user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if actor.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if logon_process.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, logon_process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
logon_process.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] |
If the user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if actor.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if logon_process.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, logon_process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] |
If the user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if actor.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if logon_process.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] |
If the user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if actor.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if logon_process.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
logon_process.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] |
If the user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if actor.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if logon_process.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
user.ldap_person.manager.location |
principal.user.managers.attribute.labels[user_manager_ldap_person_location] |
If the user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
| actor.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_manager_ldap_person_location] | If the user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
| logon_process.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_manager_ldap_person_location] | If the user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
| user.groups.domain | principal.user.group_identifiers | If the user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if logon_process.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.user.groups.domain | principal.user.group_identifiers | If the user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if logon_process.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
| logon_process.user.groups.domain | principal.user.group_identifiers | If the user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if logon_process.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
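As an added example (not the Google SecOps parser's own code), the following Python models the resolution logic the user rows above describe: the first non-empty candidate among user, actor.user and logon_process.user is taken, and activity_id 1 or 2 places the value on target.user instead of principal.user. The sample events, the helper names and the treatment of a group list as "not empty" when at least one groups[].domain is present are assumptions of this example.

```python
"""Model of the user-field resolution described in the Authentication rows.

Added example, not the Google SecOps parser's code. It reproduces two pieces of
the table's logic so expected UDM output can be checked against sample OCSF
events offline:
  * candidate precedence: user, then actor.user, then logon_process.user;
    the first candidate whose field is non-empty is used;
  * noun selection: activity_id 1 or 2 puts the value on target.user,
    anything else on principal.user.
"""
from typing import Any

# Candidate user objects in the precedence order the table states.
USER_CANDIDATES = ("user", "actor.user", "logon_process.user")

# Label key as written in the table's Logic column (assumption: the Logic
# column, not the UDM mapping column, is followed here).
MANAGER_LOCATION_LABEL = "logon_process_user_ldap_person_location"


def get_path(record: dict, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; None if any step is missing."""
    cur: Any = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def is_empty(value: Any) -> bool:
    """The table's 'not empty' test: missing, blank or empty-container values are empty."""
    return value is None or value == "" or value == [] or value == {}


def user_noun(record: dict) -> str:
    """activity_id 1 or 2 maps the user onto target; any other value onto principal."""
    return "target" if record.get("activity_id") in (1, 2) else "principal"


def map_manager_location(record: dict) -> dict:
    """*.user.ldap_person.manager.location -> <noun>.user.managers.attribute.labels[...]."""
    noun = user_noun(record)
    for base in USER_CANDIDATES:
        value = get_path(record, f"{base}.ldap_person.manager.location")
        if not is_empty(value):
            return {f"{noun}.user.managers.attribute.labels[{MANAGER_LOCATION_LABEL}]": value}
    return {}


def map_group_domains(record: dict) -> dict:
    """Iterate *.user.groups and collect groups[].domain into <noun>.user.group_identifiers.

    Assumption: the first candidate with at least one non-empty groups[].domain
    counts as the one whose groups.domain is 'not empty'.
    """
    noun = user_noun(record)
    for base in USER_CANDIDATES:
        groups = get_path(record, f"{base}.groups")
        if not isinstance(groups, list):
            continue
        domains = [g["domain"] for g in groups
                   if isinstance(g, dict) and not is_empty(g.get("domain"))]
        if domains:
            return {f"{noun}.user.group_identifiers": domains}
    return {}


def map_user_fields(record: dict) -> dict:
    """Apply both rows to one OCSF event and return the resulting UDM fields."""
    out: dict = {}
    out.update(map_manager_location(record))
    out.update(map_group_domains(record))
    return out


# Constructed sample events (not taken from the page's sample log).
# Logon (activity_id 1) with no top-level user: actor.user is the first non-empty candidate.
SAMPLE_LOGON = {
    "activity_id": 1,
    "actor": {"user": {
        "name": "jdoe",
        "ldap_person": {"manager": {"location": "Zurich"}},
        "groups": [{"domain": "corp.example"}, {"domain": ""}, {"name": "no-domain"}],
    }},
}

# Non-logon activity (activity_id 3): actor.user carries an empty location, so the
# logon_process.user candidate is used and the values land on principal.user.
SAMPLE_OTHER = {
    "activity_id": 3,
    "actor": {"user": {"name": "svc", "ldap_person": {"manager": {"location": ""}}}},
    "logon_process": {"user": {
        "ldap_person": {"manager": {"location": "Oslo"}},
        "groups": [{"domain": "lab.example"}],
    }},
}

if __name__ == "__main__":
    for name, event in (("logon", SAMPLE_LOGON), ("other", SAMPLE_OTHER)):
        print(name, map_user_fields(event))
```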
Field mapping reference: OCSF Authorize Session
The following table lists the log fields for the Authorize Session log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
| message | metadata.description | |
| time | metadata.event_timestamp | |
| activity_id | metadata.event_type | If the class_name log field value is equal to Authorize Session and if the activity_id log field value is equal to 1 then, the metadata.event_type UDM field is set to USER_CHANGE_PERMISSIONS. Else, if the activity_id log field value is equal to 2 then, the metadata.event_type UDM field is set to GROUP_MODIFICATION. Else, the metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
| class_name | metadata.log_type | |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| metadata.uid | metadata.product_log_id | |
| metadata.product.name | metadata.product_name | |
| metadata.product.version | metadata.product_version | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.logged_time | metadata.collected_timestamp | |
| api.response.code | network.http.response_code | |
| session.uid | network.session_id | If the session.uid log field value is empty then, actor.session.uid log field is mapped to the network.session_id UDM field. |
| actor.session.uid | network.session_id | If the session.uid log field value is empty then, actor.session.uid log field is mapped to the network.session_id UDM field. |
| observables.value | observer.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.file.vhash | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.hostname | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.mac | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.process.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.resource.product_object_id | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.url | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.email_addresses | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.userid | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| actor.process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| actor.user.domain | principal.administrative_domain | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.hostname | principal.asset.hostname | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.country | principal.asset.location.country_or_region | |
| device.region | principal.asset.location.name | |
| device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
| device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
| device.location.region | principal.asset.location.name | If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
| device.mac | principal.asset.mac | |
| device.domain | principal.asset.network_domain | |
| device.os.type_id | principal.asset.platform_software.platform | If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX. Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC. Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS. Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.uid | principal.asset.product_object_id | |
| device.type_id | principal.asset.type | If the device.type_id log field value is equal to 1 then, the principal.asset.type UDM field is set to SERVER. Else, if device.type_id log field value is equal to 2 then, the principal.asset.type UDM field is set to WORKSTATION. Else, if device.type_id log field value is equal to 3 then, the principal.asset.type UDM field is set to LAPTOP. Else, if device.type_id log field value is equal to 4 or the device.type_id log field value is equal to 5 then, the principal.asset.type UDM field is set to MOBILE. Else, if device.type_id log field value is equal to 7 then, the principal.asset.type UDM field is set to IOT. Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| actor.user.groups.name | principal.group.group_display_name | |
| actor.process.cmd_line | principal.process.command_line | |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.modified_time | principal.process.file.last_modification_time | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.mime_type | principal.process.file.mime_type | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is empty and if the type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.user.type_id | principal.user.attribute.roles.name | If the type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
| actor.user.org.name | principal.user.company_name | |
| actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
| actor.user.org.ou_name | principal.user.department | |
| actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
| actor.user.email_addr | principal.user.email_addresses | |
| actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.user.groups.uid | principal.user.group_identifiers | |
| actor.process.user.full_name | principal.user.user_display_name | If the actor.user.full_name log field value is empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
| actor.user.full_name | principal.user.user_display_name | |
| actor.process.user.name | principal.user.userid | If the actor.user.name log field value is empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
| actor.user.name | principal.user.userid | |
| actor.process.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
| actor.user.uid | principal.user.product_object_id | |
| category_name | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| category_uid | security_result.category_details | |
| severity_id | security_result.severity | If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
| severity | security_result.severity_details | |
user.domain |
target.administrative_domain |
|
| api.service.name | target.application | If the dst_endpoint.svc_name log field value is empty then, %{api.service.name} log field is mapped to the target.application UDM field. |
| dst_endpoint.svc_name | target.application | |
| dst_endpoint.uid | target.asset_id | |
| dst_endpoint.domain | target.domain.name | |
| group.privileges | target.group.attribute.permissions.name | If the user.groups.privileges log field value is empty then, group.privileges log field is mapped to the target.group.attribute.permissions.name UDM field. |
| user.groups.privileges | target.group.attribute.permissions.name | |
| group.name | target.group.group_display_name | If the user.groups.name log field value is empty then, group.name log field is mapped to the target.group.group_display_name UDM field. |
| user.groups.name | target.group.group_display_name | |
| dst_endpoint.hostname | target.hostname | |
| dst_endpoint.ip | target.ip | |
| dst_endpoint.location.city | target.location.city | |
| dst_endpoint.location.country | target.location.country_or_region | |
| dst_endpoint.location.region | target.location.name | |
| dst_endpoint.location.coordinates | target.location.region_coordinates.longitude/latitude | |
| dst_endpoint.mac | target.mac | |
| dst_endpoint.port | target.port | |
| privileges | target.user.attribute.permissions.name | |
| user.type_id | target.user.attribute.roles.name | If the type_id log field value is equal to 0 then, the target.user.attribute.roles.name UDM field is set to Unknown. Else, if type_id log field value is equal to 1 then, the target.user.attribute.roles.name UDM field is set to User. Else, if type_id log field value is equal to 2 then, the target.user.attribute.roles.name UDM field is set to Admin. Else, if type_id log field value is equal to 3 then, the target.user.attribute.roles.name UDM field is set to System. Else, the target.user.attribute.roles.name UDM field is set to Other. |
| user.org.name | target.user.company_name | |
| user.org.ou_name | target.user.department | |
| user.email_addr | target.user.email_addresses | |
| group.uid | target.user.group_identifiers | If the user.groups.uid log field value is empty then, group.uid log field is mapped to the target.user.group_identifiers UDM field. |
| user.groups.uid | target.user.group_identifiers | |
| user.full_name | target.user.user_display_name | |
| user.name | target.user.userid | |
| user.uid | target.user.product_object_id | |
| dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
| dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
| dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
| dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
| dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
| dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
| dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
| dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
| dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
| dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
| dst_endpoint.type | additional.fields[dst_endpoint_type] | |
| dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
| dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
| dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
| dst_endpoint.proxy_endpoint.port | intermediary.port | |
| dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
| dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
| dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
| dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
| dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
| group.domain | principal.user.group_identifiers | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
| metadata.loggers.device.ip | about.asset.ip | Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
| session.uid_alt | additional.fields[session_uid_alt] | |
| session.count | additional.fields[session_count] | |
| session.expiration_reason | additional.fields[session_expiration_reason] | |
| session.is_mfa | additional.fields[session_is_mfa] | |
| session.terminal | additional.fields[session_terminal] | |
| session.is_vpn | additional.fields[session_is_vpn] | |
| user.ldap_person.cost_center | target.user.attribute.labels[user_ldap_person_cost_center] | If the user.ldap_person.cost_center log field value is not empty then, user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
| user.ldap_person.created_time | target.user.attribute.labels[user_ldap_person_created_time] | If the user.ldap_person.created_time log field value is not empty then, user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[user_ldap_person_created_time] UDM field. |
| user.ldap_person.deleted_time | target.user.attribute.labels[user_ldap_person_deleted_time] | If the user.ldap_person.deleted_time log field value is not empty then, user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| user.ldap_person.email_addrs | target.user.email_addresses | If the user.ldap_person.email_addrs log field value is not empty then, user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. |
| user.ldap_person.employee_uid | target.user.employee_uid | If the user.ldap_person.employee_uid log field value is not empty then, user.ldap_person.employee_uid log field is mapped to the target.user.employee_uid UDM field. |
| user.ldap_person.location | target.user.attribute.labels[user_ldap_person_location] | If the user.ldap_person.location log field value is not empty then, user.ldap_person.location log field is mapped to the target.user.attribute.labels[user_ldap_person_location] UDM field. |
| user.ldap_person.given_name | target.user.first_name | If the user.ldap_person.given_name log field value is not empty then, user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. |
| user.ldap_person.hire_time | target.user.hire_date | If the user.ldap_person.hire_time log field value is not empty then, user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. |
| user.ldap_person.job_title | target.user.title | If the user.ldap_person.job_title log field value is not empty then, user.ldap_person.job_title log field is mapped to the target.user.title UDM field. |
| user.ldap_person.ldap_cn | target.user.attribute.labels[user_ldap_person_ldap_cn] | If the user.ldap_person.ldap_cn log field value is not empty then, user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
| user.ldap_person.ldap_dn | target.user.attribute.labels[user_ldap_person_ldap_dn] | If the user.ldap_person.ldap_dn log field value is not empty then, user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
| user.ldap_person.labels | target.user.attribute.labels[user_ldap_person_labels] | If the user.ldap_person.labels log field value is not empty then, user.ldap_person.labels log field is mapped to the target.user.attribute.labels[user_ldap_person_labels] UDM field. |
| user.ldap_person.last_login_time | target.user.last_login_time | If the user.ldap_person.last_login_time log field value is not empty then, user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. |
| user.ldap_person.leave_time | target.user.attribute.labels[user_ldap_person_leave_time] | If the user.ldap_person.leave_time log field value is not empty then, user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
| user.ldap_person.modified_time | target.user.attribute.labels[user_ldap_person_modified_time] | If the user.ldap_person.modified_time log field value is not empty then, user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
| user.ldap_person.office_location | target.user.office_address.name | If the user.ldap_person.office_location log field value is not empty then, user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. |
| user.ldap_person.surname | target.user.last_name | If the user.ldap_person.surname log field value is not empty then, user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. |
| user.ldap_person.manager.cost_center | target.user.managers.attribute.labels[user_ldap_person_cost_center] | If the user.ldap_person.manager.cost_center log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_cost_center] UDM field. |
| user.ldap_person.manager.created_time | target.user.managers.attribute.labels[user_ldap_person_created_time] | If the user.ldap_person.manager.created_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_created_time] UDM field. |
| user.ldap_person.manager.deleted_time | target.user.managers.attribute.labels[user_ldap_person_deleted_time] | If the user.ldap_person.manager.deleted_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_deleted_time] UDM field. |
| user.ldap_person.manager.email_addrs | target.user.managers.email_addresses | If the user.ldap_person.manager.email_addrs log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. |
| user.ldap_person.manager.employee_uid | target.user.managers.employee_uid | If the user.ldap_person.manager.employee_uid log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field. |
| user.ldap_person.manager.location | target.user.managers.attribute.labels[user_ldap_person_location] | If the user.ldap_person.manager.location log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_location] UDM field. |
| user.ldap_person.manager.given_name | target.user.managers.first_name | If the user.ldap_person.manager.given_name log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. |
| user.ldap_person.manager.hire_time | target.user.managers.hire_date | If the user.ldap_person.manager.hire_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. |
| user.ldap_person.manager.job_title | target.user.managers.title | If the user.ldap_person.manager.job_title log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. |
| user.ldap_person.manager.ldap_cn | target.user.managers.attribute.labels[user_ldap_person_ldap_cn] | If the user.ldap_person.manager.ldap_cn log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_ldap_cn] UDM field. |
| user.ldap_person.manager.ldap_dn | target.user.managers.attribute.labels[user_ldap_person_ldap_dn] | If the user.ldap_person.manager.ldap_dn log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_ldap_dn] UDM field. |
| user.ldap_person.manager.labels | target.user.managers.attribute.labels[user_ldap_person_labels] | If the user.ldap_person.manager.labels log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_labels] UDM field. |
| user.ldap_person.manager.last_login_time | target.user.managers.last_login_time | If the user.ldap_person.manager.last_login_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. |
| user.ldap_person.manager.leave_time | target.user.managers.attribute.labels[user_ldap_person_leave_time] | If the user.ldap_person.manager.leave_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_leave_time] UDM field. |
| user.ldap_person.manager.modified_time | target.user.managers.attribute.labels[user_ldap_person_modified_time] | If the user.ldap_person.manager.modified_time log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_modified_time] UDM field. |
| user.ldap_person.manager.office_location | target.user.managers.office_address.name | If the user.ldap_person.manager.office_location log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. |
| user.ldap_person.manager.surname | target.user.managers.last_name | If the user.ldap_person.manager.surname log field value is not empty then, iterate through log field user.ldap_person.manager, then user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. |
| user.groups.domain | target.user.group_identifiers | If the actor.process.user.groups log field value is not empty then, iterate through log field user.groups, then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. |
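As an added illustration (not the Google SecOps parser's own code), the following Python applies three of the rules from the table above to a constructed OCSF event: the severity_id enum, the type_id role names with the actor.user to actor.process.user fallback, and the same fallback for the principal.user attributes. The log and UDM field names are the table's; the helper names and the sample event are this example's own, and the behaviour when both type_id fields are absent is an assumption, since the table does not state it.

```python
"""Worked example of three mapping rules from the OCSF -> UDM table above.

Constructed illustration, not the Google SecOps parser. It follows the Logic
column for:
  * severity_id          -> security_result.severity
  * actor.user.type_id   -> principal.user.attribute.roles.name, falling back
    to actor.process.user.type_id when actor.user.type_id is empty
  * actor.user.<field>   -> principal.user.<udm field>, falling back to
    actor.process.user.<field> when the actor.user value is empty
Helper names and the sample event are this example's own.
"""
import json
from typing import Any, Dict, Optional

# Enum values exactly as the severity_id and type_id rows state them.
SEVERITY = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}
ROLE = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}

# actor.user.<log field> -> principal.user.<UDM field>, per the rows above.
USER_FIELDS = {
    "org.name": "company_name",
    "org.ou_name": "department",
    "email_addr": "email_addresses",
    "full_name": "user_display_name",
    "name": "userid",
    "uid": "product_object_id",
}


def get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; None when any step is missing."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_empty(value: Any) -> bool:
    """'Empty' in the table means absent or blank. 0 is a real type_id (Unknown)
    and must not be treated as empty, so no plain truthiness test here."""
    return value is None or value == "" or value == []


def as_int(value: Any) -> Optional[int]:
    """severity_id / type_id may arrive as an int or a numeric string."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip())
    return None


def map_severity(event: Dict[str, Any]) -> str:
    """severity_id 1..5 -> named severity; anything else -> UNKNOWN_SEVERITY."""
    return SEVERITY.get(as_int(get_path(event, "severity_id")), "UNKNOWN_SEVERITY")


def map_role(event: Dict[str, Any]) -> Optional[str]:
    """actor.user.type_id, else actor.process.user.type_id; 0-3 named, else Other.
    Assumption (the table does not say): when both are absent the UDM field is
    left unset, signalled here by returning None."""
    type_id = get_path(event, "actor.user.type_id")
    if is_empty(type_id):
        type_id = get_path(event, "actor.process.user.type_id")
    if is_empty(type_id):
        return None
    return ROLE.get(as_int(type_id), "Other")


def map_principal_user(event: Dict[str, Any]) -> Dict[str, Any]:
    """Build the principal.user.* fields with the documented precedence."""
    udm: Dict[str, Any] = {}
    for log_field, udm_field in USER_FIELDS.items():
        value = get_path(event, f"actor.user.{log_field}")
        if is_empty(value):  # fall back to the process owner only when actor.user is empty
            value = get_path(event, f"actor.process.user.{log_field}")
        if not is_empty(value):
            udm[f"principal.user.{udm_field}"] = value
    role = map_role(event)
    if role is not None:
        udm["principal.user.attribute.roles.name"] = role
    return udm


# Constructed sample event (not from the page): actor.user carries the Windows
# placeholder values "-" / "NULL SID" and type_id 0; the process owner is richer.
SAMPLE_EVENT = {
    "severity_id": "4",
    "actor": {
        "user": {"name": "-", "uid": "NULL SID", "type_id": 0, "email_addr": ""},
        "process": {
            "user": {"name": "svc_backup", "type_id": 3, "email_addr": "svc@example.com"}
        },
    },
}

if __name__ == "__main__":
    result = {"security_result.severity": map_severity(SAMPLE_EVENT)}
    result.update(map_principal_user(SAMPLE_EVENT))
    print(json.dumps(result, indent=2))
```

Note that "-" is a non-empty value and so wins over the process owner's name, while type_id 0 maps to Unknown rather than triggering the fallback.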
Field mapping reference: OCSF Security Finding
The following table lists the log fields for the Security Finding log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| activity_id | metadata.event_type | If the class_name log field value is equal to Security Finding then, the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| activity_name | network.http.response_code | |
| api.response.message | metadata.description | |
| api.service.name | target.application | |
| attacks.tactics.name | security_result.attack_details.tactics.name | |
| attacks.tactics.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| category_uid | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| class_name | metadata.log_type | |
| classname | metadata.log_type | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| confidence | security_result.confidence | If the confidence log field value matches the regular expression pattern Low then, the security_result.confidence UDM field is set to LOW_CONFIDENCE. Else, if confidence log field value matches the regular expression pattern Medium then, the security_result.confidence UDM field is set to MEDIUM_CONFIDENCE. Else, if confidence log field value matches the regular expression pattern High then, the security_result.confidence UDM field is set to HIGH_CONFIDENCE. Else, the security_result.confidence UDM field is set to UNKNOWN_CONFIDENCE. |
| confidence_score | security_result.confidence_details | |
| finding.desc | security_result.description | |
| finding.product_uid | principal.asset_id | |
| finding.remediation.desc | security_result.outcomes[finding_remediation_desc] | |
| finding.remediation.kb_articles | security_result.outcomes[finding_remediation_kb_articles] | |
| finding.src_url | security_result.url_back_to_product | |
| finding.title | security_result.summary | |
| malware.cves.created_time | extensions.vulns.vulnerabilities.first_found | |
| malware.cves.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| malware.cves.cvss.severity | extensions.vulns.vulnerabilities.severity | If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
| malware.cves.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| malware.cves.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| malware.cves.product.name | extensions.vulns.vulnerabilities.about.application | |
| malware.cves.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| malware.cves.product.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| malware.cves.type | extensions.vulns.vulnerabilities.name | |
| malware.cves.uid | extensions.vulns.vulnerabilities.cve_id | |
| malware.name | security_result.threat_name | |
| malware.uid | security_result.threat_id | |
| message | metadata.description | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| observables.value | observer.hostname | Iterate through log field observables.type_id, then if the observables.type_id log field value is equal to 1 and if the observer.hostname log field value is empty then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 and if the observer.user.userid log field value is empty then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 and if the observer.url log field value is empty then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 and if the observer.file.vhash log field value is empty then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 and if the observer.resource.product_object_id log field value is empty then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
|
observables.value |
observer.mac |
|
observables.value |
observer.user.userid |
|
observables.value |
observer.user.email_addresses |
|
observables.value |
observer.url |
|
observables.value |
observer.file.names |
|
observables.value |
observer.file.vhash |
|
observables.value |
observer.process.file.names |
|
observables.value |
observer.resource.product_object_id |
|
process.cmd_line |
principal.process.command_line |
|
process.file.mime_type |
principal.process.file.mime_type |
|
process.file.modified_time |
principal.process.file.last_modification_time |
|
process.file.name |
principal.process.file.names |
|
process.file.path |
principal.process.file.full_path |
|
process.file.size |
principal.process.file.size |
|
process.file.created_time |
principal.process.file.first_seen_time |
|
process.file.accessed_time |
principal.process.file.last_seen_time |
|
process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
|
process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
|
process.parent_process.cmd_line |
principal.process.parent_process.command_line |
|
process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
|
process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
|
process.parent_process.file.name |
principal.process.parent_process.file.names |
|
process.parent_process.file.path |
principal.process.parent_process.file.full_path |
|
process.parent_process.file.size |
principal.process.parent_process.file.size |
|
process.parent_process.pid |
principal.process.parent_process.pid |
|
process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
|
process.parent_process.user.domain |
principal.administrative_domain |
If the process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
process.parent_process.user.email_addr |
principal.user.email_addresses |
If the process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
process.parent_process.user.full_name |
principal.user.user_display_name |
If the process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
process.parent_process.user.groups.name |
principal.group.group_display_name |
If the process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
process.parent_process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
process.parent_process.user.groups.uid |
principal.user.group_identifiers |
If the process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
process.parent_process.user.name |
principal.user.userid |
If the process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
process.parent_process.user.org.name |
principal.user.company_name |
If the process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
process.parent_process.user.org.ou_name |
principal.user.department |
If the process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
process.parent_process.user.type_id |
principal.user.attribute.roles.name |
If the process.user.type_id log field value is not empty and if the process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. Else, if process.parent_process.user.type_id log field value is not empty and if the process.parent_process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.parent_process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.parent_process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.parent_process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
process.parent_process.user.uid |
principal.user.product_object_id |
If the process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
process.pid |
principal.process.pid |
|
process.uid |
principal.process.product_specific_process_id |
|
process.user.domain |
principal.administrative_domain |
If the process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
process.user.email_addr |
principal.user.email_addresses |
If the process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
process.user.full_name |
principal.user.user_display_name |
If the process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
process.user.groups.name |
principal.group.group_display_name |
If the process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
process.user.groups.uid |
principal.user.group_identifiers |
If the process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
process.user.name |
principal.user.userid |
If the process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
process.user.org.name |
principal.user.company_name |
If the process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
process.user.org.ou_name |
principal.user.department |
If the process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
process.user.type_id |
principal.user.attribute.roles.name |
If the process.user.type_id log field value is not empty and if the process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. Else, if process.parent_process.user.type_id log field value is not empty and if the process.parent_process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.parent_process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.parent_process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.parent_process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
process.user.uid |
principal.user.product_object_id |
If the process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
resources.name |
target.resource.name |
|
resources.type |
target.resource.resource_subtype |
|
resources.uid |
target.resource.product_object_id |
|
risk_score |
security_result.risk_score |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
time |
metadata.event_timestamp |
|
vulnerabilities.cve.created_time |
extensions.vulns.vulnerabilities.first_found |
|
vulnerabilities.cve.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
vulnerabilities.cve.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
vulnerabilities.cve.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
vulnerabilities.cve.product.name |
extensions.vulns.vulnerabilities.about.application |
|
vulnerabilities.cve.product.uid |
extensions.vulns.vulnerabilities.about.asset_id |
|
vulnerabilities.cve.type |
extensions.vulns.vulnerabilities.description |
|
vulnerabilities.cve.uid |
extensions.vulns.vulnerabilities.cve_id |
|
vulnerabilities.severity |
extensions.vulns.vulnerabilities.severity |
|
vulnerabilities.title |
extensions.vulns.vulnerabilities.name |
|
vulnerabilities.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
analytic.desc |
security_result.detection_fields [analytic_desc] |
|
analytic.name |
security_result.detection_fields [analytic_name] |
|
analytic.relatedAnalytics.category |
security_result.detection_fields [analytic_related_analytics_category] |
|
analytic.relatedAnalytics.name |
security_result.detection_fields [analytic_related_analytics_name] |
|
analytic.relatedAnalytics.type |
security_result.detection_fields [analytic_related_analytics_type] |
|
analytic.relatedAnalytics.typeId |
security_result.detection_fields [analytic_related_analytics_typeId] |
|
analytic.relatedAnalytics.uid |
security_result.detection_fields [analytic_related_analytics_uid] |
|
analytic.type |
security_result.detection_fields [analytic_type] |
|
analytic.typeId |
security_result.detection_fields [analytic_typeId] |
|
finding.uid |
security_result.detection_fields [finding_uid] |
|
finding.first_seen_time |
security_result.first_discovered_time |
|
finding.created_time |
security_result.detection_fields [finding_created_time] |
|
finding.last_seen_time |
security_result.detection_fields [finding_last_seen_time] |
|
confidence_id |
security_result.detection_fields [confidence_id] |
|
data_sources |
security_result.detection_fields [data_sources] |
|
impact |
security_result.detection_fields [impact] |
|
impact_id |
security_result.detection_fields [impact_id] |
|
impact_score |
security_result.detection_fields [impact_score] |
|
malware.classification_ids |
security_result.detection_fields [malware.classification_ids] |
|
malware.classifications |
security_result.detection_fields [malware.classifications] |
|
risk_level |
security_result.detection_fields [risk_level] |
|
risk_level_id |
security_result.detection_fields [risk_level_id] |
|
state |
security_result.detection_fields [state] |
|
state_id |
security_result.detection_fields [state_id] |
|
count |
security_result.detection_fields [count] |
|
end_time |
security_result.detection_fields [end_time] |
|
enrichments.name |
security_result.detection_fields [enrichments_name] |
|
enrichments.provider |
security_result.detection_fields [enrichments_provider] |
|
enrichments.type |
security_result.detection_fields [enrichments_type] |
|
enrichments.value |
security_result.detection_fields [enrichments_value] |
|
metadata.log_name |
about.labels [metadata_log_name] |
|
metadata.log_provider |
about.labels [metadata_log_provider] |
|
metadata.modified_time |
about.labels [metadata_modified_time] |
|
metadata.original_time |
about.labels [metadata_original_time] |
|
metadata.product.lang |
about.labels [metadata_product_lang] |
|
metadata.version |
about.labels [metadata_version] |
|
metadata.log_name |
additional.fields [metadata_log_name] |
|
metadata.log_provider |
additional.fields [metadata_log_provider] |
|
metadata.modified_time |
additional.fields [metadata_modified_time] |
|
metadata.original_time |
additional.fields [metadata_original_time] |
|
metadata.product.lang |
additional.fields [metadata_product_lang] |
|
metadata.version |
additional.fields [metadata_version] |
|
severity |
security_result.severity_details |
|
class_uid |
about.labels [class_uid] |
|
metadata.labels |
about.labels [metadata_labels] |
|
raw_data |
about.labels [raw_data] |
|
metadata.product.feature.name |
about.labels [metadata_product_feature_name] |
|
metadata.product.feature.uid |
about.labels [metadata_product_feature_uid] |
|
metadata.profiles |
about.labels [metadata_profiles] |
|
process.created_time |
principal.labels [process_created_time] |
|
process.file.type_id |
principal.labels [process_file_type_id] |
|
process.terminated_time |
principal.labels [process_terminated_time] |
|
status |
security_result.detection_fields [status] |
|
status_code |
security_result.detection_fields [status_code] |
|
type_name |
security_result.detection_fields [type_name] |
|
type_uid |
security_result.detection_fields [type_uid] |
|
cloud.account_uid |
about.resource.attribute.labels [cloud_account_uid] |
|
compliance.requirements |
security_result.detection_fields [compliance_requirements] |
|
compliance.status |
security_result.detection_fields [compliance_status] |
|
compliance.status_detail |
security_result.detection_fields [compliance_status_detail] |
|
finding.modified_time |
security_result.detection_fields [finding_modified_time] |
|
finding.related_events.product_uid |
security_result.detection_fields [finding_related_events_product_uid] |
|
finding.related_events.uid |
security_result.detection_fields [finding_related_events_uid] |
|
finding.types |
security_result.detection_fields [finding_types] |
|
malware.path |
security_result.detection_fields [malware_path] |
|
resources.cloud_partition |
target.resource.attribute.labels [resources_cloud_partition] |
|
resources.details |
target.resource.attribute.labels [resources_details] |
|
resources.labels |
target.resource.attribute.labels [resources_labels] |
|
resources.region |
target.location.name |
|
vulnerabilities.cve.modified_time |
extensions.vulns.vulnerabilities.about.labels [vuln_cve_modified_time] |
|
vulnerabilities.kb_articles |
extensions.vulns.vulnerabilities.about.labels [vuln_kb_articles] |
|
vulnerabilities.packages.architecture |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_architecture] |
|
vulnerabilities.packages.epoch |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_epoch] |
|
vulnerabilities.packages.name |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_name] |
|
vulnerabilities.packages.release |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_release] |
|
vulnerabilities.packages.version |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_version] |
|
vulnerabilities.references |
extensions.vulns.vulnerabilities.about.labels [vuln_references] |
|
vulnerabilities.related_vulnerabilities |
extensions.vulns.vulnerabilities.about.labels [vuln_related_vulnerabilities] |
|
vulnerabilities.cve.modified_time |
additional.fields [vuln_cve_modified_time] |
|
vulnerabilities.kb_articles |
additional.fields [vuln_kb_articles] |
|
vulnerabilities.packages.architecture |
additional.fields [vuln_packages_architecture] |
|
vulnerabilities.packages.epoch |
additional.fields [vuln_packages_epoch] |
|
vulnerabilities.packages.name |
additional.fields [vuln_packages_name] |
|
vulnerabilities.packages.release |
additional.fields [vuln_packages_release] |
|
vulnerabilities.packages.version |
additional.fields [vuln_packages_version] |
|
vulnerabilities.references |
additional.fields [vuln_references] |
|
vulnerabilities.related_vulnerabilities |
additional.fields [vuln_related_vulnerabilities] |
|
compliance.control |
security_result.detection_fields[compliance_control] |
|
compliance.standards |
security_result.detection_fields[compliance_standards] |
Iterate through log field compliance.standards, then compliance.standards log field is mapped to the security_result.detection_fields[compliance_standards] UDM field. |
compliance.status_code |
security_result.detection_fields[compliance_status_code] |
|
compliance.status_id |
security_result.detection_fields[compliance_status_id] |
|
finding.related_events.kill_chain.phase |
security_result.detection_fields[related_events_kill_chain_phase] |
Iterate through log field finding.related_events, then iterate through log field finding.related_events.kill_chain, then finding.related_events.kill_chain.phase log field is mapped to the security_result.detection_fields[related_events_kill_chain_phase] UDM field. |
finding.related_events.kill_chain.phase_id |
security_result.detection_fields[related_events_kill_chain_phase_id] |
Iterate through log field finding.related_events, then iterate through log field finding.related_events.kill_chain, then finding.related_events.kill_chain.phase_id log field is mapped to the security_result.detection_fields[related_events_kill_chain_phase_id] UDM field. |
finding.remediation.kb_article_list.os.name |
security_result.outcomes[finding_remediation_kb_article_list_os_name] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.os.name log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_os_name] UDM field. |
finding.remediation.kb_article_list.os.type_id |
security_result.outcomes[finding_remediation_kb_article_list_os_type_id] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.os.type_id log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_os_type_id] UDM field. |
finding.remediation.kb_article_list.severity |
security_result.outcomes[finding_remediation_kb_article_list_severity] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.severity log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_severity] UDM field. |
finding.remediation.kb_article_list.title |
security_result.outcomes[finding_remediation_kb_article_list_title] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.title log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_title] UDM field. |
finding.remediation.kb_article_list.uid |
security_result.outcomes[finding_remediation_kb_article_list_uid] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.uid log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_uid] UDM field. |
finding.remediation.kb_article_list.product.name |
security_result.outcomes[finding_remediation_kb_article_list_product_name] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.product.name log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_name] UDM field. |
finding.remediation.kb_article_list.product.uid |
security_result.outcomes[finding_remediation_kb_article_list_product_uid] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.product.uid log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_uid] UDM field. |
finding.remediation.kb_article_list.product.vendor_name |
security_result.outcomes[finding_remediation_kb_article_list_product_vendor_name] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.product.vendor_name log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_vendor_name] UDM field. |
finding.remediation.kb_article_list.product.version |
security_result.outcomes[finding_remediation_kb_article_list_product_version] |
Iterate through log field finding.remediation.kb_article_list, then finding.remediation.kb_article_list.product.version log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_version] UDM field. |
finding.remediation.reference |
security_result.outcomes[finding_remediation_reference] |
Iterate through log field finding.remediation.reference, then finding.remediation.reference log field is mapped to the security_result.outcomes[finding_remediation_reference] UDM field. |
finding.related_events.attacks.sub_technique.name |
security_result.attack_details.techniques.subtechnique_name |
Iterate through log field finding.related_events, then iterate through log field finding.related_events.attacks, then finding.related_events.attacks.sub_technique.name log field is mapped to the security_result.attack_details.techniques.subtechnique_name UDM field. |
finding.related_events.attacks.sub_technique.uid |
security_result.attack_details.techniques.subtechnique_id |
Iterate through log field finding.related_events, then iterate through log field finding.related_events.attacks, then finding.related_events.attacks.sub_technique.uid log field is mapped to the security_result.attack_details.techniques.subtechnique_id UDM field. |
finding.related_events.attacks.sub_technique.src_url |
security_result.outcomes[finding_related_events_attacks_sub_technique_src_url] |
Iterate through log field finding.related_events.attacks, then finding.related_events.attacks.sub_technique.src_url log field is mapped to the security_result.outcomes[finding_related_events_attacks_sub_technique_src_url] UDM field. |
attacks.sub_technique.name |
security_result.attack_details.techniques.subtechnique_name |
Iterate through log field finding.related_events.attacks, then attacks.sub_technique.name log field is mapped to the security_result.attack_details.techniques.subtechnique_name UDM field. |
attacks.sub_technique.uid |
security_result.attack_details.techniques.subtechnique_id |
Iterate through log field finding.related_events.attacks, then attacks.sub_technique.uid log field is mapped to the security_result.attack_details.techniques.subtechnique_id UDM field. |
attacks.sub_technique.src_url |
security_result.detection_fields[attacks_sub_technique_src_url] |
Iterate through log field finding.related_events.attacks, then attacks.sub_technique.src_url log field is mapped to the security_result.outcomes[finding_related_events_attacks_sub_technique_src_url] UDM field. |
malware.cves.title |
extensions.vulns.vulnerabilities.description |
|
malware.cves.product.cpe_name |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_product_cpe_name] |
Iterate through log field malware.cves, then malware.cves.product.cpe_name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_product_cpe_name] UDM field. |
malware.cves.epass.created_time |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_created_time] |
Iterate through log field malware.cves, then malware.cves.epass.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_created_time] UDM field. |
malware.cves.epass.score |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_score] |
Iterate through log field malware.cves, then malware.cves.epass.score log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_score] UDM field. |
malware.cves.epass.percentile |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_percentile] |
Iterate through log field malware.cves, then malware.cves.epass.percentile log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_percentile] UDM field. |
malware.cves.epass.version |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_version] |
Iterate through log field malware.cves, then malware.cves.epass.version log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_version] UDM field. |
| malware.cves.reference | additional.fields[malware_cves_reference] | Iterate through log field malware.cves.reference, then malware.cves.reference log field is mapped to the additional.fields[malware_cves_reference] UDM field. |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
| metadata.loggers.device.ip | about.asset.ip | Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
| actor.session.uid | network.session_id | If the actor.session.uid log field value is not empty, then the actor.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid log field value is not empty, then the process.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid_alt log field value is not empty, then the process.session.uid_alt log field is mapped to the network.session_id UDM field. |
| process.session.uid | network.session_id | If the actor.session.uid log field value is not empty, then the actor.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid log field value is not empty, then the process.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid_alt log field value is not empty, then the process.session.uid_alt log field is mapped to the network.session_id UDM field. |
| process.session.uid_alt | network.session_id | If the actor.session.uid log field value is not empty, then the actor.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid log field value is not empty, then the process.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid_alt log field value is not empty, then the process.session.uid_alt log field is mapped to the network.session_id UDM field. |
| process.session.expiration_reason | additional.fields[process_session_expiration_reason] | |
| process.user.ldap_person.cost_center | principal.user.attribute.labels[process_user_ldap_person_cost_center] | |
| process.user.ldap_person.created_time | principal.user.attribute.labels[process_user_ldap_person_created_time] | |
| process.user.ldap_person.deleted_time | principal.user.attribute.labels[process_user_ldap_person_deleted_time] | |
| process.user.ldap_person.email_addrs | principal.user.email_addresses | |
| process.user.ldap_person.employee_uid | principal.user.employee_uid | |
| process.user.ldap_person.location | principal.user.attribute.labels[process_user_ldap_person_location] | |
| process.user.ldap_person.given_name | principal.user.first_name | |
| process.user.ldap_person.hire_time | principal.user.hire_date | |
| process.user.ldap_person.job_title | principal.user.title | |
| process.user.ldap_person.ldap_cn | principal.user.attribute.labels[process_user_ldap_person_ldap_cn] | |
| process.user.ldap_person.ldap_dn | principal.user.attribute.labels[process_user_ldap_person_ldap_dn] | |
| process.user.ldap_person.labels | principal.user.attribute.labels[process_user_ldap_person_labels] | |
| process.user.ldap_person.last_login_time | principal.user.last_login_time | |
| process.user.ldap_person.leave_time | principal.user.attribute.labels[process_user_ldap_person_leave_time] | |
| process.user.ldap_person.modified_time | principal.user.attribute.labels[process_user_ldap_person_modified_time] | |
| process.user.ldap_person.office_location | principal.user.office_address.name | |
| process.user.ldap_person.surname | principal.user.last_name | |
| process.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[process_user_ldap_person_cost_center] | |
| process.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[process_user_ldap_person_created_time] | |
| process.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[process_user_ldap_person_deleted_time] | |
| process.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | |
| process.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | |
| process.user.ldap_person.manager.location | principal.user.managers.attribute.labels[process_user_ldap_person_location] | |
| process.user.ldap_person.manager.given_name | principal.user.managers.first_name | |
| process.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | |
| process.user.ldap_person.manager.job_title | principal.user.managers.title | |
| process.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[process_user_ldap_person_ldap_cn] | |
| process.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[process_user_ldap_person_ldap_dn] | |
| process.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[process_user_ldap_person_labels] | |
| process.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | |
| process.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[process_user_ldap_person_leave_time] | |
| process.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[process_user_ldap_person_modified_time] | |
| process.user.ldap_person.manager.office_location | principal.user.managers.office_address.name | |
| process.user.ldap_person.manager.surname | principal.user.managers.last_name | |
| process.user.groups.domain | principal.user.group_identifiers | |
| resources.owner.ldap_person.cost_center | about.user.attribute.labels[process_user_ldap_person_cost_center] | Iterate through log field resources, then resources.owner.ldap_person.cost_center log field is mapped to the about.user.attribute.labels[process_user_ldap_person_cost_center] UDM field. |
| resources.owner.ldap_person.created_time | about.user.attribute.labels[process_user_ldap_person_created_time] | Iterate through log field resources, then resources.owner.ldap_person.created_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_created_time] UDM field. |
| resources.owner.ldap_person.deleted_time | about.user.attribute.labels[process_user_ldap_person_deleted_time] | Iterate through log field resources, then resources.owner.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_deleted_time] UDM field. |
| resources.owner.ldap_person.email_addrs | about.user.email_addresses | Iterate through log field resources, then resources.owner.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
| resources.owner.ldap_person.employee_uid | about.user.employee_uid | Iterate through log field resources, then resources.owner.ldap_person.employee_uid log field is mapped to the about.user.employee_uid UDM field. |
| resources.owner.ldap_person.location | about.user.attribute.labels[process_user_ldap_person_location] | Iterate through log field resources, then resources.owner.ldap_person.location log field is mapped to the about.user.attribute.labels[process_user_ldap_person_location] UDM field. |
| resources.owner.ldap_person.given_name | about.user.first_name | Iterate through log field resources, then resources.owner.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
| resources.owner.ldap_person.hire_time | about.user.hire_date | Iterate through log field resources, then resources.owner.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
| resources.owner.ldap_person.job_title | about.user.title | Iterate through log field resources, then resources.owner.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
| resources.owner.ldap_person.ldap_cn | about.user.attribute.labels[process_user_ldap_person_ldap_cn] | Iterate through log field resources, then resources.owner.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels[process_user_ldap_person_ldap_cn] UDM field. |
| resources.owner.ldap_person.ldap_dn | about.user.attribute.labels[process_user_ldap_person_ldap_dn] | Iterate through log field resources, then resources.owner.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels[process_user_ldap_person_ldap_dn] UDM field. |
| resources.owner.ldap_person.labels | about.user.attribute.labels[process_user_ldap_person_labels] | Iterate through log field resources, then resources.owner.ldap_person.labels log field is mapped to the about.user.attribute.labels[process_user_ldap_person_labels] UDM field. |
| resources.owner.ldap_person.last_login_time | about.user.last_login_time | Iterate through log field resources, then resources.owner.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
| resources.owner.ldap_person.leave_time | about.user.attribute.labels[process_user_ldap_person_leave_time] | Iterate through log field resources, then resources.owner.ldap_person.leave_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_leave_time] UDM field. |
| resources.owner.ldap_person.modified_time | about.user.attribute.labels[process_user_ldap_person_modified_time] | Iterate through log field resources, then resources.owner.ldap_person.modified_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_modified_time] UDM field. |
| resources.owner.ldap_person.office_location | about.user.office_address.name | Iterate through log field resources, then resources.owner.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
| resources.owner.ldap_person.surname | about.user.last_name | Iterate through log field resources, then resources.owner.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
| resources.owner.ldap_person.manager.cost_center | about.user.managers.attribute.labels[process_user_ldap_person_cost_center] | Iterate through log field resources, then resources.owner.ldap_person.manager.cost_center log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_cost_center] UDM field. |
| resources.owner.ldap_person.manager.created_time | about.user.managers.attribute.labels[process_user_ldap_person_created_time] | Iterate through log field resources, then resources.owner.ldap_person.manager.created_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_created_time] UDM field. |
| resources.owner.ldap_person.manager.deleted_time | about.user.managers.attribute.labels[process_user_ldap_person_deleted_time] | Iterate through log field resources, then resources.owner.ldap_person.manager.deleted_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_deleted_time] UDM field. |
| resources.owner.ldap_person.manager.email_addrs | about.user.managers.email_addresses | Iterate through log field resources, then resources.owner.ldap_person.manager.email_addrs log field is mapped to the about.user.managers.email_addresses UDM field. |
| resources.owner.ldap_person.manager.employee_uid | about.user.managers.employee_uid | Iterate through log field resources, then resources.owner.ldap_person.manager.employee_uid log field is mapped to the about.user.managers.employee_uid UDM field. |
| resources.owner.ldap_person.manager.location | about.user.managers.attribute.labels[process_user_ldap_person_location] | Iterate through log field resources, then resources.owner.ldap_person.manager.location log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_location] UDM field. |
| resources.owner.ldap_person.manager.given_name | about.user.managers.first_name | Iterate through log field resources, then resources.owner.ldap_person.manager.given_name log field is mapped to the about.user.managers.first_name UDM field. |
| resources.owner.ldap_person.manager.hire_time | about.user.managers.hire_date | Iterate through log field resources, then resources.owner.ldap_person.manager.hire_time log field is mapped to the about.user.managers.hire_date UDM field. |
| resources.owner.ldap_person.manager.job_title | about.user.managers.title | Iterate through log field resources, then resources.owner.ldap_person.manager.job_title log field is mapped to the about.user.managers.title UDM field. |
| resources.owner.ldap_person.manager.ldap_cn | about.user.managers.attribute.labels[process_user_ldap_person_ldap_cn] | Iterate through log field resources, then resources.owner.ldap_person.manager.ldap_cn log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_ldap_cn] UDM field. |
| resources.owner.ldap_person.manager.ldap_dn | about.user.managers.attribute.labels[process_user_ldap_person_ldap_dn] | Iterate through log field resources, then resources.owner.ldap_person.manager.ldap_dn log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_ldap_dn] UDM field. |
| resources.owner.ldap_person.manager.labels | about.user.managers.attribute.labels[process_user_ldap_person_labels] | Iterate through log field resources, then resources.owner.ldap_person.manager.labels log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_labels] UDM field. |
| resources.owner.ldap_person.manager.last_login_time | about.user.managers.last_login_time | Iterate through log field resources, then resources.owner.ldap_person.manager.last_login_time log field is mapped to the about.user.managers.last_login_time UDM field. |
| resources.owner.ldap_person.manager.leave_time | about.user.managers.attribute.labels[process_user_ldap_person_leave_time] | Iterate through log field resources, then resources.owner.ldap_person.manager.leave_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_leave_time] UDM field. |
| resources.owner.ldap_person.manager.modified_time | about.user.managers.attribute.labels[process_user_ldap_person_modified_time] | Iterate through log field resources, then resources.owner.ldap_person.manager.modified_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_modified_time] UDM field. |
| resources.owner.ldap_person.manager.office_location | about.user.managers.office_address.name | Iterate through log field resources, then resources.owner.ldap_person.manager.office_location log field is mapped to the about.user.managers.office_address.name UDM field. |
| resources.owner.ldap_person.manager.surname | about.user.managers.last_name | Iterate through log field resources, then resources.owner.ldap_person.manager.surname log field is mapped to the about.user.managers.last_name UDM field. |
| resource.owner.groups.domain | about.user.group_identifiers | Iterate through log field resources, then iterate through log field resource.owner.groups, then resource.owner.groups.domain log field is mapped to the about.user.group_identifiers UDM field. |
| vulnerabilities.is_exploit_available | additional.fields[vulnerabilities_is_exploit_available] | Iterate through log field vulnerabilities, then vulnerabilities.is_exploit_available log field is mapped to the additional.fields[vulnerabilities_is_exploit_available] UDM field. |
| vulnerabilities.is_fix_available | additional.fields[vulnerabilities_is_fix_available] | Iterate through log field vulnerabilities, then vulnerabilities.is_fix_available log field is mapped to the additional.fields[vulnerabilities_is_fix_available] UDM field. |
| vulnerabilities.cve.title | additional.fields[vulnerabilities_cve_title] | Iterate through log field vulnerabilities, then vulnerabilities.cve.title log field is mapped to the additional.fields[vulnerabilities_cve_title] UDM field. |
| vulnerabilities.cve.references | additional.fields[vulnerabilities_cve_references] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.cve.references, then vulnerabilities.cve.references log field is mapped to the additional.fields[vulnerabilities_cve_references] UDM field. |
| vulnerabilities.first_seen_time | extensions.vulns.vulnerabilities.first_found | Iterate through log field vulnerabilities, then if the vulnerabilities.cve.created_time log field value is not empty, then the vulnerabilities.cve.created_time log field is mapped to the extensions.vulns.vulnerabilities.first_found UDM field. Else, the vulnerabilities.first_seen_time log field is mapped to the extensions.vulns.vulnerabilities.first_found UDM field. |
| vulnerabilities.last_seen_time | extensions.vulns.vulnerabilities.last_found | Iterate through log field vulnerabilities, then vulnerabilities.last_seen_time log field is mapped to the extensions.vulns.vulnerabilities.last_found UDM field. |
| vulnerabilities.cve.desc | extensions.vulns.vulnerabilities.cve_description | Iterate through log field vulnerabilities, then vulnerabilities.cve.desc log field is mapped to the extensions.vulns.vulnerabilities.cve_description UDM field. |
| vulnerabilities.kb_article_list.os.name | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_name] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.os.name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_name] UDM field. |
| vulnerabilities.kb_article_list.os.type | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.os.type log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type] UDM field. |
| vulnerabilities.kb_article_list.os.type_id | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type_id] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.os.type_id log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type_id] UDM field. |
| vulnerabilities.kb_article_list.product.name | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_name] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.product.name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_name] UDM field. |
| vulnerabilities.kb_article_list.product.uid | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_uid] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.product.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_uid] UDM field. |
| vulnerabilities.kb_article_list.product.vendor_name | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_vendor_name] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.product.vendor_name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_vendor_name] UDM field. |
| vulnerabilities.kb_article_list.title | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_title] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.title log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_title] UDM field. |
| vulnerabilities.kb_article_list.uid | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_uid] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_uid] UDM field. |
| vulnerabilities.kb_article_list.bulletin | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_bulletin] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.bulletin log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_bulletin] UDM field. |
| vulnerabilities.kb_article_list.classification | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_classification] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.classification log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_classification] UDM field. |
| vulnerabilities.kb_article_list.created_time | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_created_time] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_created_time] UDM field. |
| vulnerabilities.kb_article_list.severity | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_severity] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.severity log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_severity] UDM field. |
| vulnerabilities.kb_article_list.size | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_size] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.size log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_size] UDM field. |
| vulnerabilities.kb_article_list.src_url | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_src_url] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.src_url log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_src_url] UDM field. |
| vulnerabilities.kb_article_list.is_superseded | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_is_superseded] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.is_superseded log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_is_superseded] UDM field. |
| vulnerabilities.remediation.reference | additional.fields[vulnerabilities_remediation_references] | Iterate through log field vulnerabilities, then vulnerabilities.remediation.reference log field is mapped to the additional.fields[vulnerabilities_remediation_references] UDM field. |
| vulnerabilities.affected_code.end_line | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_end_line] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.end_line log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_end_line] UDM field. |
| vulnerabilities.affected_code.start_line | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_start_line] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.start_line log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_start_line] UDM field. |
| vulnerabilities.affected_code.file.mime_type | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_mime_type] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.mime_type log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_mime_type] UDM field. |
| vulnerabilities.affected_code.file.path | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_path] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.path log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_path] UDM field. |
| vulnerabilities.affected_code.file.modified_time | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_modified_time] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.modified_time log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_modified_time] UDM field. |
| vulnerabilities.affected_code.file.created_time | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_created_time] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_created_time] UDM field. |
| vulnerabilities.affected_code.file.accessed_time | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_accessed_time] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.accessed_time log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_accessed_time] UDM field. |
| vulnerabilities.affected_code.file.name | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_name] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.name log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_name] UDM field. |
| vulnerabilities.affected_code.file.size | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_size] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.size log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_size] UDM field. |
| vulnerabilities.affected_packages.architecture | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_architecture] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.architecture log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_architecture] UDM field. |
| vulnerabilities.affected_packages.epoch | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_epoch] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.epoch log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_epoch] UDM field. |
| vulnerabilities.affected_packages.name | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_name] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_name] UDM field. |
| vulnerabilities.affected_packages.release | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_release] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.release log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_release] UDM field. |
| vulnerabilities.affected_packages.version | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_version] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.version log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_version] UDM field. |
| vulnerabilities.cwe.uid | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_uid] | Iterate through log field vulnerabilities, then vulnerabilities.cwe.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_uid] UDM field. |
| vulnerabilities.cwe.caption | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_caption] | Iterate through log field vulnerabilities, then vulnerabilities.cwe.caption log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_caption] UDM field. |
| vulnerabilities.cwe.src_url | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_src_url] | Iterate through log field vulnerabilities, then vulnerabilities.cwe.src_url log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_src_url] UDM field. |
vulnerabilities.cve.cwe.uid |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_cwe_uid] |
Iterate through log field vulnerabilities, then vulnerabilities.cwe.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_uid] UDM field. |
vulnerabilities.cve.cwe.caption |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_cwe_caption] |
Iterate through log field vulnerabilities, then vulnerabilities.cwe.caption log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_caption] UDM field. |
vulnerabilities.cve.cwe.src_url |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_cwe_src_url] |
Iterate through log field vulnerabilities, then vulnerabilities.cwe.src_url log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_src_url] UDM field. |
vulnerabilities.cve.epass.created_time |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_created_time] |
Iterate through log field vulnerabilities, then vulnerabilities.cve.epass.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_created_time] UDM field. |
vulnerabilities.cve.epass.score |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_score] |
Iterate through log field vulnerabilities, then vulnerabilities.cve.epass.score log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_score] UDM field. |
vulnerabilities.cve.epass.percentile |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_percentile] |
Iterate through log field vulnerabilities, then vulnerabilities.cve.epass.percentile log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_percentile] UDM field. |
vulnerabilities.cve.epass.version |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_version] |
Iterate through log field vulnerabilities, then vulnerabilities.cve.epass.version log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_version] UDM field. |
Field mapping reference: OCSF FTP Activity
The following table lists the log fields for the FTP Activity log type and their corresponding UDM fields.
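As an added worked example (it is not the Google SecOps parser and not code from this page), the Python below re-implements a handful of the conditional rules from the table that follows, so their precedence and defaults can be exercised against a constructed FTP Activity event: the `message` versus `api.response.message` fallback, the regex-based `cloud.provider` match, the UNKNOWN_* defaults for unlisted `protocol_num`, `direction_id` and `os.type_id` values, the [longitude, latitude] order of OCSF `coordinates`, and the `observables` dispatch by `type_id`. It reads the observables logic as applying the index-0 condition to the whole dispatch, so only the first observable is mapped; that reading, the sample event contents and the flat dotted-path output format are assumptions of the example, not statements from the page.

```python
"""Added example: a plain-Python re-implementation of some FTP Activity
mapping rules from this page, for checking their precedence and defaults.
This is illustrative code, not the Google SecOps OCSF parser. UDM output
is a flat dict keyed by UDM path (an assumption of this example)."""
import re

# Enumerations copied from the table's Logic cells; unlisted values fall to UNKNOWN_*.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 41: "IP6IN4", 47: "GRE",
                50: "ESP", 58: "ICMP6", 88: "EIGRP", 97: "ETHERIP", 103: "PIM",
                112: "VRRP", 132: "SCTP"}
DIRECTIONS = {1: "INBOUND", 2: "OUTBOUND"}
PLATFORMS = {100: "WINDOWS", 101: "WINDOWS", 200: "LINUX", 201: "ANDROID",
             300: "MAC", 301: "IOS"}
# cloud.provider is matched as a regular expression, i.e. a substring match, in this order.
CLOUD_ENVS = [("AWS", "AMAZON_WEB_SERVICES"), ("MS Azure", "MICROSOFT_AZURE"),
              ("GCP", "GOOGLE_CLOUD_PLATFORM")]
# Observable type_id -> observer field, as listed in the observables.value rows.
OBSERVABLE_FIELDS = {1: "observer.hostname", 2: "observer.ip", 3: "observer.mac",
                     4: "observer.user.userid", 5: "observer.user.email_addresses",
                     6: "observer.url", 7: "observer.file.names", 8: "observer.file.vhash",
                     9: "observer.process.file.names",
                     10: "observer.resource.product_object_id"}


def get(obj, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def map_ftp_activity(event):
    udm = {}

    def put(path, value):
        if value not in (None, "", []):
            udm[path] = value

    # metadata.product_event_type is the formatted "%{activity_id} - %{activity_name}".
    if event.get("activity_name") is not None:
        put("metadata.product_event_type",
            f"{event.get('activity_id')} - {event['activity_name']}")
    # message wins; api.response.message is used only when message is empty.
    put("metadata.description", event.get("message") or get(event, "api.response.message"))
    put("network.ftp.command", event.get("command"))
    put("network.http.response_code", get(event, "api.response.code"))

    put("network.ip_protocol",
        IP_PROTOCOLS.get(get(event, "connection_info.protocol_num"), "UNKNOWN_IP_PROTOCOL"))
    put("network.direction",
        DIRECTIONS.get(get(event, "connection_info.direction_id"), "UNKNOWN_DIRECTION"))
    put("principal.asset.platform_software.platform",
        PLATFORMS.get(get(event, "device.os.type_id"), "UNKNOWN_PLATFORM"))

    provider = get(event, "cloud.provider")
    if provider:
        for pattern, env in CLOUD_ENVS:
            if re.search(pattern, provider):
                put("about.resource.attribute.cloud.environment", env)
                break

    # Fallback precedence: the direct field wins; the alternate fills in only if it is empty.
    put("principal.administrative_domain",
        get(event, "actor.user.domain") or get(event, "actor.process.user.domain"))
    put("principal.asset.location.name",
        get(event, "device.region") or get(event, "device.location.region"))

    # OCSF coordinates are [longitude, latitude]: index 1 is latitude, index 0 longitude.
    coords = get(event, "src_endpoint.location.coordinates")
    if isinstance(coords, list) and len(coords) == 2:
        put("principal.location.region_coordinates.latitude", coords[1])
        put("principal.location.region_coordinates.longitude", coords[0])

    # Reading of the table: only the observable at index 0 is mapped; the rest are dropped.
    observables = event.get("observables") or []
    if observables:
        first = observables[0]
        field = OBSERVABLE_FIELDS.get(first.get("type_id"))
        if field:
            put(field, first.get("value"))
    return udm


# Constructed sample FTP Activity event (not taken from the page or any real system).
SAMPLE_EVENT = {
    "activity_id": 1, "activity_name": "Put", "class_name": "FTP Activity",
    "command": "STOR", "message": "",
    "api": {"response": {"code": 226, "message": "Transfer complete"}},
    "cloud": {"provider": "Amazon AWS (us-east-1)"},
    "connection_info": {"protocol_num": 6, "direction_id": 2},
    "device": {"os": {"type_id": 200}, "location": {"region": "eu-west-1"}},
    "actor": {"user": {"domain": ""}, "process": {"user": {"domain": "CORP"}}},
    "src_endpoint": {"ip": "198.51.100.7", "location": {"coordinates": [-73.983, 40.719]}},
    "observables": [
        {"type_id": 2, "value": "198.51.100.7"},
        {"type_id": 1, "value": "ftp-client-01"},  # dropped under the index-0 reading
    ],
}

if __name__ == "__main__":
    for path, value in sorted(map_ftp_activity(SAMPLE_EVENT).items()):
        print(f"{path} = {value!r}")
```

Running the block prints the mapped fields for the sample event. Feeding events that carry several observables through the mapper shows which observer fields survive under the index-0 reading; compare against actual parser output in your tenant before relying on it.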
| Log field | UDM mapping | Logic |
|---|---|---|
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| malware.cves.product.name | extensions.vulns.vulnerabilities.about.application | |
| malware.cves.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| malware.cves.uid | extensions.vulns.vulnerabilities.cve_id | |
| malware.cves.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| malware.cves.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| malware.cves.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| malware.cves.created_time | extensions.vulns.vulnerabilities.first_found | |
| malware.cves.type | extensions.vulns.vulnerabilities.name | |
| malware.cves.cvss.severity | extensions.vulns.vulnerabilities.severity | If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
| malware.cves.product.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| proxy.svc_name | intermediary.application | |
| proxy.uid | intermediary.asset_id | |
| proxy.domain | intermediary.domain.name | |
| proxy.hostname | intermediary.hostname | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| proxy.intermediate_ips | intermediary.ip | |
| proxy.ip | intermediary.ip | |
| src_endpoint.intermediate_ips | intermediary.ip | |
| proxy.location.city | intermediary.location.city | |
| proxy.location.country | intermediary.location.country_or_region | |
| proxy.location.region | intermediary.location.name | |
| proxy.location.coordinates.1 | intermediary.location.region_coordinates.latitude | |
| proxy.location.coordinates.0 | intermediary.location.region_coordinates.longitude | |
| proxy.mac | intermediary.mac | |
| proxy.port | intermediary.port | |
| metadata.logged_time | metadata.collected_timestamp | |
| api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
| message | metadata.description | |
| time | metadata.event_timestamp | |
| class_name | metadata.log_type | |
| metadata.product.name | metadata.product_name | |
| metadata.product.version | metadata.product_version | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.uid | metadata.product_log_id | |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| connection_info.protocol_ver_id | network.application_protocol_version | If the connection_info.protocol_ver_id log field value is equal to 4 then, the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if connection_info.protocol_ver_id log field value is equal to 6 then, the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). |
| connection_info.direction_id | network.direction | If the connection_info.direction_id log field value is equal to 1 then, the network.direction UDM field is set to INBOUND. Else, if connection_info.direction_id log field value is equal to 2 then, the network.direction UDM field is set to OUTBOUND. Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
| command | network.ftp.command | |
| api.response.code | network.http.response_code | |
| connection_info.protocol_num | network.ip_protocol | If the connection_info.protocol_num log field value is equal to 1 then, the network.ip_protocol UDM field is set to ICMP. Else, if connection_info.protocol_num log field value is equal to 2 then, the network.ip_protocol UDM field is set to IGMP. Else, if connection_info.protocol_num log field value is equal to 6 then, the network.ip_protocol UDM field is set to TCP. Else, if connection_info.protocol_num log field value is equal to 17 then, the network.ip_protocol UDM field is set to UDP. Else, if connection_info.protocol_num log field value is equal to 41 then, the network.ip_protocol UDM field is set to IP6IN4. Else, if connection_info.protocol_num log field value is equal to 47 then, the network.ip_protocol UDM field is set to GRE. Else, if connection_info.protocol_num log field value is equal to 50 then, the network.ip_protocol UDM field is set to ESP. Else, if connection_info.protocol_num log field value is equal to 58 then, the network.ip_protocol UDM field is set to ICMP6. Else, if connection_info.protocol_num log field value is equal to 88 then, the network.ip_protocol UDM field is set to EIGRP. Else, if connection_info.protocol_num log field value is equal to 97 then, the network.ip_protocol UDM field is set to ETHERIP. Else, if connection_info.protocol_num log field value is equal to 103 then, the network.ip_protocol UDM field is set to PIM. Else, if connection_info.protocol_num log field value is equal to 112 then, the network.ip_protocol UDM field is set to VRRP. Else, if connection_info.protocol_num log field value is equal to 132 then, the network.ip_protocol UDM field is set to SCTP. Else, the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL. |
| traffic.bytes_out | network.sent_bytes | |
| traffic.packets_out | network.sent_packets | |
| traffic.bytes_in | network.received_bytes | |
| traffic.packets_in | network.received_packets | |
| actor.session.uid | network.session_id | |
| tls.cipher | network.tls.cipher | |
| tls.certificate.issuer | network.tls.client.certificate.issuer | |
| tls.certificate.expiration_time | network.tls.client.certificate.not_after | |
| tls.certificate.created_time | network.tls.client.certificate.not_before | |
| tls.certificate.serial_number | network.tls.client.certificate.serial | |
| tls.certificate.subject | network.tls.client.certificate.subject | |
| tls.certificate.version | network.tls.client.certificate.version | |
| tls.ja3_hash.value | network.tls.client.ja3 | |
| tls.ja3s_hash.value | network.tls.client.ja3s | |
| tls.sni | network.tls.client.server_name | |
| tls.client_ciphers | network.tls.client.supported_ciphers | |
| tls.version | network.tls.version_protocol | |
| observables.value | observer.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.file.vhash | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.hostname | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.mac | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.process.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.resource.product_object_id | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.url | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.email_addresses | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.userid | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| actor.process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| actor.user.domain | principal.administrative_domain | |
| src_endpoint.svc_name | principal.application | |
| src_endpoint.uid | principal.asset_id | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.hostname | principal.asset.hostname | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.country | principal.asset.location.country_or_region | |
| device.region | principal.asset.location.name | |
| device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
| device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
| device.location.region | principal.asset.location.name | If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
| device.mac | principal.asset.mac | |
| device.domain | principal.asset.network_domain | |
| device.os.type_id | principal.asset.platform_software.platform | If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX. Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC. Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS. Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.uid | principal.asset.product_object_id | |
| device.type_id | principal.asset.type | If the device.type_id log field value is equal to 1 then, the principal.asset.type UDM field is set to SERVER. Else, if device.type_id log field value is equal to 2 then, the principal.asset.type UDM field is set to WORKSTATION. Else, if device.type_id log field value is equal to 3 then, the principal.asset.type UDM field is set to LAPTOP. Else, if device.type_id log field value is equal to 4 or the device.type_id log field value is equal to 5 then, the principal.asset.type UDM field is set to MOBILE. Else, if device.type_id log field value is equal to 7 then, the principal.asset.type UDM field is set to IOT. Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED. |
| src_endpoint.domain | principal.domain.name | |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| actor.user.groups.name | principal.group.group_display_name | |
| src_endpoint.hostname | principal.hostname | |
| src_endpoint.ip | principal.ip | |
| src_endpoint.location.city | principal.location.city | |
| src_endpoint.location.country | principal.location.country_or_region | |
| src_endpoint.location.region | principal.location.name | |
| src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | |
| src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | |
| src_endpoint.mac | principal.mac | |
| src_endpoint.port | principal.port | |
| actor.process.cmd_line | principal.process.command_line | |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.modified_time | principal.process.file.last_modification_time | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.mime_type | principal.process.file.mime_type | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | |
cloud.project_uid |
principal.resource.product_object_id |
|
actor.process.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is empty and the actor.process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.name |
principal.user.company_name |
|
actor.process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.org.ou_name |
principal.user.department |
|
actor.process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
|
actor.process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.groups.uid |
principal.user.group_identifiers |
|
actor.process.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.full_name |
principal.user.user_display_name |
|
actor.process.user.name |
principal.user.userid |
If the actor.user.name log field value is empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.name |
principal.user.userid |
|
actor.process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.uid |
principal.user.product_object_id |
|
disposition_id |
security_result.action |
If the disposition_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW. Else, if disposition_id log field value is equal to 2 then, the security_result.action UDM field is set to BLOCK. Else, if disposition_id log field value is equal to 4 then, the security_result.action UDM field is set to QUARANTINE. Else, the security_result.action UDM field is set to UNKNOWN_ACTION. |
disposition |
security_result.action_details |
|
attacks.tactics.uid |
security_result.attack_details.tactics.id |
|
attacks.tactics.name |
security_result.attack_details.tactics.name |
|
attacks.technique.uid |
security_result.attack_details.technique.id |
|
attacks.technique.name |
security_result.attack_details.technique.name |
|
attacks.version |
security_result.attack_details.version |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
severity |
security_result.severity_details |
|
malware.uid |
security_result.threat_id |
|
malware.name |
security_result.threat_name |
|
api.service.name |
target.application |
If the dst_endpoint.svc_name log field value is empty then, api.service.name log field is mapped to the target.application UDM field. |
dst_endpoint.svc_name |
target.application |
|
dst_endpoint.uid |
target.asset_id |
|
dst_endpoint.domain |
target.domain.name |
|
dst_endpoint.hostname |
target.hostname |
|
dst_endpoint.ip |
target.ip |
|
dst_endpoint.location.city |
target.location.city |
|
dst_endpoint.location.country |
target.location.country_or_region |
|
dst_endpoint.location.region |
target.location.name |
|
dst_endpoint.location.coordinates.1 |
target.location.region_coordinates.latitude |
|
dst_endpoint.location.coordinates.0 |
target.location.region_coordinates.longitude |
|
dst_endpoint.mac |
target.mac |
|
dst_endpoint.port |
target.port |
|
type_uid |
security_result.detection_fields[type_uid] |
|
connection_info.session.uid_alt |
additional.fields[connection_info_session_uid_alt] |
|
connection_info.session.count |
additional.fields[connection_info_session_count] |
|
connection_info.session.expiration_reason |
additional.fields[connection_info_session_expiration_reason] |
|
connection_info.session.is_mfa |
additional.fields[connection_info_session_is_mfa] |
|
connection_info.session.terminal |
additional.fields[connection_info_session_terminal] |
|
connection_info.session.is_vpn |
additional.fields[connection_info_session_is_vpn] |
|
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
src_endpoint.hw_info.bios_date |
principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] |
|
src_endpoint.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
src_endpoint.hw_info.bios_ver |
principal.asset.hardware.model |
|
src_endpoint.hw_info.cpu_bits |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] |
|
src_endpoint.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
src_endpoint.hw_info.cpu_count |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] |
|
src_endpoint.hw_info.chassis |
principal.asset.attribute.labels[src_endpoint_hw_info_chassis] |
|
src_endpoint.hw_info.desktop_display.color_depth |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.hw_info.desktop_display.physical_height |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.hw_info.desktop_display.physical_orientation |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.hw_info.desktop_display.physical_width |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.hw_info.desktop_display.scale_factor |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.hw_info.keyboard_info.function_keys |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.hw_info.keyboard_info.ime |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.hw_info.keyboard_info.keyboard_layout |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.hw_info.keyboard_info.keyboard_subtype |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.hw_info.keyboard_info.keyboard_type |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.hw_info.cpu_speed |
principal.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.hw_info.cpu_type |
principal.asset.hardware.cpu_platform |
|
src_endpoint.hw_info.ram_size |
principal.asset.hardware.ram |
|
src_endpoint.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
src_endpoint.zone |
principal.asset.attribute.labels[src_endpoint_zone] |
|
src_endpoint.type |
additional.fields[src_endpoint_type] |
|
src_endpoint.type_id |
additional.fields[src_endpoint_type_id] |
|
src_endpoint.os.cpe_name |
principal.asset.attribute.labels[src_endpoint_os_cpe_name] |
|
src_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
src_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
src_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
src_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
src_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
src_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
src_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
src_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
src_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
src_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
src_endpoint.proxy_endpoint.port |
intermediary.port |
|
src_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
src_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] |
|
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
src_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
src_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
src_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
src_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
src_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
src_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
src_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] |
|
src_endpoint.proxy_endpoint.type |
additional.fields[src_endpoint_proxy_endpoint_type] |
|
src_endpoint.proxy_endpoint.type_id |
additional.fields[src_endpoint_proxy_endpoint_type_id] |
|
src_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] |
|
tls.certificate.uid |
additional.fields[tls_certificate_uid] |
|
traffic.chunks |
additional.fields[traffic_chunks] |
|
traffic.chunks_in |
additional.fields[traffic_chunks_in] |
|
traffic.chunks_out |
additional.fields[traffic_chunks_out] |
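The table above reads as a long list of rules, but a handful of them decide whether a detection fires: the integer-to-enum tables, the rule that actor.user.* wins over actor.process.user.* only when the primary is empty, the "<category_uid> - <category_name>" formatted string, the [longitude, latitude] coordinate order, the "label keyed by log path" convention for fields UDM does not model, and the per-logger iteration over metadata.loggers that produces one about entry each. The following Python re-implements that slice of the documented logic. It is an added example written for this page, not Google's parser code or any SecOps API; the event it runs on is constructed here (it is not the page's sample log), and the flat dotted-path output format is this example's own convention for making the assertions readable.

```python
"""Added example, not Google's parser code: re-implements a slice of the OCSF -> UDM
logic documented in the table above and emits flat dotted UDM paths for checking."""
import json

# Enum tables transcribed from the Logic column; any other value hits the default.
OS_PLATFORM = {100: "WINDOWS", 101: "WINDOWS", 200: "LINUX", 201: "ANDROID", 300: "MAC", 301: "IOS"}
DEVICE_TYPE = {1: "SERVER", 2: "WORKSTATION", 3: "LAPTOP", 4: "MOBILE", 5: "MOBILE", 7: "IOT"}
DISPOSITION = {1: "ALLOW", 2: "BLOCK", 4: "QUARANTINE"}
SEVERITY = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}
USER_ROLE = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}

# actor.user.* wins; actor.process.user.* is used only when the primary is empty.
USER_FALLBACKS = [
    ("actor.user.name", "actor.process.user.name", "principal.user.userid"),
    ("actor.user.uid", "actor.process.user.uid", "principal.user.product_object_id"),
]


def get(obj, path):
    """Walk a dotted path through nested dicts and lists; None when absent."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
    return cur


def pick(event, primary, fallback):
    """Fallback rule from the table: primary unless it is missing or empty."""
    value = get(event, primary)
    return value if value not in (None, "", []) else get(event, fallback)


def to_udm(event):
    udm = {}
    for path, target, table, default in [
        ("device.os.type_id", "principal.asset.platform_software.platform", OS_PLATFORM, "UNKNOWN_PLATFORM"),
        ("device.type_id", "principal.asset.type", DEVICE_TYPE, "ROLE_UNSPECIFIED"),
        ("disposition_id", "security_result.action", DISPOSITION, "UNKNOWN_ACTION"),
        ("severity_id", "security_result.severity", SEVERITY, "UNKNOWN_SEVERITY"),
    ]:
        value = get(event, path)
        if value is not None:
            udm[target] = table.get(value, default)

    role_id = pick(event, "actor.user.type_id", "actor.process.user.type_id")
    if role_id is not None:
        udm["principal.user.attribute.roles.name"] = USER_ROLE.get(role_id, "Other")
    for primary, fallback, target in USER_FALLBACKS:
        value = pick(event, primary, fallback)
        if value is not None:
            udm[target] = value

    # category_details is one formatted string, "<category_uid> - <category_name>".
    uid, name = get(event, "category_uid"), get(event, "category_name")
    if uid is not None and name is not None:
        udm["security_result.category_details"] = f"{uid} - {name}"

    for src, dst in [("src_endpoint", "principal"), ("dst_endpoint", "target")]:
        # OCSF coordinates are [longitude, latitude]: index 1 is latitude, index 0 longitude.
        coords = get(event, f"{src}.location.coordinates")
        if isinstance(coords, list) and len(coords) == 2:
            udm[f"{dst}.location.region_coordinates.latitude"] = coords[1]
            udm[f"{dst}.location.region_coordinates.longitude"] = coords[0]
        zone = get(event, f"{src}.zone")
        if zone is not None:  # unmodelled fields become labels keyed by the log path
            udm.setdefault(f"{dst}.asset.attribute.labels", []).append(
                {"key": f"{src}_zone", "value": zone})

    # metadata.loggers is iterated; each logger's device becomes its own about entry.
    abouts = []
    for logger in get(event, "metadata.loggers") or []:
        about = {t: get(logger, f) for f, t in
                 [("device.hostname", "about.asset.hostname"), ("device.ip", "about.asset.ip")]
                 if get(logger, f) is not None}
        if about:
            abouts.append(about)
    if abouts:
        udm["about"] = abouts
    return udm


# Constructed sample event (not the page's sample log), chosen to exercise each rule.
SAMPLE_EVENT = {
    "category_uid": 3, "category_name": "Audit Activity",
    "severity_id": 3, "disposition_id": 2,
    "device": {"os": {"type_id": 100}, "type_id": 2},
    "actor": {"user": {"uid": "S-1-5-21-1000", "name": ""},   # empty name -> fallback
              "process": {"user": {"name": "svc_backup", "type_id": 3}}},
    "src_endpoint": {"zone": "dmz", "location": {"coordinates": [-73.983, 40.719]}},
    "metadata": {"loggers": [{"device": {"hostname": "collector01", "ip": "10.0.0.5"}}]},
}

if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_EVENT), indent=2))
```

Two things worth checking with this before writing rules on top of the parser's output. First, every enum table has a catch-all: a disposition_id outside {1, 2, 4} becomes UNKNOWN_ACTION, a device type_id outside the listed values becomes ROLE_UNSPECIFIED, and a user type_id outside 0 to 3 becomes Other, so a rule that filters on security_result.action = "BLOCK" silently misses any disposition the source emits that the table does not map; run the values your source actually produces through the tables rather than assuming the OCSF enum and the UDM enum line up. Second, the fallback is on emptiness, not presence: an actor.user.name of "" falls through to actor.process.user.name, but a placeholder such as "-" (as in the page's own sample log) does not, and is mapped as a literal user ID.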
Field mapping reference: OCSF Detection Finding
The following table lists the log fields for the Detection Finding log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
activity_id |
metadata.event_type |
If the class_name log field value is equal to Detection Finding then, the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
cloud.org.name |
about.resource.name |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
|
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.product.name |
metadata.product_name |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
metadata.uid |
metadata.product_log_id |
|
time |
metadata.event_timestamp |
|
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
|
message |
metadata.description |
|
observables.value |
observer.file.names |
|
observables.value |
observer.file.vhash |
|
observables.value |
observer.hostname |
|
observables.value |
observer.ip |
|
observables.value |
observer.mac |
|
observables.value |
observer.process.file.names |
|
observables.value |
observer.resource.product_object_id |
|
observables.value |
observer.url |
|
observables.value |
observer.user.email_addresses |
|
observables.value |
observer.user.userid |
|
resources.group.desc |
about.group.attribute.labels[resources_{index}_group_desc] |
Iterate through log field resources, thenif the resources.group.desc log field value is not empty then, the about.group.attribute.labels.key UDM field is set to resources_{index}_group_desc and resources.group.desc log field is mapped to the about.group.attribute.labels UDM field. |
resources.group.domain |
about.administrative_domain |
Iterate through log field resources, thenif the resources.group.domain log field value is not empty then,. |
resources.group.name |
about.group.group_display_name |
Iterate through log field resources, thenif the resources.group.name log field value is not empty then, resources.group.name log field is mapped to the about.group.group_display_name UDM field. |
resources.group.privileges |
about.group.attribute.labels[resources_{index}group_privileges{index1}] |
Iterate through log field resources, theniterate through log field resources.group.privileges, thenif the resources.group.privileges log field value is not empty then, the about.group.attribute.labels.key UDM field is set to resources_{index}group_privileges{index1} and resources.group.privileges log field is mapped to the about.group.attribute.labels UDM field. |
resources.group.type |
about.group.attribute.labels[resource_{index}_group_type] |
Iterate through log field resources, thenif the resources.group.type log field value is not empty then, the about.group.attribute.labels.key UDM field is set to resources_{index}_group_type and resources.group.type log field is mapped to the about.group.attribute.labels UDM field. |
resources.group.uid |
about.group.product_object_id |
Iterate through log field resources, thenif the resources.group.uid log field value is not empty then, resources.group.uid log field is mapped to the about.group.product_object_id UDM field. |
resources.owner.account.name |
about.user.attribute.labels[resources_{index}_owner_account_name] |
Iterate through log field resources, thenif the resources.owner.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_account_name and resources.owner.account.name log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.account.type |
about.user.attribute.labels[resources_{index}_owner_account_type] |
Iterate through log field resources, thenif the resources.owner.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_account_type and resources.owner.account.type log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.account.type_id |
about.user.attribute.labels[resources_{index}_owner_account_type_id] |
Iterate through log field resources, thenif the resources.owner.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_account_type_id and resources.owner.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.account.uid |
about.user.attribute.labels[resources_{index}_owner_account_uid] |
Iterate through log field resources, thenif the resources.owner.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_account_uid and resources.owner.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.credential_uid |
about.user.attribute.labels[resources_{index}_owner_credential_uid] |
Iterate through log field resources, then if the resources.owner.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_credential_uid and resources.owner.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.domain |
about.user.attribute.labels[resources_{index}_owner_domain] |
Iterate through log field resources, then if the resources.owner.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_domain and resources.owner.domain log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.email_addr |
about.user.email_addresses |
Iterate through log field resources, then if the resources.owner.email_addr log field value is not empty then, resources.owner.email_addr log field is mapped to the about.user.email_addresses UDM field. |
resources.owner.full_name |
about.user.user_display_name |
Iterate through log field resources, then if the resources.owner.full_name log field value is not empty then, resources.owner.full_name log field is mapped to the about.user.user_display_name UDM field. |
resources.owner.groups.desc |
about.user.attribute.labels[resources_%{index}_owner_groups_%{index1}_desc] |
Iterate through log field resources, then iterate through log field resources.owner.groups, then if the resources.owner.groups.desc log field value is not empty then, resources_%{index}_owner_groups_%{index1}_desc log field is mapped to the about.user.attribute.labels.key UDM field and resources.owner.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.groups.domain |
about.user.attribute.labels[resources_%{index}_owner_groups_%{index1}_domain] |
Iterate through log field resources, then iterate through log field resources.owner.groups, then if the resources.owner.groups.domain log field value is not empty then, resources_%{index}_owner_groups_%{index1}_domain log field is mapped to the about.user.attribute.labels.key UDM field and resources.owner.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.groups.name |
about.user.group_identifiers |
Iterate through log field resources, then iterate through log field resources.owner.groups, then if the resources.owner.groups.name log field value is not empty then, resources.owner.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
resources.owner.groups.privileges |
about.user.attribute.labels[resources_%{index}_owner_groups_%{index1}_privileges_%{index2}] |
Iterate through log field resources, then iterate through log field resources.owner.groups, then if the resources.owner.groups.privileges log field value is not empty then, resources_%{index}_owner_groups_%{index1}_privileges_%{index2} log field is mapped to the about.user.attribute.labels.key UDM field and resources.owner.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.groups.type |
about.user.attribute.labels[resources_%{index}_owner_groups_%{index1}_type] |
Iterate through log field resources, then iterate through log field resources.owner.groups, then if the resources.owner.groups.type log field value is not empty then, resources_%{index}_owner_groups_%{index1}_type log field is mapped to the about.user.attribute.labels.key UDM field and resources.owner.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.groups.uid |
about.user.attribute.labels[resources_%{index}_owner_groups_%{index1}_uid] |
Iterate through log field resources, then iterate through log field resources.owner.groups, then if the resources.owner.groups.uid log field value is not empty then, resources_%{index}_owner_groups_%{index1}_uid log field is mapped to the about.user.attribute.labels.key UDM field and resources.owner.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.cost_center |
about.user.attribute.labels[resources_{index}_owner_ldap_person_cost_center] |
Iterate through log field resources, then if the resources.owner.ldap_person.created_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_cost_center and resources.owner.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.created_time |
about.user.attribute.creation_time |
Iterate through log field resources, then if the resources.owner.ldap_person.created_time log field value is not empty then, resources.owner.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
resources.owner.ldap_person.deleted_time |
about.user.attribute.labels[resources_{index}_owner_ldap_person_deleted_time] |
Iterate through log field resources, then if the resources.owner.ldap_person.created_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_deleted_time and resources.owner.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field resources, then iterate through log field resources.owner.ldap_person.email_addrs, then if the resources.owner.ldap_person.email_addrs log field value is not empty then, resources.owner.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
resources.owner.ldap_person.employee_uid |
about.user.employee_id |
Iterate through log field resources, then if the resources.owner.ldap_person.employee_id log field value is not empty then, resources.owner.ldap_person.employee_id log field is mapped to the about.user.employee_id UDM field. |
resources.owner.ldap_person.given_name |
about.user.first_name |
Iterate through log field resources, then if the resources.owner.ldap_person.given_name log field value is not empty then, resources.owner.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
resources.owner.ldap_person.hire_time |
about.user.hire_date |
Iterate through log field resources, then if the resources.owner.ldap_person.hire_time log field value is not empty then, resources.owner.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
resources.owner.ldap_person.job_title |
about.user.title |
Iterate through log field resources, then if the resources.owner.ldap_person.job_title log field value is not empty then, resources.owner.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
resources.owner.ldap_person.labels |
about.user.attribute.labels[resources_{index}owner_ldap_person_label{index1}] |
Iterate through log field resources, then iterate through log field resources.owner.ldap_person.labels, then if the resources.owner.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}owner_ldap_person_label{index1} and resources.owner.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.last_login_time |
about.user.last_login_time |
Iterate through log field resources, then if the resources.owner.ldap_person.last_login_time log field value is not empty then, resources.owner.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
resources.owner.ldap_person.ldap_cn |
about.user.attribute.labels[resources_{index}_owner_ldap_person_ldap_cn] |
Iterate through log field resources, then if the resources.owner.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_ldap_cn and resources.owner.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.ldap_dn |
about.user.attribute.labels[resources_{index}_owner_ldap_person_ldap_dn] |
Iterate through log field resources, then if the resources.owner.ldap_person.ldap_dn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_ldap_dn and resources.owner.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.leave_time |
about.user.termination_date |
Iterate through log field resources, then if the resources.owner.ldap_person.leave_time log field value is not empty then, resources.owner.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
resources.owner.ldap_person.modified_time |
about.user.attribute.last_update_time |
Iterate through log field resources, then if the resources.owner.ldap_person.modified_time log field value is not empty then, resources.owner.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
resources.owner.ldap_person.office_location |
about.user.office_address.name |
Iterate through log field resources, then if the resources.owner.ldap_person.office_location log field value is not empty then, resources.owner.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
resources.owner.ldap_person.surname |
about.user.last_name |
Iterate through log field resources, then if the resources.owner.ldap_person.surname log field value is not empty then, resources.owner.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
resources.owner.ldap_person.manager.account.name |
about.user.managers.attribute.labels[resources_{index}_owner_ldap_person_manager_account_name] |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_manager_account_name and resources.owner.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.account.type |
about.user.managers.attribute.labels[resources_{index}_owner_ldap_person_manager_account_type] |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_manager_account_type and resources.owner.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.account.type_id |
about.user.managers.attribute.labels[resources_{index}_owner_ldap_person_manager_account_type_id] |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_manager_account_type_id and resources.owner.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.account.uid |
about.user.managers.attribute.labels[resources_{index}_owner_ldap_person_manager_account_uid] |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_manager_account_uid and resources.owner.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.credential_uid |
about.user.managers.attribute.labels[resources_{index}_owner_ldap_person_manager_credential_uid] |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_manager_credential_uid and resources.owner.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.domain |
about.user.managers.attribute.labels[resources_{index}_owner_ldap_person_manager_domain] |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_manager_domain and resources.owner.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.email_addr |
about.user.managers.email_addresses |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.email_addr log field value is not empty then, resources.owner.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
resources.owner.ldap_person.manager.full_name |
about.user.managers.user_display_name |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.full_name log field value is not empty then, resources.owner.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
resources.owner.ldap_person.manager.groups.desc |
about.user.managers.attribute.labels[resources_%{index}_owner_ldap_person_manager_group_%{index1}_desc] |
Iterate through log field resources, then iterate through log field resources.owner.ldap_person.manager.groups, then if the resources.owner.ldap_person.manager.groups.desc log field value is not empty then, resources_%{index}_owner_ldap_person_manager_group_%{index1}_desc log field is mapped to the about.user.managers.attribute.labels.key UDM field and resources.owner.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.groups.domain |
about.user.managers.attribute.labels[resources_%{index}_owner_ldap_person_manager_group_%{index1}_domain] |
Iterate through log field resources, then iterate through log field resources.owner.ldap_person.manager.groups, then if the resources.owner.ldap_person.manager.groups.domain log field value is not empty then, resources_%{index}_owner_ldap_person_manager_group_%{index1}_domain log field is mapped to the about.user.managers.attribute.labels.key UDM field and resources.owner.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.groups.name |
about.user.managers.attribute.labels[resources_%{index}_owner_ldap_person_manager_group_%{index1}_name] |
Iterate through log field resources, then iterate through log field resources.owner.ldap_person.manager.groups, then if the resources.owner.ldap_person.manager.groups.name log field value is not empty then, resources_%{index}_owner_ldap_person_manager_group_%{index1}_name log field is mapped to the about.user.managers.attribute.labels.key UDM field and resources.owner.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.groups.privileges |
about.user.managers.attribute.labels[resources_%{index}_owner_ldap_person_manager_group_%{index1}_privileges_%{index2}] |
Iterate through log field resources, then iterate through log field resources.owner.ldap_person.manager.groups, then iterate through log field resources.owner.ldap_person.manager.groups.privileges, then if the resources.owner.ldap_person.manager.groups.privileges log field value is not empty then, resources_%{index}_owner_ldap_person_manager_group_%{index1}_privileges_%{index2} log field is mapped to the about.user.managers.attribute.labels.key UDM field and resources.owner.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.groups.type |
about.user.managers.attribute.labels[resources_%{index}_owner_ldap_person_manager_group_%{index1}_type] |
Iterate through log field resources, then iterate through log field resources.owner.ldap_person.manager.groups, then if the resources.owner.ldap_person.manager.groups.type log field value is not empty then, resources_%{index}_owner_ldap_person_manager_group_%{index1}_type log field is mapped to the about.user.managers.attribute.labels.key UDM field and resources.owner.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.groups.uid |
about.user.managers.attribute.labels[resources_%{index}_owner_ldap_person_manager_group_%{index1}_uid] |
Iterate through log field resources, then iterate through log field resources.owner.ldap_person.manager.groups, then if the resources.owner.ldap_person.manager.groups.uid log field value is not empty then, resources_%{index}_owner_ldap_person_manager_group_%{index1}_uid log field is mapped to the about.user.managers.attribute.labels.key UDM field and resources.owner.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.name |
about.user.managers.userid |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.name log field value is not empty then, resources.owner.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
resources.owner.ldap_person.manager.type |
about.user.managers.attribute.labels[resources_{index}_owner_ldap_person_manager_type] |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_manager_type and resources.owner.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
Iterate through log field resources, then if the resource_details.owner.ldap_person.manager.type_id log field value is equal to 1 then, Else, if resource_details.owner.ldap_person.manager.type_id log field value is equal to 2 then, Else, if resource_details.owner.ldap_person.manager.type_id log field value is equal to 3 then, Else, if resource_details.owner.ldap_person.manager.type_id log field value is equal to 0 then, Else,. |
resources.owner.ldap_person.manager.uid |
about.user.managers.product_object_id |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.uid log field value is not empty then, resources.owner.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
resources.owner.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[resources_{index}_owner_ldap_person_manager_uid_alt] |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_manager_uid_alt and resources.owner.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.org.name |
about.user.managers.company_name |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.org.name log field value is not empty then, resources.owner.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
resources.owner.ldap_person.manager.org.ou_name |
about.user.managers.department |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.org.ou_name log field value is not empty then, resources.owner.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
resources.owner.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[resources_{index}_owner_ldap_person_manager_org_ou_uid] |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_manager_org_ou_uid and resources.owner.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[resources_{index}_owner_ldap_person_manager_org_uid] |
Iterate through log field resources, then if the resources.owner.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_manager_org_uid and resources.owner.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
resources.owner.ldap_person.location.city |
about.user.personal_address.city |
Iterate through log field resources, then if the resources.owner.ldap_person.location.city log field value is not empty then, resources.owner.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
resources.owner.ldap_person.location.continent |
about.user.attribute.labels[resources_{index}_owner_ldap_person_location_continent] |
Iterate through log field resources, then if the resources.owner.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_location_continent and resources.owner.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.latitude & longitude |
Iterate through log field resources, then iterate through log field resources.owner.ldap_person.location.coordinates, then if the index value is equal to 0 then, resources.owner.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, resources.owner.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.latitude UDM field. |
resources.owner.ldap_person.location.country |
about.user.office_address.country_or_region |
Iterate through log field resources, then if the resources.owner.ldap_person.location.country log field value is not empty then, resources.owner.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
resources.owner.ldap_person.location.desc |
about.user.office_address.name |
Iterate through log field resources, then if the resources.owner.ldap_person.location.desc log field value is not empty then, resources.owner.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
resources.owner.ldap_person.location.is_on_premises |
about.user.attribute.labels[resources_{index}_owner_ldap_person_location_is_on_premises] |
Iterate through log field resources, then if the resources.owner.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_location_is_on_premises and resources.owner.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.location.isp |
about.user.attribute.labels[resources_{index}_owner_ldap_person_location_isp] |
Iterate through log field resources, then if the resources.owner.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_location_isp and resources.owner.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.location.postal_code |
about.user.attribute.labels[resources_{index}_owner_ldap_person_location_postal_code] |
Iterate through log field resources, then if the resources.owner.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_location_postal_code and resources.owner.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.location.provider |
about.user.attribute.labels[resources_{index}_owner_ldap_person_location_provider] |
Iterate through log field resources, then if the resources.owner.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_ldap_person_location_provider and resources.owner.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.ldap_person.location.region |
about.user.office_address.state |
Iterate through log field resources, then if the resources.owner.ldap_person.location.region log field value is not empty then, resources.owner.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
resources.owner.name |
about.user.userid |
Iterate through log field resources, then if the resources.owner.name log field value is not empty then, resources.owner.name log field is mapped to the about.user.userid UDM field. |
resources.owner.org.name |
about.user.company_name |
Iterate through log field resources, then if the resources.owner.org.name log field value is not empty then, resources.owner.org.name log field is mapped to the about.user.company_name UDM field. |
resources.owner.org.ou_name |
about.user.department |
Iterate through log field resources, then if the resources.owner.org.ou_name log field value is not empty then, resources.owner.org.ou_name log field is mapped to the about.user.department UDM field. |
resources.owner.org.ou_uid |
about.user.attribute.labels[resources_{index}_owner_org_ou_uid] |
Iterate through log field resources, then if the resources.owner.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_org_ou_uid and resources.owner.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.org.uid |
about.user.attribute.labels[resources_{index}_owner_org_uid] |
Iterate through log field resources, then if the resources.owner.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_org_uid and resources.owner.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.type |
about.user.attribute.labels[resources_{index}_owner_type] |
Iterate through log field resources, then if the resources.owner.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_type and resources.owner.type log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.type_id |
about.user.attribute.labels[resources_{index}_owner_type_id] |
Iterate through log field resources, then if the resources.owner.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_type_id and resources.owner.type_id log field is mapped to the about.user.attribute.labels UDM field. |
resources.owner.uid |
about.user.product_object_id |
Iterate through log field resources, then if the resources.owner.uid log field value is not empty then, resources.owner.uid log field is mapped to the about.user.product_object_id UDM field. |
resources.owner.uid_alt |
about.user.attribute.labels[resources_{index}_owner_uid_alt] |
Iterate through log field resources, then if the resources.owner.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to resources_{index}_owner_uid_alt and resources.owner.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
finding_info.analytic.category |
security_result.detection_fields[finding_info_analytic_category] |
If the finding_info.analytic.category log field value is not empty then, the security_result.detection_fields.key UDM field is set to finding_info_analytic_category and finding_info.analytic.category log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.analytic.desc |
security_result.rule_labels[finding_info_analytic_desc] |
If the finding_info.analytic.desc log field value is not empty then, the security_result.rule_labels.key UDM field is set to finding_info_analytic_desc and finding_info.analytic.desc log field is mapped to the security_result.rule_labels UDM field. |
finding_info.analytic.name |
security_result.analytics_metadata.analytic |
If the finding_info.analytic.name log field value is not empty then, finding_info.analytic.name log field is mapped to the security_result.analytics_metadata.analytic UDM field. |
finding_info.analytic.type |
security_result.rule_type |
If the finding_info.analytic.type log field value is not empty then, finding_info.analytic.type log field is mapped to the security_result.rule_type UDM field. |
finding_info.analytic.type_id |
security_result.rule_labels[finding_info_analytic_type_id] |
If the finding_info.analytic.type_id log field value is not empty then, the security_result.rule_labels.key UDM field is set to finding_info_analytic_type_id and finding_info.analytic.type_id log field is mapped to the security_result.rule_labels UDM field. |
finding_info.analytic.uid |
security_result.rule_id |
If the finding_info.analytic.uid log field value is not empty then, finding_info.analytic.uid log field is mapped to the security_result.rule_id UDM field. |
finding_info.analytic.version |
security_result.detection_fields[finding_info_analytic_version] |
If the finding_info.analytic.version log field value is not empty then, the security_result.detection_fields.key UDM field is set to finding_info_analytic_version and finding_info.analytic.version log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.attacks.sub_technique.name |
security_result.attack_details.techniques.subtechnique_name |
Iterate through log field finding_info.attacks, then if the finding_info.attacks.sub_technique.name log field value is not empty then, finding_info.attacks.sub_technique.name log field is mapped to the security_result.attack_details.techniques.subtechnique_name UDM field. |
finding_info.attacks.sub_technique.src_url |
security_result.detection_fields[finding_info_attacks_%{index}_subtechnique_src_url] |
Iterate through log field finding_info.attacks, then if the finding_info.attacks.sub_technique.src_url log field value is not empty then, %{finding_info_attacks_%{index}_subtechnique_src_url} log field is mapped to the security_result.detection_fields.key UDM field and finding_info.attacks.sub_technique.src_url log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.attacks.sub_technique.uid |
security_result.attack_details.techniques.subtechnique_id |
Iterate through log field finding_info.attacks, then if the finding_info.attacks.sub_technique.uid log field value is not empty then, finding_info.attacks.sub_technique.uid log field is mapped to the security_result.attack_details.techniques.subtechnique_id UDM field. |
finding_info.attacks.tactic.name |
security_result.attack_details.tactics.name |
Iterate through log field finding_info.attacks, then if the finding_info.attacks.tactic.name log field value is not empty then, finding_info.attacks.tactic.name log field is mapped to the security_result.attack_details.tactics.name UDM field. |
finding_info.attacks.tactic.src_url |
security_result.detection_fields[finding_info_attacks_%{index}_tactic_src_url] |
Iterate through log field finding_info.attacks, then if the finding_info.attacks.tactic.src_url log field value is not empty then, %{finding_info_attacks_%{index}_tactic_src_url} log field is mapped to the security_result.detection_fields.key UDM field and finding_info.attacks.tactic.src_url log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.attacks.tactic.uid |
security_result.attack_details.tactics.id |
Iterate through log field finding_info.attacks, then if the finding_info.attacks.tactic.uid log field value is not empty then, finding_info.attacks.tactic.uid log field is mapped to the security_result.attack_details.tactics.id UDM field. |
finding_info.attacks.technique.name |
security_result.attack_details.techniques.name |
Iterate through log field finding_info.attacks, then if the finding_info.attacks.technique.name log field value is not empty then, finding_info.attacks.technique.name log field is mapped to the security_result.attack_details.techniques.name UDM field. |
finding_info.attacks.technique.src_url |
security_result.detection_fields[finding_info_attacks_%{index}_technique_src_url] |
Iterate through log field finding_info.attacks, then if the finding_info.attacks.technique.src_url log field value is not empty then, %{finding_info_attacks_%{index}_technique_src_url} log field is mapped to the security_result.detection_fields.key UDM field and finding_info.attacks.technique.src_url log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.attacks.technique.uid |
security_result.attack_details.techniques.id |
Iterate through log field finding_info.attacks, then if the finding_info.attacks.technique.uid log field value is not empty then, finding_info.attacks.technique.uid log field is mapped to the security_result.attack_details.techniques.id UDM field. |
finding_info.attacks.version |
security_result.attack_details.version |
Iterate through log field finding_info.attacks, then if the finding_info.attacks.version log field value is not empty then, finding_info.attacks.version log field is mapped to the security_result.attack_details.version UDM field. |
finding_info.created_time |
security_result.detection_fields[finding_info_created_time] |
If the finding_info.created_time log field value is not empty then, the security_result.detection_fields.key UDM field is set to finding_info_created_time and finding_info.created_time log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.data_sources |
security_result.detection_fields[finding_info_data_sources] |
Iterate through log field finding_info.data_sources, then if the finding_info.data_sources log field value is not empty then, %{finding_info_data_sources_%{index}} log field is mapped to the security_result.detection_fields.key UDM field and finding_info.data_sources log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.desc |
security_result.description |
If the finding_info.desc log field value is not empty then, finding_info.desc log field is mapped to the security_result.description UDM field. |
finding_info.first_seen_time |
security_result.first_discovered_time |
If the finding_info.first_seen_time log field value is not empty then, finding_info.first_seen_time log field is mapped to the security_result.first_discovered_time UDM field. |
finding_info.kill_chain.phase |
security_result.detection_fields[finding_info_kill_chain_%{index}_phase] |
Iterate through log field finding_info.kill_chain, then if the finding_info.kill_chain.phase log field value is not empty then, %{finding_info_kill_chain_%{index}_phase} log field is mapped to the security_result.detection_fields.key UDM field and finding_info.kill_chain.phase log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.kill_chain.phase_id |
security_result.detection_fields[finding_info_kill_chain_%{index}_phase_id] |
Iterate through log field finding_info.kill_chain, then if the finding_info.kill_chain.phase_id log field value is not empty then, %{finding_info_kill_chain_%{index}_phase_id} log field is mapped to the security_result.detection_fields.key UDM field and finding_info.kill_chain.phase_id log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.last_seen_time |
security_result.last_discovered_time |
If the finding_info.last_seen_time log field value is not empty then, finding_info.last_seen_time log field is mapped to the security_result.last_discovered_time UDM field. |
finding_info.modified_time |
security_result.last_updated_time |
If the finding_info.modified_time log field value is not empty then, finding_info.modified_time log field is mapped to the security_result.last_updated_time UDM field. |
finding_info.related_analytics.category |
security_result.detection_fields[finding_info_related_analytic_%{index}_category] |
Iterate through log field finding_info.related_analytics, then if the finding_info.related_analytics.category log field value is not empty then, finding_info_related_analytic_%{index}_category log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_analytics.category log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_analytics.desc |
security_result.rule_labels[finding_info_related_analytic_%{index}_desc] |
Iterate through log field finding_info.related_analytics, then if the finding_info.related_analytics.desc log field value is not empty then, finding_info_related_analytic_%{index}_desc log field is mapped to the security_result.rule_labels.key UDM field and finding_info.related_analytics.desc log field is mapped to the security_result.rule_labels UDM field. |
finding_info.related_analytics.name |
security_result.analytics_metadata.analytic |
Iterate through log field finding_info.related_analytics, then if the finding_info.related_analytics.name log field value is not empty then, finding_info.related_analytics.name log field is mapped to the security_result.analytics_metadata.analytic UDM field. |
finding_info.related_analytics.type |
security_result.rule_type |
Iterate through log field finding_info.related_analytics, then if the finding_info.related_analytics.type log field value is not empty then, finding_info.related_analytics.type log field is mapped to the security_result.rule_type UDM field. |
finding_info.related_analytics.type_id |
security_result.rule_labels[finding_info_related_analytic_%{index}_type_id] |
Iterate through log field finding_info.related_analytics, then if the finding_info.related_analytics.type_id log field value is not empty then, finding_info_related_analytic_%{index}_type_id log field is mapped to the security_result.rule_labels.key UDM field and finding_info.related_analytics.type_id log field is mapped to the security_result.rule_labels UDM field. |
finding_info.related_analytics.uid |
security_result.rule_id |
Iterate through log field finding_info.related_analytics, then if the finding_info.related_analytics.uid log field value is not empty then, finding_info.related_analytics.uid log field is mapped to the security_result.rule_id UDM field. |
finding_info.related_analytics.version |
security_result.detection_fields[finding_info_related_analytic_%{index}_version] |
Iterate through log field finding_info.related_analytics, then if the finding_info.related_analytics.version log field value is not empty then, finding_info_related_analytic_%{index}_version log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_analytics.version log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.attacks.sub_technique.name |
security_result.attack_details.techniques.subtechnique_name |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.attacks, then if the finding_info.related_events.attacks.sub_technique.name log field value is not empty then, finding_info.related_events.attacks.sub_technique.name log field is mapped to the security_result.attack_details.techniques.subtechnique_name UDM field. |
finding_info.related_events.attacks.sub_technique.src_url |
security_result.detection_fields[finding_info_related_events_%{index}_attacks_%{index1}_technique_src_url] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.attacks, then if the finding_info.related_events.attacks.sub_technique.src_url log field value is not empty then, finding_info_related_events_%{index}_attacks_%{index1}_technique_src_url log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.attacks.sub_technique.src_url log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.attacks.sub_technique.uid |
security_result.attack_details.techniques.subtechnique_id |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.attacks, then if the finding_info.related_events.attacks.sub_technique.uid log field value is not empty then, finding_info.related_events.attacks.sub_technique.uid log field is mapped to the security_result.attack_details.techniques.subtechnique_id UDM field. |
finding_info.related_events.attacks.tactic.name |
security_result.attack_details.tactics.name |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.attacks, then if the finding_info.related_events.attacks.tactic.name log field value is not empty then, finding_info.related_events.attacks.tactic.name log field is mapped to the security_result.attack_details.tactics.name UDM field. |
finding_info.related_events.attacks.tactic.src_url |
security_result.detection_fields[finding_info_related_events_%{index}_attacks_%{index1}_tactic_src_url] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.attacks, then if the finding_info.related_events.attacks.tactic.src_url log field value is not empty then, finding_info_related_events_%{index}_attacks_%{index1}_tactic_src_url log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.attacks.tactic.src_url log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.attacks.tactic.uid |
security_result.attack_details.tactics.id |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.attacks, then if the finding_info.related_events.attacks.tactic.uid log field value is not empty then, finding_info.related_events.attacks.tactic.uid log field is mapped to the security_result.attack_details.tactics.id UDM field. |
finding_info.related_events.attacks.technique.name |
security_result.attack_details.techniques.name |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.attacks, then if the finding_info.related_events.attacks.technique.name log field value is not empty then, finding_info.related_events.attacks.technique.name log field is mapped to the security_result.attack_details.techniques.name UDM field. |
finding_info.related_events.attacks.technique.src_url |
security_result.detection_fields[finding_info_related_events_%{index}_attacks_%{index1}_technique_src_url] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.attacks, then if the finding_info.related_events.attacks.technique.src_url log field value is not empty then, finding_info_related_events_%{index}_attacks_%{index1}_technique_src_url log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.attacks.technique.src_url log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.attacks.technique.uid |
security_result.attack_details.techniques.id |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.attacks, then if the finding_info.related_events.attacks.technique.uid log field value is not empty then, finding_info.related_events.attacks.technique.uid log field is mapped to the security_result.attack_details.techniques.id UDM field. |
finding_info.related_events.attacks.version |
security_result.detection_fields[finding_info_related_events_%{index}_attacks_%{index1}_version] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.attacks, then if the finding_info.related_events.attacks.version log field value is not empty then, finding_info_related_events_%{index}_attacks_%{index1}_version log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.attacks.version log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.kill_chain.phase |
security_result.detection_fields[finding_info_kill_chain_%{index}_phase] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.kill_chain, then if the finding_info.related_events.kill_chain.phase log field value is not empty then, %{finding_info_kill_chain_%{index}_phase} log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.kill_chain.phase log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.kill_chain.phase_id |
security_result.detection_fields[finding_info_kill_chain_%{index}_phase_id] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.kill_chain, then if the finding_info.related_events.kill_chain.phase_id log field value is not empty then, %{finding_info_kill_chain_%{index}_phase_id} log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.kill_chain.phase_id log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.observables.name |
security_result.detection_fields[finding_info_related_events_%{index}_observables_%{index1}_name] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.observables, then if the finding_info.related_events.observables.name log field value is not empty then, finding_info_related_events_%{index}_observables_%{index1}_name log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.observables.name log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.observables.reputation.base_score |
security_result.detection_fields[finding_info_related_events_%{index}_observables_%{index1}_reputation_base_score] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.observables, then if the finding_info.related_events.observables.reputation.base_score log field value is not empty then, finding_info_related_events_%{index}_observables_%{index1}_reputation_base_score log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.observables.reputation.base_score log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.observables.reputation.provider |
security_result.detection_fields[finding_info_related_events_%{index}_observables_%{index1}_reputation_provider] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.observables, then if the finding_info.related_events.observables.reputation.provider log field value is not empty then, finding_info_related_events_%{index}_observables_%{index1}_reputation_provider log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.observables.reputation.provider log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.observables.reputation.score |
security_result.detection_fields[finding_info_related_events_%{index}_observables_%{index1}_reputation_score] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.observables, then if the finding_info.related_events.observables.reputation.score log field value is not empty then, finding_info_related_events_%{index}_observables_%{index1}_reputation_score log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.observables.reputation.score log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.observables.reputation.score_id |
security_result.detection_fields[finding_info_related_events_%{index}_observables_%{index1}_reputation_score_id] |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.observables, then if the finding_info.related_events.observables.reputation.score_id log field value is not empty then, finding_info_related_events_%{index}_observables_%{index1}_reputation_score_id log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.observables.reputation.score_id log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.observables.type |
finding_info_related_events_%{index}_observables_%{index1}_name |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.observables, then if the finding_info.related_events.observables.name log field value is not empty then, finding_info_related_events_%{index}_observables_%{index1}_name log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.observables.name log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.observables.type_id |
finding_info_related_events_%{index}_observables_%{index1}_type_id |
Iterate through log field finding_info.related_events, then iterate through log field finding_info.related_events.observables, then if the finding_info.related_events.observables.name log field value is not empty then, finding_info_related_events_%{index}_observables_%{index1}_name log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.observables.name log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.product_uid |
security_result.detection_fields[finding_info_related_events_%{index}_product_uid] |
Iterate through log field finding_info.related_events, then if the finding_info.related_events.product_uid log field value is not empty then, finding_info_related_events_%{index}_product_uid log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.product_uid log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.type |
security_result.detection_fields[finding_info_related_events_%{index}_type] |
Iterate through log field finding_info.related_events, then if the finding_info.related_events.type log field value is not empty then, finding_info_related_events_%{index}_type log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.type log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.type_uid |
security_result.detection_fields[finding_info_related_events_%{index}_type_uid] |
Iterate through log field finding_info.related_events, then if the finding_info.related_events.type_uid log field value is not empty then, finding_info_related_events_%{index}_type_uid log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.type_uid log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.related_events.uid |
security_result.detection_fields[finding_info_related_events_%{index}_uid] |
Iterate through log field finding_info.related_events, then if the finding_info.related_events.uid log field value is not empty then, finding_info_related_events_%{index}_uid log field is mapped to the security_result.detection_fields.key UDM field and finding_info.related_events.uid log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.src_url |
security_result.url_back_to_product |
If the finding_info.src_url log field value is not empty then, finding_info.src_url log field is mapped to the security_result.url_back_to_product UDM field. |
finding_info.title |
security_result.summary |
If the finding_info.title log field value is not empty then, finding_info.title log field is mapped to the security_result.summary UDM field. |
finding_info.types |
security_result.detection_fields[finding_info_types_%{index}] |
Iterate through log field finding_info.types, then if the finding_info.types log field value is not empty then, finding_info_types_%{index} log field is mapped to the security_result.detection_fields.key UDM field and finding_info.types log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.uid |
security_result.detection_fields[finding_info_uid] |
If the finding_info.uid log field value is not empty then, the security_result.detection_fields.key UDM field is set to finding_info_uid and finding_info.uid log field is mapped to the security_result.detection_fields.value UDM field. |
finding_info.product_uid |
security_result.detection_fields[finding_info_product_uid] |
If the finding_info.product_uid log field value is not empty then, the security_result.detection_fields.key UDM field is set to finding_info_product_uid and finding_info.product_uid log field is mapped to the security_result.detection_fields.value UDM field. |
actor.authorizations.decision |
principal.security_result.action |
Iterate through log field actor.authorizations, then if the actor.authorizations.decision log field value is not empty and is equal to allow then, the principal.security_result.action UDM field is set to ALLOW. Else, if the actor.authorizations.decision log field value is equal to deny then, the principal.security_result.action UDM field is set to BLOCK. Else, the principal.security_result.action UDM field is set to UNKNOWN_ACTION. |
actor.authorizations.policy.desc |
principal.security_result.description |
Iterate through log field actor.authorizations, then if the actor.authorizations.policy.desc log field value is not empty then, actor.authorizations.policy.desc log field is mapped to the principal.security_result.description UDM field. |
actor.authorizations.policy.group.desc |
principal.security_result.about.resource.attribute.labels[actor_authorizations_%{index}_policy_group_desc] |
Iterate through log field actor.authorizations, then if the actor.authorizations.policy.group.desc log field value is not empty then, actor_authorizations_%{index}_policy_group_desc log field is mapped to the principal.security_result.about.resource.attribute.labels.key UDM field and actor.authorizations.policy.group.desc log field is mapped to the principal.security_result.about.resource.attribute.labels UDM field. |
actor.authorizations.policy.group.domain |
principal.security_result.about.resource.attribute.labels[actor_authorizations_%{index}_policy_group_domain] |
Iterate through log field actor.authorizations, then if the actor.authorizations.policy.group.domain log field value is not empty then, actor_authorizations_%{index}_policy_group_domain log field is mapped to the principal.security_result.about.resource.attribute.labels.key UDM field and actor.authorizations.policy.group.domain log field is mapped to the principal.security_result.about.resource.attribute.labels UDM field. |
actor.authorizations.policy.group.name |
principal.security_result.about.resource.attribute.labels[actor_authorizations_%{index}_policy_group_name] |
Iterate through log field actor.authorizations, then if the actor.authorizations.policy.group.name log field value is not empty then, actor_authorizations_%{index}_policy_group_name log field is mapped to the principal.security_result.about.resource.attribute.labels.key UDM field and actor.authorizations.policy.group.name log field is mapped to the principal.security_result.about.resource.attribute.labels UDM field. |
actor.authorizations.policy.group.privileges |
principal.security_result.about.resource.attribute.labels[actor_authorizations_%{index}_policy_group_privileges_%{index1}] |
Iterate through log field actor.authorizations, then iterate through log field actor.authorizations.policy.group.privileges, then if the actor.authorizations.policy.group.privileges log field value is not empty then, actor_authorizations_%{index}_policy_group_privileges_%{index1} log field is mapped to the principal.security_result.about.resource.attribute.labels.key UDM field and actor.authorizations.policy.group.privileges log field is mapped to the principal.security_result.about.resource.attribute.labels UDM field. |
actor.authorizations.policy.group.type |
principal.security_result.about.resource.attribute.labels[actor_authorizations_%{index}_policy_group_type] |
Iterate through log field actor.authorizations, then if the actor.authorizations.policy.group.type log field value is not empty then, actor_authorizations_%{index}_policy_group_type log field is mapped to the principal.security_result.about.resource.attribute.labels.key UDM field and actor.authorizations.policy.group.type log field is mapped to the principal.security_result.about.resource.attribute.labels UDM field. |
actor.authorizations.policy.group.uid |
principal.security_result.about.resource.attribute.labels[actor_authorizations_%{index}_policy_group_uid] |
Iterate through log field actor.authorizations, then if the actor.authorizations.policy.group.uid log field value is not empty then, actor_authorizations_%{index}_policy_group_uid log field is mapped to the principal.security_result.about.resource.attribute.labels.key UDM field and actor.authorizations.policy.group.uid log field is mapped to the principal.security_result.about.resource.attribute.labels UDM field. |
actor.authorizations.policy.name |
principal.security_result.rule_name |
Iterate through log field actor.authorizations, then if the actor.authorizations.policy.name log field value is not empty then, actor.authorizations.policy.name log field is mapped to the principal.security_result.rule_name UDM field. |
actor.authorizations.policy.uid |
principal.security_result.rule_id |
Iterate through log field actor.authorizations, then if the actor.authorizations.policy.uid log field value is not empty then, actor.authorizations.policy.uid log field is mapped to the principal.security_result.rule_id UDM field. |
actor.authorizations.policy.version |
principal.security_result.rule_version |
Iterate through log field actor.authorizations, then if the actor.authorizations.policy.version log field value is not empty then, actor.authorizations.policy.version log field is mapped to the principal.security_result.rule_version UDM field. |
actor.idp.name |
principal.user.attribute.labels[actor_idp_name] |
If the actor.idp.name log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_idp_name and actor.idp.name log field is mapped to the principal.user.attribute.labels UDM field. |
actor.idp.uid |
principal.user.attribute.labels[actor_idp_uid] |
If the actor.idp.uid log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_idp_uid and actor.idp.uid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.invoked_by |
principal.application |
If the actor.invoked_by log field value is not empty then, actor.invoked_by log field is mapped to the principal.application UDM field. |
actor.process.cmd_line |
principal.process.command_line |
If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
actor.process.created_time |
additional.fields[actor_process_created_time] |
If the actor.process.created_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_created_time and actor.process.created_time log field is mapped to the additional.fields UDM field. |
actor.process.file.accessed_time |
additional.fields[actor_process_file_accessed_time] |
If the actor.process.file.accessed_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_accessed_time and actor.process.file.accessed_time log field is mapped to the additional.fields UDM field. |
actor.process.file.accessor.account.name |
about.user.attribute.labels[actor_process_file_accessor_account_name] |
If the actor.process.file.accessor.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_account_name and actor.process.file.accessor.account.name log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.account.type |
about.user.attribute.labels[actor_process_file_accessor_account_type] |
If the actor.process.file.accessor.account.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_account_type and actor.process.file.accessor.account.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.account.type_id |
about.user.attribute.labels[actor_process_file_accessor_account_type_id] |
If the actor.process.file.accessor.account.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_account_type_id and actor.process.file.accessor.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.account.uid |
about.user.attribute.labels[actor_process_file_accessor_account_uid] |
If the actor.process.file.accessor.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_account_uid and actor.process.file.accessor.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.credential_uid |
about.user.attribute.labels[actor_process_file_accessor_credential_uid] |
If the actor.process.file.accessor.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_credential_uid and actor.process.file.accessor.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.domain |
about.user.attribute.labels[actor_process_file_accessor_domain] |
If the actor.process.file.accessor.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_domain and actor.process.file.accessor.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.email_addr |
about.user.email_addresses |
If the actor.process.file.accessor.email_addr log field value is not empty then, actor.process.file.accessor.email_addr log field is mapped to the about.user.email_addresses UDM field. |
actor.process.file.accessor.full_name |
about.user.user_display_name |
If the actor.process.file.accessor.full_name log field value is not empty then, actor.process.file.accessor.full_name log field is mapped to the about.user.user_display_name UDM field. |
actor.process.file.accessor.groups.desc |
about.user.attribute.labels[actor_process_file_accessor_groups_%{index}_desc] |
Iterate through log field actor.process.file.accessor.groups, thenif the actor.process.file.accessor.groups.desc log field value is not empty then, actor_process_file_accessor_groups_%{index}_desc log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.file.accessor.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.groups.domain |
about.user.attribute.labels[actor_process_file_accessor_groups_%{index}_domain] |
Iterate through log field actor.process.file.accessor.groups, thenif the actor.process.file.accessor.groups.domain log field value is not equal to then, actor_process_file_accessor_groups_%{index}_domain log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.file.accessor.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.groups.name |
about.user.group_identifiers |
Iterate through log field actor.process.file.accessor.groups, thenif the actor.proces.file.accessor.groups.name log field value is not empty then, actor.process.file.accessor.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
actor.process.file.accessor.groups.privileges |
about.user.attribute.labels[actor_process_file_accessor_groups_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.file.accessor.groups, theniterate through log field actor.process.file.accessor.groups.privileges, thenif the actor.proces.file.accessor.groups.privileges log field value is not empty then, actor_process_file_accessor_groups_%{index}_privileges_%{index1} log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.file.accessor.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.groups.type |
about.user.attribute.labels[actor_process_file_accessor_groups_%{index}_type] |
Iterate through log field actor.process.file.accessor.groups, thenif the actor.process.file.accessor.groups.type log field value is not empty then, actor_process_file_accessor_groups_%{index}_type log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.file.accessor.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.groups.uid |
about.user.attribute.labels[actor_process_file_accessor_groups_%{index}_uid] |
Iterate through log field actor.process.file.accessor.groups, thenif the actor.process.file.accessor.groups.uid log field value is not empty then, actor_process_file_accessor_groups_%{index}_uid log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.file.accessor.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.cost_center |
about.user.attribute.labels[actor_process_file_accessor_ldap_person_cost_center] |
If the actor.process.file.accessor.ldap_person.cost_center log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_cost_center and actor.process.file.accessor.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.created_time |
about.user.attribute.creation_time |
If the actor.process.file.accessor.ldap_person.created_time log field value is not empty then, actor.process.file.accessor.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
actor.process.file.accessor.ldap_person.deleted_time |
about.user.attribute.labels[actor_process_file_accessor_ldap_person_deleted_time] |
If the actor.process.file.accessor.ldap_person.deleted_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_deleted_time and actor.process.file.accessor.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field actor.process.file.accessor.ldap_person.email_addrs, thenif the actor.process.file.accessor.ldap_person.email_addrs log field value is not empty then, actor.process.file.accessor.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
actor.process.file.accessor.ldap_person.employee_uid |
about.user.employee_id |
If the actor.process.file.accessor.ldap_person.employee_id log field value is not empty then, actor.process.file.accessor.ldap_person.employee_id log field is mapped to the about.user.employee_id UDM field. |
actor.process.file.accessor.ldap_person.given_name |
about.user.first_name |
If the actor.process.file.accessor.ldap_person.given_name log field value is not empty then, actor.process.file.accessor.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
actor.process.file.accessor.ldap_person.hire_time |
about.user.hire_date |
If the actor.process.file.accessor.ldap_person.hire_time log field value is not empty then, actor.process.file.accessor.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
actor.process.file.accessor.ldap_person.job_title |
about.user.title |
If the actor.process.file.accessor.ldap_person.job_title log field value is not empty then, actor.process.file.accessor.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
actor.process.file.accessor.ldap_person.labels |
about.user.attribute.labels[actor_process_file_accessor_ldap_person_label_{index}] |
Iterate through log field actor.process.file.accessor.ldap_person.labels, thenif the actor.proces.file.accessor.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_labels_{index} and actor.process.file.accessor.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.last_login_time |
about.user.last_login_time |
If the actor.process.file.accessor.ldap_person.last_login_time log field value is not empty then, actor.process.file.accessor.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
actor.process.file.accessor.ldap_person.ldap_cn |
about.user.attribute.labels[actor_process_file_accessor_ldap_person_ldap_cn] |
If the actor.process.file.accessor.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_ldap_cn and actor.process.file.accessor.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.ldap_dn |
about.user.attribute.labels[actor_process_file_accessor_ldap_person_ldap_dn] |
If the actor.process.file.accessor.ldap_person.ldap_dn log field value is not equal to then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_ldap_dn and actor.process.file.accessor.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.leave_time |
about.user.termination_date |
If the actor.process.file.accessor.ldap_person.leave_time log field value is not empty then, actor.process.file.accessor.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
actor.process.file.accessor.ldap_person.modified_time |
about.user.attribute.last_update_time |
If the actor.process.file.accessor.ldap_person.modified_time log field value is not empty then, actor.process.file.accessor.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
actor.process.file.accessor.ldap_person.office_location |
about.user.office_address.name |
If the actor.process.file.accessor.ldap_person.office_location log field value is not empty then, actor.process.file.accessor.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
actor.process.file.accessor.ldap_person.surname |
about.user.last_name |
If the actor.process.file.accessor.ldap_person.surname log field value is not empty then, actor.process.file.accessor.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
actor.process.file.accessor.ldap_person.manager.account.name |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_account_name] |
If the actor.process.file.accessor.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_manager_account_name and actor.process.file.accessor.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manager.account.type |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_account_type] |
If the actor.process.file.accessor.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_manager_account_type and actor.process.file.accessor.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manager.account.type_id |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_account_type_id] |
If the actor.process.file.accessor.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_manager_account_type_id and actor.process.file.accessor.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manager.account.uid |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_account_uid] |
If the actor.process.file.accessor.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_manager_account_uid and actor.process.file.accessor.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manager.credential_uid |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_credential_uid] |
If the actor.process.file.accessor.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_manager_credential_uid and actor.process.file.accessor.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manager.domain |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_domain] |
If the actor.process.file.accessor.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_manager_domain and actor.process.file.accessor.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manager.email_addr |
about.user.managers.email_addresses |
If the actor.process.file.accessor.ldap_person.manager.email_addr log field value is not empty then, actor.process.file.accessor.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
actor.process.file.accessor.ldap_person.manager.full_name |
about.user.managers.user_display_name |
If the actor.process.file.accessor.ldap_person.manager.full_name log field value is not empty then, actor.process.file.accessor.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
actor.process.file.accessor.ldap_person.manger.groups.desc |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.process.file.accessor.ldap_person.manager.groups, thenif the actor.process.file.accessor.ldap_person.manager.groups.desc log field value is not empty then, actor_process_file_accessor_ldap_person_manager_group_%{index}_desc log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.accessor.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manger.groups.domain |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.process.file.accessor.ldap_person.manager.groups, thenif the actor.process.file.accessor.ldap_person.manager.groups.domain log field value is not empty then, actor_process_file_accessor_ldap_person_manager_group_%{index}_domain log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.accessor.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manger.groups.name |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.process.file.accessor.ldap_person.manager.groups, thenif the actor.process.file.accessor.ldap_person.manager.groups.name log field value is not empty then, actor_process_file_accessor_ldap_person_manager_group_%{index}_name log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.accessor.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manger.groups.privileges |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.file.accessor.ldap_person.manager.groups, theniterate through log field actor.process.file.accessor.ldap_person.manager.groups.privileges, thenif the actor.proces.file.accessor.ldap_person.manager.groups.privileges log field value is not empty then, actor_process_file_accessor_ldap_person_manager_group_%{index}_privileges_%{index1} log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.accessor.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manger.groups.type |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.process.file.accessor.ldap_person.manager.groups, thenif the actor.proces.file.accessor.ldap_person.manager.groups.type log field value is not empty then, actor_process_file_accessor_ldap_person_manager_group_%{index}_type log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.accessor.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manger.groups.uid |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.process.file.accessor.ldap_person.manager.groups, thenif the actor.proces.file.accessor.ldap_person.manager.groups.uid log field value is not empty then, actor_process_file_accessor_ldap_person_manager_group_%{index}_uid log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.accessor.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manager.name |
about.user.managers.userid |
If the actor.process.file.accessor.ldap_person.manager.name log field value is not empty then, actor.process.file.accessor.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
actor.process.file.accessor.ldap_person.manager.type |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_type] |
If the actor.process.file.accessor.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_manager_type and actor.process.file.accessor.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
If the actor.process.file.accessor.ldap_person.manager.type_id log field value is equal to 1 then, the about.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.process.file.accessor.ldap_person.manager.type_id log field value is equal to 2 then, the about.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.file.accessor.ldap_person.manager.type_id log field value is equal to 3 then, the about.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.process.file.accessor.ldap_person.manager.type_id log field value is equal to 0 then, the about.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the about.user.managers.attribute.roles.name UDM field is set to Other. |
actor.process.file.accessor.ldap_person.manager.uid |
about.user.managers.product_object_id |
If the actor.process.file.accessor.ldap_person.manager.uid log field value is not empty then, actor.process.file.accessor.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
actor.process.file.accessor.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_uid_alt] |
If the actor.process.file.accessor.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_manager_uid_alt and actor.process.file.accessor.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manager.org.name |
about.user.managers.company_name |
If the actor.process.file.accessor.ldap_person.manager.org.name log field value is not empty then, actor.process.file.accessor.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
actor.process.file.accessor.ldap_person.manager.org.ou_name |
about.user.managers.department |
If the actor.process.file.accessor.ldap_person.manager.org.ou_name log field value is not empty then, actor.process.file.accessor.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
actor.process.file.accessor.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_org_ou_uid] |
If the actor.process.file.accessor.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_manager_org_ou_uid and actor.process.file.accessor.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[actor_process_file_accessor_ldap_person_manager_org_uid] |
If the actor.process.file.accessor.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_manager_org_uid and actor.process.file.accessor.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.location.city |
about.user.personal_address.city |
If the actor.process.file.accessor.ldap_person.location.city log field value is not empty then, actor.process.file.accessor.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
actor.process.file.accessor.ldap_person.location.continent |
about.user.attribute.labels[actor_process_file_accessor_ldap_person_location_continent] |
If the actor.process.file.accessor.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_location_continent and actor.process.file.accessor.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.lattitude & longitude |
Iterate through log field actor.process.file.accessor.ldap_person.location.coordinates, thenif the index value is equal to 0 then, actor.process.file.accessor.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, actor.process.file.accessor.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.latitude UDM field. |
actor.process.file.accessor.ldap_person.location.country |
about.user.office_address.country_or_region |
If the actor.process.file.accessor.ldap_person.location.country log field value is not empty then, actor.process.file.accessor.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
actor.process.file.accessor.ldap_person.location.desc |
about.user.office_address.name |
If the actor.process.file.accessor.ldap_person.location.desc log field value is not empty then, actor.process.file.accessor.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
actor.process.file.accessor.ldap_person.location.is_on_premises |
about.user.attribute.labels[actor_process_file_accessor_ldap_person_location_is_on_premises] |
If the actor.process.file.accessor.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_location_is_on_premises and actor.process.file.accessor.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.location.isp |
about.user.attribute.labels[actor_process_file_accessor_ldap_person_location_isp] |
If the actor.process.file.accessor.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_location_isp and actor.process.file.accessor.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.location.postal_code |
about.user.attribute.labels[actor_process_file_accessor_ldap_person_location_postal_code] |
If the actor.process.file.accessor.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_location_postal_code and actor.process.file.accessor.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.location.provider |
about.user.attribute.labels[actor_process_file_accessor_ldap_person_location_provider] |
If the actor.process.file.accessor.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_ldap_person_location_provider and actor.process.file.accessor.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.ldap_person.location.region |
about.user.office_address.state |
If the actor.process.file.accessor.ldap_person.location.region log field value is not empty then, actor.process.file.accessor.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
actor.process.file.accessor.name |
about.user.userid |
If the actor.proces.file.accessor.name log field value is not empty then, actor.process.file.accessor.name log field is mapped to the about.user.userid UDM field. |
actor.process.file.accessor.org.name |
about.user.company_name |
If the actor.proces.file.accessor.org.name log field value is not empty then, actor.process.file.accessor.org.name log field is mapped to the about.user.company_name UDM field. |
actor.process.file.accessor.org.ou_name |
about.user.department |
If the actor.proces.file.accessor.org.ou_name log field value is not empty then, actor.process.file.accessor.org.ou_name log field is mapped to the about.user.department UDM field. |
actor.process.file.accessor.org.ou_uid |
about.user.attribute.labels[actor_process_file_accessor_org_ou_uid] |
If the actor.process.file.accessor.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_org_ou_uid and actor.process.file.accessor.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.org.uid |
about.user.attribute.labels[actor_process_file_accessor_org_uid] |
If the actor.process.file.accessor.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_org_uid and actor.process.file.accessor.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.type |
about.user.attribute.labels[actor_process_file_accessor_type] |
If the actor.process.file.accessor.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_type and actor.process.file.accessor.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.type_id |
about.user.attribute.labels[actor_process_file_accessor_type_id] |
If the actor.process.file.accessor.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_type_id and actor.process.file.accessor.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.accessor.uid |
about.user.product_object_id |
If the actor.process.file.accessor.uid log field value is not empty then, actor.process.file.accessor.uid log field is mapped to the about.user.product_object_id UDM field. |
actor.process.file.accessor.uid_alt |
about.user.attribute.labels[actor_process_file_accessor_uid_alt] |
If the actor.process.file.accessor.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_accessor_uid_alt and actor.process.file.accessor.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.attributes |
additional.fields[actor_process_file_attributes] |
If the actor.process.file.attributes log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_attributes and actor.process.file.attributes log field is mapped to the additional.fields UDM field. |
actor.process.file.company_name |
additional.fields[actor_process_file_company_name] |
If the actor.process.file.company_name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_company_name and actor.process.file.company_name log field is mapped to the additional.fields UDM field. |
actor.process.file.confidentiality |
additional.fields[actor_process_file_confidentiality] |
If the actor.process.file.confidentiality log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_confidentiality and actor.process.file.confidentiality log field is mapped to the additional.fields UDM field. |
actor.process.file.confidentiality_id |
additional.fields[actor_process_file_confidentiality_id] |
If the actor.process.file.confidentiality_id log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_confidentiality_id and actor.process.file.confidentiality_id log field is mapped to the additional.fields UDM field. |
actor.process.file.created_time |
principal.process.file.first_seen_time |
If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
actor.process.file.creator.account.name |
about.user.attribute.labels[actor_process_file_creator_account_name] |
If the actor.process.file.creator.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_account_name and actor.process.file.creator.account.name log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.account.type |
about.user.attribute.labels[actor_process_file_creator_account_type] |
If the actor.process.file.creator.account.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_account_type and actor.process.file.creator.account.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.account.type_id |
about.user.attribute.labels[actor_process_file_creator_account_type_id] |
If the actor.process.file.creator.account.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_account_type_id and actor.process.file.creator.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.account.uid |
about.user.attribute.labels[actor_process_file_creator_account_uid] |
If the actor.process.file.creator.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_account_uid and actor.process.file.creator.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.credential_uid |
about.user.attribute.labels[actor_process_file_creator_credential_uid] |
If the actor.process.file.creator.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_credential_uid and actor.process.file.creator.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.domain |
about.user.attribute.labels[actor_process_file_creator_domain] |
If the actor.process.file.creator.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_domain and actor.process.file.creator.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.email_addr |
about.user.email_addresses |
If the actor.process.file.creator.email_addr log field value is not empty then, actor.process.file.creator.email_addr log field is mapped to the about.user.email_addresses UDM field. |
actor.process.file.creator.full_name |
about.user.user_display_name |
If the actor.process.file.creator.full_name log field value is not empty then, actor.process.file.creator.full_name log field is mapped to the about.user.user_display_name UDM field. |
actor.process.file.creator.groups.desc |
about.user.attribute.labels[actor_process_file_creator_groups_%{index}_desc] |
Iterate through log field actor.process.file.creator.groups, then, if the actor.process.file.creator.groups.desc log field value is not empty then, actor_process_file_creator_groups_%{index}_desc log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.file.creator.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.groups.domain |
about.user.attribute.labels[actor_process_file_creator_groups_%{index}_domain] |
Iterate through log field actor.process.file.creator.groups, then, if the actor.process.file.creator.groups.domain log field value is not equal to then, actor_process_file_creator_groups_%{index}_domain log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.file.creator.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.groups.name |
about.user.group_identifiers |
Iterate through log field actor.process.file.creator.groups, then, if the actor.process.file.creator.groups.name log field value is not empty then, actor.process.file.creator.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
actor.process.file.creator.groups.privileges |
about.user.attribute.labels[actor_process_file_creator_groups_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.file.creator.groups, then iterate through log field actor.process.file.creator.groups.privileges, then, if the actor.process.file.creator.groups.privileges log field value is not empty then, actor_process_file_creator_groups_%{index}_privileges_%{index1} log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.file.creator.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.groups.type |
about.user.attribute.labels[actor_process_file_creator_groups_%{index}_type] |
Iterate through log field actor.process.file.creator.groups, then, if the actor.process.file.creator.groups.type log field value is not empty then, actor_process_file_creator_groups_%{index}_type log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.file.creator.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.groups.uid |
about.user.attribute.labels[actor_process_file_creator_groups_%{index}_uid] |
Iterate through log field actor.process.file.creator.groups, then, if the actor.process.file.creator.groups.uid log field value is not empty then, actor_process_file_creator_groups_%{index}_uid log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.file.creator.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.cost_center |
about.user.attribute.labels[actor_process_file_creator_ldap_person_cost_center] |
If the actor.process.file.creator.ldap_person.cost_center log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_cost_center and actor.process.file.creator.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.created_time |
about.user.attribute.creation_time |
If the actor.process.file.creator.ldap_person.created_time log field value is not empty then, actor.process.file.creator.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
actor.process.file.creator.ldap_person.deleted_time |
about.user.attribute.labels[actor_process_file_creator_ldap_person_deleted_time] |
If the actor.process.file.creator.ldap_person.deleted_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_deleted_time and actor.process.file.creator.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field actor.process.file.creator.ldap_person.email_addrs, then, if the actor.process.file.creator.ldap_person.email_addrs log field value is not empty then, actor.process.file.creator.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
actor.process.file.creator.ldap_person.employee_uid |
about.user.employee_id |
If the actor.process.file.creator.ldap_person.employee_uid log field value is not empty then, actor.process.file.creator.ldap_person.employee_uid log field is mapped to the about.user.employee_id UDM field. |
actor.process.file.creator.ldap_person.given_name |
about.user.first_name |
If the actor.process.file.creator.ldap_person.given_name log field value is not empty then, actor.process.file.creator.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
actor.process.file.creator.ldap_person.hire_time |
about.user.hire_date |
If the actor.process.file.creator.ldap_person.hire_time log field value is not empty then, actor.process.file.creator.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
actor.process.file.creator.ldap_person.job_title |
about.user.title |
If the actor.process.file.creator.ldap_person.job_title log field value is not empty then, actor.process.file.creator.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
actor.process.file.creator.ldap_person.labels |
about.user.attribute.labels[actor_process_file_creator_ldap_person_label_{index}] |
Iterate through log field actor.process.file.creator.ldap_person.labels, then, if the actor.process.file.creator.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_labels_{index} and actor.process.file.creator.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.last_login_time |
about.user.last_login_time |
If the actor.process.file.creator.ldap_person.last_login_time log field value is not empty then, actor.process.file.creator.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
actor.process.file.creator.ldap_person.ldap_cn |
about.user.attribute.labels[actor_process_file_creator_ldap_person_ldap_cn] |
If the actor.process.file.creator.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_ldap_cn and actor.process.file.creator.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.ldap_dn |
about.user.attribute.labels[actor_process_file_creator_ldap_person_ldap_dn] |
If the actor.process.file.creator.ldap_person.ldap_dn log field value is not equal to then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_ldap_dn and actor.process.file.creator.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.leave_time |
about.user.termination_date |
If the actor.process.file.creator.ldap_person.leave_time log field value is not empty then, actor.process.file.creator.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
actor.process.file.creator.ldap_person.modified_time |
about.user.attribute.last_update_time |
If the actor.process.file.creator.ldap_person.modified_time log field value is not empty then, actor.process.file.creator.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
actor.process.file.creator.ldap_person.office_location |
about.user.office_address.name |
If the actor.process.file.creator.ldap_person.office_location log field value is not empty then, actor.process.file.creator.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
actor.process.file.creator.ldap_person.surname |
about.user.last_name |
If the actor.process.file.creator.ldap_person.surname log field value is not empty then, actor.process.file.creator.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
actor.process.file.creator.ldap_person.manager.account.name |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_account_name] |
If the actor.process.file.creator.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_manager_account_name and actor.process.file.creator.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.account.type |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_account_type] |
If the actor.process.file.creator.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_manager_account_type and actor.process.file.creator.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.account.type_id |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_account_type_id] |
If the actor.process.file.creator.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_manager_account_type_id and actor.process.file.creator.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.account.uid |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_account_uid] |
If the actor.process.file.creator.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_manager_account_uid and actor.process.file.creator.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.credential_uid |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_credential_uid] |
If the actor.process.file.creator.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_manager_credential_uid and actor.process.file.creator.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.domain |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_domain] |
If the actor.process.file.creator.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_manager_domain and actor.process.file.creator.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.email_addr |
about.user.managers.email_addresses |
If the actor.process.file.creator.ldap_person.manager.email_addr log field value is not empty then, actor.process.file.creator.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
actor.process.file.creator.ldap_person.manager.full_name |
about.user.managers.user_display_name |
If the actor.process.file.creator.ldap_person.manager.full_name log field value is not empty then, actor.process.file.creator.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
actor.process.file.creator.ldap_person.manager.groups.desc |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.process.file.creator.ldap_person.manager.groups, then, if the actor.process.file.creator.ldap_person.manager.groups.desc log field value is not empty then, actor_process_file_creator_ldap_person_manager_group_%{index}_desc log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.creator.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.groups.domain |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.process.file.creator.ldap_person.manager.groups, then, if the actor.process.file.creator.ldap_person.manager.groups.domain log field value is not empty then, actor_process_file_creator_ldap_person_manager_group_%{index}_domain log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.creator.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.groups.name |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.process.file.creator.ldap_person.manager.groups, then, if the actor.process.file.creator.ldap_person.manager.groups.name log field value is not empty then, actor_process_file_creator_ldap_person_manager_group_%{index}_name log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.creator.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.groups.privileges |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.file.creator.ldap_person.manager.groups, then iterate through log field actor.process.file.creator.ldap_person.manager.groups.privileges, then, if the actor.process.file.creator.ldap_person.manager.groups.privileges log field value is not empty then, actor_process_file_creator_ldap_person_manager_group_%{index}_privileges_%{index1} log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.creator.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.groups.type |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.process.file.creator.ldap_person.manager.groups, then, if the actor.process.file.creator.ldap_person.manager.groups.type log field value is not empty then, actor_process_file_creator_ldap_person_manager_group_%{index}_type log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.creator.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.groups.uid |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.process.file.creator.ldap_person.manager.groups, then, if the actor.process.file.creator.ldap_person.manager.groups.uid log field value is not empty then, actor_process_file_creator_ldap_person_manager_group_%{index}_uid log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.file.creator.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.name |
about.user.managers.userid |
If the actor.process.file.creator.ldap_person.manager.name log field value is not empty then, actor.process.file.creator.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
actor.process.file.creator.ldap_person.manager.type |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_type] |
If the actor.process.file.creator.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_manager_type and actor.process.file.creator.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
If the actor.process.file.creator.ldap_person.manager.type_id log field value is equal to 1 then, the about.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.process.file.creator.ldap_person.manager.type_id log field value is equal to 2 then, the about.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.file.creator.ldap_person.manager.type_id log field value is equal to 3 then, the about.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.process.file.creator.ldap_person.manager.type_id log field value is equal to 0 then, the about.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the about.user.managers.attribute.roles.name UDM field is set to Other. |
actor.process.file.creator.ldap_person.manager.uid |
about.user.managers.product_object_id |
If the actor.process.file.creator.ldap_person.manager.uid log field value is not empty then, actor.process.file.creator.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
actor.process.file.creator.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_uid_alt] |
If the actor.process.file.creator.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_manager_uid_alt and actor.process.file.creator.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.org.name |
about.user.managers.company_name |
If the actor.process.file.creator.ldap_person.manager.org.name log field value is not empty then, actor.process.file.creator.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
actor.process.file.creator.ldap_person.manager.org.ou_name |
about.user.managers.department |
If the actor.process.file.creator.ldap_person.manager.org.ou_name log field value is not empty then, actor.process.file.creator.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
actor.process.file.creator.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_org_ou_uid] |
If the actor.process.file.creator.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_manager_org_ou_uid and actor.process.file.creator.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[actor_process_file_creator_ldap_person_manager_org_uid] |
If the actor.process.file.creator.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_manager_org_uid and actor.process.file.creator.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.location.city |
about.user.personal_address.city |
If the actor.process.file.creator.ldap_person.location.city log field value is not empty then, actor.process.file.creator.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
actor.process.file.creator.ldap_person.location.continent |
about.user.attribute.labels[actor_process_file_creator_ldap_person_location_continent] |
If the actor.process.file.creator.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_location_continent and actor.process.file.creator.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.latitude & longitude |
Iterate through log field actor.process.file.creator.ldap_person.location.coordinates, then, if the index value is equal to 0 then, actor.process.file.creator.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, actor.process.file.creator.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.latitude UDM field. |
actor.process.file.creator.ldap_person.location.country |
about.user.office_address.country_or_region |
If the actor.process.file.creator.ldap_person.location.country log field value is not empty then, actor.process.file.creator.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
actor.process.file.creator.ldap_person.location.desc |
about.user.office_address.name |
If the actor.process.file.creator.ldap_person.location.desc log field value is not empty then, actor.process.file.creator.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
actor.process.file.creator.ldap_person.location.is_on_premises |
about.user.attribute.labels[actor_process_file_creator_ldap_person_location_is_on_premises] |
If the actor.process.file.creator.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_location_is_on_premises and actor.process.file.creator.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.location.isp |
about.user.attribute.labels[actor_process_file_creator_ldap_person_location_isp] |
If the actor.process.file.creator.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_location_isp and actor.process.file.creator.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.location.postal_code |
about.user.attribute.labels[actor_process_file_creator_ldap_person_location_postal_code] |
If the actor.process.file.creator.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_location_postal_code and actor.process.file.creator.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.location.provider |
about.user.attribute.labels[actor_process_file_creator_ldap_person_location_provider] |
If the actor.process.file.creator.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_ldap_person_location_provider and actor.process.file.creator.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.ldap_person.location.region |
about.user.office_address.state |
If the actor.process.file.creator.ldap_person.location.region log field value is not empty then, actor.process.file.creator.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
actor.process.file.creator.name |
about.user.userid |
If the actor.process.file.creator.name log field value is not empty then, actor.process.file.creator.name log field is mapped to the about.user.userid UDM field. |
actor.process.file.creator.org.name |
about.user.company_name |
If the actor.process.file.creator.org.name log field value is not empty then, actor.process.file.creator.org.name log field is mapped to the about.user.company_name UDM field. |
actor.process.file.creator.org.ou_name |
about.user.department |
If the actor.process.file.creator.org.ou_name log field value is not empty then, actor.process.file.creator.org.ou_name log field is mapped to the about.user.department UDM field. |
actor.process.file.creator.org.ou_uid |
about.user.attribute.labels[actor_process_file_creator_org_ou_uid] |
If the actor.process.file.creator.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_org_ou_uid and actor.process.file.creator.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.org.uid |
about.user.attribute.labels[actor_process_file_creator_org_uid] |
If the actor.process.file.creator.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_org_uid and actor.process.file.creator.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.type |
about.user.attribute.labels[actor_process_file_creator_type] |
If the actor.process.file.creator.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_type and actor.process.file.creator.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.type_id |
about.user.attribute.labels[actor_process_file_creator_type_id] |
If the actor.process.file.creator.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_type_id and actor.process.file.creator.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.creator.uid |
about.user.product_object_id |
If the actor.process.file.creator.uid log field value is not empty then, actor.process.file.creator.uid log field is mapped to the about.user.product_object_id UDM field. |
actor.process.file.creator.uid_alt |
about.user.attribute.labels[actor_process_file_creator_uid_alt] |
If the actor.process.file.creator.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_creator_uid_alt and actor.process.file.creator.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.desc |
additional.fields[actor_process_file_desc] |
If the actor.process.file.desc log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_desc and actor.process.file.desc log field is mapped to the additional.fields UDM field. |
actor.process.file.hashes.algorithm |
additional.fields[actor_process_file_hash_algorithm_{index}_value] |
Iterate through log field actor.process.file.hashes, then, if the actor.process.file.hashes.algorithm log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_hashes_{index}_algorithm and actor.process.file.hashes.algorithm log field is mapped to the additional.fields UDM field. |
actor.process.file.hashes.value |
principal.process.file.md5 |
Iterate through log field actor.process.file.hashes, then, if the index value is equal to 0 and if the actor.process.file.hashes.algorithm_id log field value is not empty and if the actor.process.file.hashes.algorithm_id log field value is equal to 1 then, actor.process.file.hashes.value log field is mapped to the principal.process.file.md5 UDM field. Else, if actor.process.file.hashes.algorithm_id log field value is equal to 2 then, actor.process.file.hashes.value log field is mapped to the principal.process.file.sha1 UDM field. Else, if actor.process.file.hashes.algorithm_id log field value is equal to 3 then, actor.process.file.hashes.value log field is mapped to the principal.process.file.sha256 UDM field. Else, the additional.fields.key UDM field is set to actor_process_file_hash_{index}value and actor.process.file.hashes.value log field is mapped to the additional.fields UDM field. Else, the additional.fields.key UDM field is set to actor_process_file_hash{index}_value and actor.process.file.hashes.value log field is mapped to the additional.fields UDM field. |
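The three conditional rules above (manager.type_id to roles.name, the coordinates index rule, and the hashes rule) as an added Python example; this is not the OCSF parser's code or Google SecOps code. The UDM output shape (nested dicts, additional.fields as key/value pairs), the additional.fields key spelling actor_process_file_hash_{index}_value, and the sample event are assumptions made for the example.

```python
"""Added example: a minimal OCSF-to-UDM mapper for three rules in this table."""

# Constructed sample event, not a real log. The hash values are placeholders.
SAMPLE_EVENT = {
    "actor": {"process": {"file": {
        "hashes": [
            {"algorithm": "SHA-256", "algorithm_id": 3, "value": "c" * 64},
            {"algorithm": "MD5", "algorithm_id": 1, "value": "d" * 32},
        ],
        "creator": {"ldap_person": {
            "manager": {"type_id": 2},
            "location": {"coordinates": [-73.983, 40.719]},
        }},
    }}},
}


def manager_role_name(type_id):
    """manager.type_id -> about.user.managers.attribute.roles.name.
    1 -> User, 2 -> Admin, 3 -> System, 0 -> Unknown, anything else -> Other."""
    return {1: "User", 2: "Admin", 3: "System", 0: "Unknown"}.get(type_id, "Other")


def map_coordinates(coordinates):
    """location.coordinates: index 0 is longitude, every later index latitude
    (so with more than two values the last one wins, as the rule is written)."""
    out = {}
    for index, value in enumerate(coordinates):
        out["longitude" if index == 0 else "latitude"] = value
    return out


def map_file_hashes(hashes):
    """actor.process.file.hashes -> principal.process.file.{md5,sha1,sha256}.

    Only the hash at index 0 can land in a typed hash field, and only when its
    algorithm_id is 1, 2 or 3; every other hash goes to additional.fields.
    Detection content keyed on file.sha256 therefore depends on the producer
    putting the SHA-256 first in the array.
    """
    typed = {1: "md5", 2: "sha1", 3: "sha256"}
    file_udm = {}
    additional = []
    for index, entry in enumerate(hashes):
        if entry.get("algorithm"):
            additional.append({"key": f"actor_process_file_hashes_{index}_algorithm",
                               "value": entry["algorithm"]})
        value = entry.get("value")
        if value in (None, ""):        # assumption: empty values are not emitted
            continue
        target = None
        if index == 0 and entry.get("algorithm_id") not in (None, ""):
            target = typed.get(entry["algorithm_id"])
        if target:
            file_udm[target] = value
        else:
            # assumed key spelling; the table prints the underscores inconsistently
            additional.append({"key": f"actor_process_file_hash_{index}_value",
                               "value": value})
    return file_udm, additional


def map_event(event):
    """Assemble the UDM fragments produced by the three rules for one event."""
    file_obj = event.get("actor", {}).get("process", {}).get("file", {})
    person = file_obj.get("creator", {}).get("ldap_person", {})
    file_udm, additional = map_file_hashes(file_obj.get("hashes", []))
    user = {}
    if "manager" in person:            # assumption: no manager object, no role
        user["managers"] = {"attribute": {"roles": [
            {"name": manager_role_name(person["manager"].get("type_id"))}]}}
    coords = person.get("location", {}).get("coordinates", [])
    if coords:
        user["office_address"] = {"region_coordinates": map_coordinates(coords)}
    return {
        "principal": {"process": {"file": file_udm}},
        "about": {"user": user},
        "additional": {"fields": additional},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(map_event(SAMPLE_EVENT), indent=2))
```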
actor.process.file.is_system |
additional.fields[actor_process_file_is_system] |
If the actor.process.file.is_system log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_is_system and actor.process.file.is_system log field is mapped to the additional.fields UDM field. |
actor.process.file.mime_type |
principal.process.file.mime_type |
If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
actor.process.file.modified_time |
principal.process.file.last_modification_time |
If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
actor.process.file.modifier.account.name |
about.user.attribute.labels[actor_process_file_modifier_account_name] |
If the actor.process.file.modifier.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_account_name and actor.process.file.modifier.account.name log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.account.type |
about.user.attribute.labels[actor_process_file_modifier_account_type] |
If the actor.process.file.modifier.account.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_account_type and actor.process.file.modifier.account.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.account.type_id |
about.user.attribute.labels[actor_process_file_modifier_account_type_id] |
If the actor.process.file.modifier.account.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_account_type_id and actor.process.file.modifier.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.account.uid |
about.user.attribute.labels[actor_process_file_modifier_account_uid] |
If the actor.process.file.modifier.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_account_uid and actor.process.file.modifier.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.credential_uid |
about.user.attribute.labels[actor_process_file_modifier_credential_uid] |
If the actor.process.file.modifier.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_credential_uid and actor.process.file.modifier.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.domain |
about.user.attribute.labels[actor_process_file_modifier_domain] |
If the actor.process.file.modifier.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_domain and actor.process.file.modifier.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.email_addr |
about.user.email_addresses |
If the actor.process.file.modifier.email_addr log field value is not empty then, actor.process.file.modifier.email_addr log field is mapped to the about.user.email_addresses UDM field. |
actor.process.file.modifier.full_name |
about.user.user_display_name |
If the actor.process.file.modifier.full_name log field value is not empty then, actor.process.file.modifier.full_name log field is mapped to the about.user.user_display_name UDM field. |
actor.process.file.modifier.groups.desc |
about.user.attribute.labels[actor_process_file_modifier_groups_%{index}_desc] |
Iterate through log field actor.process.file.modifier.groups, then if the actor.process.file.modifier.groups.desc log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_groups_%{index}_desc and the actor.process.file.modifier.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.groups.domain |
about.user.attribute.labels[actor_process_file_modifier_groups_%{index}_domain] |
Iterate through log field actor.process.file.modifier.groups, then if the actor.process.file.modifier.groups.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_groups_%{index}_domain and the actor.process.file.modifier.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.groups.name |
about.user.group_identifiers |
Iterate through log field actor.process.file.modifier.groups, then if the actor.process.file.modifier.groups.name log field value is not empty then, the actor.process.file.modifier.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
actor.process.file.modifier.groups.privileges |
about.user.attribute.labels[actor_process_file_modifier_groups_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.file.modifier.groups, then iterate through log field actor.process.file.modifier.groups.privileges, then if the actor.process.file.modifier.groups.privileges log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_groups_%{index}_privileges_%{index1} and the actor.process.file.modifier.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.groups.type |
about.user.attribute.labels[actor_process_file_modifier_groups_%{index}_type] |
Iterate through log field actor.process.file.modifier.groups, then if the actor.process.file.modifier.groups.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_groups_%{index}_type and the actor.process.file.modifier.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.groups.uid |
about.user.attribute.labels[actor_process_file_modifier_groups_%{index}_uid] |
Iterate through log field actor.process.file.modifier.groups, then if the actor.process.file.modifier.groups.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_groups_%{index}_uid and the actor.process.file.modifier.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.cost_center |
about.user.attribute.labels[actor_process_file_modifier_ldap_person_cost_center] |
If the actor.process.file.modifier.ldap_person.cost_center log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_cost_center and actor.process.file.modifier.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.created_time |
about.user.attribute.creation_time |
If the actor.process.file.modifier.ldap_person.created_time log field value is not empty then, actor.process.file.modifier.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
actor.process.file.modifier.ldap_person.deleted_time |
about.user.attribute.labels[actor_process_file_modifier_ldap_person_deleted_time] |
If the actor.process.file.modifier.ldap_person.deleted_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_deleted_time and actor.process.file.modifier.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field actor.process.file.modifier.ldap_person.email_addrs, then if the actor.process.file.modifier.ldap_person.email_addrs log field value is not empty then, the actor.process.file.modifier.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
actor.process.file.modifier.ldap_person.employee_uid |
about.user.employee_id |
If the actor.process.file.modifier.ldap_person.employee_uid log field value is not empty then, the actor.process.file.modifier.ldap_person.employee_uid log field is mapped to the about.user.employee_id UDM field. |
actor.process.file.modifier.ldap_person.given_name |
about.user.first_name |
If the actor.process.file.modifier.ldap_person.given_name log field value is not empty then, actor.process.file.modifier.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
actor.process.file.modifier.ldap_person.hire_time |
about.user.hire_date |
If the actor.process.file.modifier.ldap_person.hire_time log field value is not empty then, actor.process.file.modifier.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
actor.process.file.modifier.ldap_person.job_title |
about.user.title |
If the actor.process.file.modifier.ldap_person.job_title log field value is not empty then, actor.process.file.modifier.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
actor.process.file.modifier.ldap_person.labels |
about.user.attribute.labels[actor_process_file_modifier_ldap_person_label_{index}] |
Iterate through log field actor.process.file.modifier.ldap_person.labels, then if the actor.process.file.modifier.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_labels_{index} and the actor.process.file.modifier.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.last_login_time |
about.user.last_login_time |
If the actor.process.file.modifier.ldap_person.last_login_time log field value is not empty then, actor.process.file.modifier.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
actor.process.file.modifier.ldap_person.ldap_cn |
about.user.attribute.labels[actor_process_file_modifier_ldap_person_ldap_cn] |
If the actor.process.file.modifier.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_ldap_cn and actor.process.file.modifier.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.ldap_dn |
about.user.attribute.labels[actor_process_file_modifier_ldap_person_ldap_dn] |
If the actor.process.file.modifier.ldap_person.ldap_dn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_ldap_dn and the actor.process.file.modifier.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.leave_time |
about.user.termination_date |
If the actor.process.file.modifier.ldap_person.leave_time log field value is not empty then, actor.process.file.modifier.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
actor.process.file.modifier.ldap_person.modified_time |
about.user.attribute.last_update_time |
If the actor.process.file.modifier.ldap_person.modified_time log field value is not empty then, actor.process.file.modifier.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
actor.process.file.modifier.ldap_person.office_location |
about.user.office_address.name |
If the actor.process.file.modifier.ldap_person.office_location log field value is not empty then, actor.process.file.modifier.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
actor.process.file.modifier.ldap_person.surname |
about.user.last_name |
If the actor.process.file.modifier.ldap_person.surname log field value is not empty then, actor.process.file.modifier.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
actor.process.file.modifier.ldap_person.manager.account.name |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_account_name] |
If the actor.process.file.modifier.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_account_name and actor.process.file.modifier.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.account.type |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_account_type] |
If the actor.process.file.modifier.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_account_type and actor.process.file.modifier.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.account.type_id |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_account_type_id] |
If the actor.process.file.modifier.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_account_type_id and actor.process.file.modifier.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.account.uid |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_account_uid] |
If the actor.process.file.modifier.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_account_uid and actor.process.file.modifier.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.credential_uid |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_credential_uid] |
If the actor.process.file.modifier.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_credential_uid and actor.process.file.modifier.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.domain |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_domain] |
If the actor.process.file.modifier.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_domain and actor.process.file.modifier.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.email_addr |
about.user.managers.email_addresses |
If the actor.process.file.modifier.ldap_person.manager.email_addr log field value is not empty then, actor.process.file.modifier.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
actor.process.file.modifier.ldap_person.manager.full_name |
about.user.managers.user_display_name |
If the actor.process.file.modifier.ldap_person.manager.full_name log field value is not empty then, actor.process.file.modifier.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
actor.process.file.modifier.ldap_person.manager.groups.desc |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.process.file.modifier.ldap_person.manager.groups, then if the actor.process.file.modifier.ldap_person.manager.groups.desc log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_group_%{index}_desc and the actor.process.file.modifier.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.groups.domain |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.process.file.modifier.ldap_person.manager.groups, then if the actor.process.file.modifier.ldap_person.manager.groups.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_group_%{index}_domain and the actor.process.file.modifier.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.groups.name |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.process.file.modifier.ldap_person.manager.groups, then if the actor.process.file.modifier.ldap_person.manager.groups.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_group_%{index}_name and the actor.process.file.modifier.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.groups.privileges |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.file.modifier.ldap_person.manager.groups, then iterate through log field actor.process.file.modifier.ldap_person.manager.groups.privileges, then if the actor.process.file.modifier.ldap_person.manager.groups.privileges log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_group_%{index}_privileges_%{index1} and the actor.process.file.modifier.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.groups.type |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.process.file.modifier.ldap_person.manager.groups, then if the actor.process.file.modifier.ldap_person.manager.groups.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_group_%{index}_type and the actor.process.file.modifier.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.groups.uid |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.process.file.modifier.ldap_person.manager.groups, then if the actor.process.file.modifier.ldap_person.manager.groups.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_group_%{index}_uid and the actor.process.file.modifier.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.name |
about.user.managers.userid |
If the actor.process.file.modifier.ldap_person.manager.name log field value is not empty then, actor.process.file.modifier.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
actor.process.file.modifier.ldap_person.manager.type |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_type] |
If the actor.process.file.modifier.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_type and actor.process.file.modifier.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
If the actor.process.file.modifier.ldap_person.manager.type_id log field value is equal to 1 then, the about.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.process.file.modifier.ldap_person.manager.type_id log field value is equal to 2 then, the about.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.file.modifier.ldap_person.manager.type_id log field value is equal to 3 then, the about.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.process.file.modifier.ldap_person.manager.type_id log field value is equal to 0 then, the about.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the about.user.managers.attribute.roles.name UDM field is set to Other. |
actor.process.file.modifier.ldap_person.manager.uid |
about.user.managers.product_object_id |
If the actor.process.file.modifier.ldap_person.manager.uid log field value is not empty then, actor.process.file.modifier.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
actor.process.file.modifier.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_uid_alt] |
If the actor.process.file.modifier.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_uid_alt and actor.process.file.modifier.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.org.name |
about.user.managers.company_name |
If the actor.process.file.modifier.ldap_person.manager.org.name log field value is not empty then, actor.process.file.modifier.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
actor.process.file.modifier.ldap_person.manager.org.ou_name |
about.user.managers.department |
If the actor.process.file.modifier.ldap_person.manager.org.ou_name log field value is not empty then, actor.process.file.modifier.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
actor.process.file.modifier.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_org_ou_uid] |
If the actor.process.file.modifier.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_org_ou_uid and actor.process.file.modifier.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[actor_process_file_modifier_ldap_person_manager_org_uid] |
If the actor.process.file.modifier.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_manager_org_uid and actor.process.file.modifier.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.location.city |
about.user.personal_address.city |
If the actor.process.file.modifier.ldap_person.location.city log field value is not empty then, actor.process.file.modifier.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
actor.process.file.modifier.ldap_person.location.continent |
about.user.attribute.labels[actor_process_file_modifier_ldap_person_location_continent] |
If the actor.process.file.modifier.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_location_continent and actor.process.file.modifier.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.latitude & longitude |
Iterate through log field actor.process.file.modifier.ldap_person.location.coordinates, then if the index value is equal to 0 then, the actor.process.file.modifier.ldap_person.location.coordinates log field value is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, the actor.process.file.modifier.ldap_person.location.coordinates log field value is mapped to the about.user.office_address.region_coordinates.latitude UDM field. |
actor.process.file.modifier.ldap_person.location.country |
about.user.office_address.country_or_region |
If the actor.process.file.modifier.ldap_person.location.country log field value is not empty then, actor.process.file.modifier.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
actor.process.file.modifier.ldap_person.location.desc |
about.user.office_address.name |
If the actor.process.file.modifier.ldap_person.location.desc log field value is not empty then, actor.process.file.modifier.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
actor.process.file.modifier.ldap_person.location.is_on_premises |
about.user.attribute.labels[actor_process_file_modifier_ldap_person_location_is_on_premises] |
If the actor.process.file.modifier.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_location_is_on_premises and actor.process.file.modifier.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.location.isp |
about.user.attribute.labels[actor_process_file_modifier_ldap_person_location_isp] |
If the actor.process.file.modifier.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_location_isp and actor.process.file.modifier.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.location.postal_code |
about.user.attribute.labels[actor_process_file_modifier_ldap_person_location_postal_code] |
If the actor.process.file.modifier.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_location_postal_code and actor.process.file.modifier.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.location.provider |
about.user.attribute.labels[actor_process_file_modifier_ldap_person_location_provider] |
If the actor.process.file.modifier.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_ldap_person_location_provider and actor.process.file.modifier.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.ldap_person.location.region |
about.user.office_address.state |
If the actor.process.file.modifier.ldap_person.location.region log field value is not empty then, actor.process.file.modifier.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
actor.process.file.modifier.name |
about.user.userid |
If the actor.process.file.modifier.name log field value is not empty then, the actor.process.file.modifier.name log field is mapped to the about.user.userid UDM field. |
actor.process.file.modifier.org.name |
about.user.company_name |
If the actor.process.file.modifier.org.name log field value is not empty then, the actor.process.file.modifier.org.name log field is mapped to the about.user.company_name UDM field. |
actor.process.file.modifier.org.ou_name |
about.user.department |
If the actor.process.file.modifier.org.ou_name log field value is not empty then, the actor.process.file.modifier.org.ou_name log field is mapped to the about.user.department UDM field. |
actor.process.file.modifier.org.ou_uid |
about.user.attribute.labels[actor_process_file_modifier_org_ou_uid] |
If the actor.process.file.modifier.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_org_ou_uid and actor.process.file.modifier.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.org.uid |
about.user.attribute.labels[actor_process_file_modifier_org_uid] |
If the actor.process.file.modifier.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_org_uid and actor.process.file.modifier.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.type |
about.user.attribute.labels[actor_process_file_modifier_type] |
If the actor.process.file.modifier.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_type and actor.process.file.modifier.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.type_id |
about.user.attribute.labels[actor_process_file_modifier_type_id] |
If the actor.process.file.modifier.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_type_id and actor.process.file.modifier.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.modifier.uid |
about.user.product_object_id |
If the actor.process.file.modifier.uid log field value is not empty then, actor.process.file.modifier.uid log field is mapped to the about.user.product_object_id UDM field. |
actor.process.file.modifier.uid_alt |
about.user.attribute.labels[actor_process_file_modifier_uid_alt] |
If the actor.process.file.modifier.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_modifier_uid_alt and actor.process.file.modifier.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.name |
principal.process.file.names |
If the actor.process.file.name log field value is not empty then, the actor.process.file.name log field is mapped to the principal.process.file.names UDM field. |
actor.process.file.owner.account.name |
about.user.attribute.labels[actor_process_file_owner_account_name] |
If the actor.process.file.owner.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_account_name and actor.process.file.owner.account.name log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.account.type |
about.user.attribute.labels[actor_process_file_owner_account_type] |
If the actor.process.file.owner.account.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_account_type and actor.process.file.owner.account.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.account.type_id |
about.user.attribute.labels[actor_process_file_owner_account_type_id] |
If the actor.process.file.owner.account.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_account_type_id and actor.process.file.owner.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.account.uid |
about.user.attribute.labels[actor_process_file_owner_account_uid] |
If the actor.process.file.owner.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_account_uid and actor.process.file.owner.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.credential_uid |
about.user.attribute.labels[actor_process_file_owner_credential_uid] |
If the actor.process.file.owner.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_credential_uid and actor.process.file.owner.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.domain |
about.user.attribute.labels[actor_process_file_owner_domain] |
If the actor.process.file.owner.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_domain and actor.process.file.owner.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.email_addr |
about.user.email_addresses |
If the actor.process.file.owner.email_addr log field value is not empty then, actor.process.file.owner.email_addr log field is mapped to the about.user.email_addresses UDM field. |
actor.process.file.owner.full_name |
about.user.user_display_name |
If the actor.process.file.owner.full_name log field value is not empty then, actor.process.file.owner.full_name log field is mapped to the about.user.user_display_name UDM field. |
actor.process.file.owner.groups.desc |
about.user.attribute.labels[actor_process_file_owner_groups_%{index}_desc] |
Iterate through log field actor.process.file.owner.groups, then if the actor.process.file.owner.groups.desc log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_groups_%{index}_desc and actor.process.file.owner.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.groups.domain |
about.user.attribute.labels[actor_process_file_owner_groups_%{index}_domain] |
Iterate through log field actor.process.file.owner.groups, then if the actor.process.file.owner.groups.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_groups_%{index}_domain and actor.process.file.owner.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.groups.name |
about.user.group_identifiers |
Iterate through log field actor.process.file.owner.groups, then if the actor.process.file.owner.groups.name log field value is not empty then, actor.process.file.owner.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
actor.process.file.owner.groups.privileges |
about.user.attribute.labels[actor_process_file_owner_groups_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.file.owner.groups, then iterate through log field actor.process.file.owner.groups.privileges, then if the actor.process.file.owner.groups.privileges log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_groups_%{index}_privileges_%{index1} and actor.process.file.owner.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.groups.type |
about.user.attribute.labels[actor_process_file_owner_groups_%{index}_type] |
Iterate through log field actor.process.file.owner.groups, then if the actor.process.file.owner.groups.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_groups_%{index}_type and actor.process.file.owner.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.groups.uid |
about.user.attribute.labels[actor_process_file_owner_groups_%{index}_uid] |
Iterate through log field actor.process.file.owner.groups, then if the actor.process.file.owner.groups.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_groups_%{index}_uid and actor.process.file.owner.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.cost_center |
about.user.attribute.labels[actor_process_file_owner_ldap_person_cost_center] |
If the actor.process.file.owner.ldap_person.cost_center log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_cost_center and actor.process.file.owner.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.created_time |
about.user.attribute.creation_time |
If the actor.process.file.owner.ldap_person.created_time log field value is not empty then, actor.process.file.owner.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
actor.process.file.owner.ldap_person.deleted_time |
about.user.attribute.labels[actor_process_file_owner_ldap_person_deleted_time] |
If the actor.process.file.owner.ldap_person.deleted_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_deleted_time and actor.process.file.owner.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field actor.process.file.owner.ldap_person.email_addrs, then if the actor.process.file.owner.ldap_person.email_addrs log field value is not empty then, actor.process.file.owner.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
actor.process.file.owner.ldap_person.employee_uid |
about.user.employee_id |
If the actor.process.file.owner.ldap_person.employee_uid log field value is not empty then, actor.process.file.owner.ldap_person.employee_uid log field is mapped to the about.user.employee_id UDM field. |
actor.process.file.owner.ldap_person.given_name |
about.user.first_name |
If the actor.process.file.owner.ldap_person.given_name log field value is not empty then, actor.process.file.owner.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
actor.process.file.owner.ldap_person.hire_time |
about.user.hire_date |
If the actor.process.file.owner.ldap_person.hire_time log field value is not empty then, actor.process.file.owner.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
actor.process.file.owner.ldap_person.job_title |
about.user.title |
If the actor.process.file.owner.ldap_person.job_title log field value is not empty then, actor.process.file.owner.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
actor.process.file.owner.ldap_person.labels |
about.user.attribute.labels[actor_process_file_owner_ldap_person_label_{index}] |
Iterate through log field actor.process.file.owner.ldap_person.labels, then if the actor.process.file.owner.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_labels_{index} and actor.process.file.owner.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.last_login_time |
about.user.last_login_time |
If the actor.process.file.owner.ldap_person.last_login_time log field value is not empty then, actor.process.file.owner.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
actor.process.file.owner.ldap_person.ldap_cn |
about.user.attribute.labels[actor_process_file_owner_ldap_person_ldap_cn] |
If the actor.process.file.owner.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_ldap_cn and actor.process.file.owner.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.ldap_dn |
about.user.attribute.labels[actor_process_file_owner_ldap_person_ldap_dn] |
If the actor.process.file.owner.ldap_person.ldap_dn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_ldap_dn and actor.process.file.owner.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.leave_time |
about.user.termination_date |
If the actor.process.file.owner.ldap_person.leave_time log field value is not empty then, actor.process.file.owner.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
actor.process.file.owner.ldap_person.modified_time |
about.user.attribute.last_update_time |
If the actor.process.file.owner.ldap_person.modified_time log field value is not empty then, actor.process.file.owner.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
actor.process.file.owner.ldap_person.office_location |
about.user.office_address.name |
If the actor.process.file.owner.ldap_person.office_location log field value is not empty then, actor.process.file.owner.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
actor.process.file.owner.ldap_person.surname |
about.user.last_name |
If the actor.process.file.owner.ldap_person.surname log field value is not empty then, actor.process.file.owner.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
actor.process.file.owner.ldap_person.manager.account.name |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_account_name] |
If the actor.process.file.owner.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_account_name and actor.process.file.owner.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.account.type |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_account_type] |
If the actor.process.file.owner.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_account_type and actor.process.file.owner.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.account.type_id |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_account_type_id] |
If the actor.process.file.owner.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_account_type_id and actor.process.file.owner.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.account.uid |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_account_uid] |
If the actor.process.file.owner.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_account_uid and actor.process.file.owner.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.credential_uid |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_credential_uid] |
If the actor.process.file.owner.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_credential_uid and actor.process.file.owner.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.domain |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_domain] |
If the actor.process.file.owner.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_domain and actor.process.file.owner.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.email_addr |
about.user.managers.email_addresses |
If the actor.process.file.owner.ldap_person.manager.email_addr log field value is not empty then, actor.process.file.owner.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
actor.process.file.owner.ldap_person.manager.full_name |
about.user.managers.user_display_name |
If the actor.process.file.owner.ldap_person.manager.full_name log field value is not empty then, actor.process.file.owner.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
actor.process.file.owner.ldap_person.manager.groups.desc |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.process.file.owner.ldap_person.manager.groups, then if the actor.process.file.owner.ldap_person.manager.groups.desc log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_group_%{index}_desc and actor.process.file.owner.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.groups.domain |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.process.file.owner.ldap_person.manager.groups, then if the actor.process.file.owner.ldap_person.manager.groups.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_group_%{index}_domain and actor.process.file.owner.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.groups.name |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.process.file.owner.ldap_person.manager.groups, then if the actor.process.file.owner.ldap_person.manager.groups.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_group_%{index}_name and actor.process.file.owner.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.groups.privileges |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.file.owner.ldap_person.manager.groups, then iterate through log field actor.process.file.owner.ldap_person.manager.groups.privileges, then if the actor.process.file.owner.ldap_person.manager.groups.privileges log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_group_%{index}_privileges_%{index1} and actor.process.file.owner.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.groups.type |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.process.file.owner.ldap_person.manager.groups, then if the actor.process.file.owner.ldap_person.manager.groups.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_group_%{index}_type and actor.process.file.owner.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.groups.uid |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.process.file.owner.ldap_person.manager.groups, then if the actor.process.file.owner.ldap_person.manager.groups.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_group_%{index}_uid and actor.process.file.owner.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.name |
about.user.managers.userid |
If the actor.process.file.owner.ldap_person.manager.name log field value is not empty then, actor.process.file.owner.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
actor.process.file.owner.ldap_person.manager.type |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_type] |
If the actor.process.file.owner.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_type and actor.process.file.owner.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
If the actor.process.file.owner.ldap_person.manager.type_id log field value is equal to 1 then, the about.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.process.file.owner.ldap_person.manager.type_id log field value is equal to 2 then, the about.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.file.owner.ldap_person.manager.type_id log field value is equal to 3 then, the about.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.process.file.owner.ldap_person.manager.type_id log field value is equal to 0 then, the about.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the about.user.managers.attribute.roles.name UDM field is set to Other. |
actor.process.file.owner.ldap_person.manager.uid |
about.user.managers.product_object_id |
If the actor.process.file.owner.ldap_person.manager.uid log field value is not empty then, actor.process.file.owner.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
actor.process.file.owner.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_uid_alt] |
If the actor.process.file.owner.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_uid_alt and actor.process.file.owner.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.org.name |
about.user.managers.company_name |
If the actor.process.file.owner.ldap_person.manager.org.name log field value is not empty then, actor.process.file.owner.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
actor.process.file.owner.ldap_person.manager.org.ou_name |
about.user.managers.department |
If the actor.process.file.owner.ldap_person.manager.org.ou_name log field value is not empty then, actor.process.file.owner.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
actor.process.file.owner.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_org_ou_uid] |
If the actor.process.file.owner.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_org_ou_uid and actor.process.file.owner.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[actor_process_file_owner_ldap_person_manager_org_uid] |
If the actor.process.file.owner.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_manager_org_uid and actor.process.file.owner.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.location.city |
about.user.personal_address.city |
If the actor.process.file.owner.ldap_person.location.city log field value is not empty then, actor.process.file.owner.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
actor.process.file.owner.ldap_person.location.continent |
about.user.attribute.labels[actor_process_file_owner_ldap_person_location_continent] |
If the actor.process.file.owner.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_location_continent and actor.process.file.owner.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.latitude & longitude |
Iterate through log field actor.process.file.owner.ldap_person.location.coordinates, then if the index value is equal to 0 then, actor.process.file.owner.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, actor.process.file.owner.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.latitude UDM field. |
actor.process.file.owner.ldap_person.location.country |
about.user.office_address.country_or_region |
If the actor.process.file.owner.ldap_person.location.country log field value is not empty then, actor.process.file.owner.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
actor.process.file.owner.ldap_person.location.desc |
about.user.office_address.name |
If the actor.process.file.owner.ldap_person.location.desc log field value is not empty then, actor.process.file.owner.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
actor.process.file.owner.ldap_person.location.is_on_premises |
about.user.attribute.labels[actor_process_file_owner_ldap_person_location_is_on_premises] |
If the actor.process.file.owner.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_location_is_on_premises and actor.process.file.owner.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.location.isp |
about.user.attribute.labels[actor_process_file_owner_ldap_person_location_isp] |
If the actor.process.file.owner.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_location_isp and actor.process.file.owner.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.location.postal_code |
about.user.attribute.labels[actor_process_file_owner_ldap_person_location_postal_code] |
If the actor.process.file.owner.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_location_postal_code and actor.process.file.owner.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.location.provider |
about.user.attribute.labels[actor_process_file_owner_ldap_person_location_provider] |
If the actor.process.file.owner.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_ldap_person_location_provider and actor.process.file.owner.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.ldap_person.location.region |
about.user.office_address.state |
If the actor.process.file.owner.ldap_person.location.region log field value is not empty then, actor.process.file.owner.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
actor.process.file.owner.name |
about.user.userid |
If the actor.process.file.owner.name log field value is not empty then, actor.process.file.owner.name log field is mapped to the about.user.userid UDM field. |
actor.process.file.owner.org.name |
about.user.company_name |
If the actor.process.file.owner.org.name log field value is not empty then, actor.process.file.owner.org.name log field is mapped to the about.user.company_name UDM field. |
actor.process.file.owner.org.ou_name |
about.user.department |
If the actor.process.file.owner.org.ou_name log field value is not empty then, actor.process.file.owner.org.ou_name log field is mapped to the about.user.department UDM field. |
actor.process.file.owner.org.ou_uid |
about.user.attribute.labels[actor_process_file_owner_org_ou_uid] |
If the actor.process.file.owner.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_org_ou_uid and actor.process.file.owner.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.org.uid |
about.user.attribute.labels[actor_process_file_owner_org_uid] |
If the actor.process.file.owner.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_org_uid and actor.process.file.owner.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.type |
about.user.attribute.labels[actor_process_file_owner_type] |
If the actor.process.file.owner.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_type and actor.process.file.owner.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.type_id |
about.user.attribute.labels[actor_process_file_owner_type_id] |
If the actor.process.file.owner.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_type_id and actor.process.file.owner.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.owner.uid |
about.user.product_object_id |
If the actor.process.file.owner.uid log field value is not empty then, actor.process.file.owner.uid log field is mapped to the about.user.product_object_id UDM field. |
actor.process.file.owner.uid_alt |
about.user.attribute.labels[actor_process_file_owner_uid_alt] |
If the actor.process.file.owner.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_file_owner_uid_alt and actor.process.file.owner.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.file.parent_folder |
additional.fields[actor_process_file_parent_folder] |
If the actor.process.file.parent_folder log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_parent_folder and actor.process.file.parent_folder log field is mapped to the additional.fields UDM field. |
actor.process.file.path |
principal.process.file.full_path |
If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
actor.process.file.product.cpe_name |
additional.fields[actor_process_file_product_cpe_name] |
If the actor.process.file.product.cpe_name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_cpe_name and actor.process.file.product.cpe_name log field is mapped to the additional.fields UDM field. |
actor.process.file.product.feature.name |
additional.fields[actor_process_file_product_feature_name] |
If the actor.process.file.product.feature.name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_feature_name and actor.process.file.product.feature.name log field is mapped to the additional.fields UDM field. |
actor.process.file.product.feature.uid |
additional.fields[actor_process_file_product_feature_uid] |
If the actor.process.file.product.feature.uid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_feature_uid and actor.process.file.product.feature.uid log field is mapped to the additional.fields UDM field. |
actor.process.file.product.feature.version |
additional.fields[actor_process_file_product_feature_version] |
If the actor.process.file.product.feature.version log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_feature_version and actor.process.file.product.feature.version log field is mapped to the additional.fields UDM field. |
actor.process.file.product.lang |
additional.fields[actor_process_file_product_lang] |
If the actor.process.file.product.lang log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_lang and actor.process.file.product.lang log field is mapped to the additional.fields UDM field. |
actor.process.file.product.name |
additional.fields[actor_process_file_product_name] |
If the actor.process.file.product.name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_name and actor.process.file.product.name log field is mapped to the additional.fields UDM field. |
actor.process.file.product.path |
additional.fields[actor_process_file_product_path] |
If the actor.process.file.product.path log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_path and actor.process.file.product.path log field is mapped to the additional.fields UDM field. |
actor.process.file.product.uid |
additional.fields[actor_process_file_product_uid] |
If the actor.process.file.product.uid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_uid and actor.process.file.product.uid log field is mapped to the additional.fields UDM field. |
actor.process.file.product.uid_string |
additional.fields[actor_process_file_product_uid_string] |
If the actor.process.file.product.uid_string log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_uid_string and actor.process.file.product.uid_string log field is mapped to the additional.fields UDM field. |
actor.process.file.product.vendor_name |
additional.fields[actor_process_file_product_vendor_name] |
If the actor.process.file.product.vendor_name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_vendor_name and actor.process.file.product.vendor_name log field is mapped to the additional.fields UDM field. |
actor.process.file.product.version |
additional.fields[actor_process_file_product_version] |
If the actor.process.file.product.version log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_product_version and actor.process.file.product.version log field is mapped to the additional.fields UDM field. |
actor.process.file.security_descriptor |
additional.fields[actor_process_file_security_descriptor] |
If the actor.process.file.security_descriptor log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_security_descriptor and actor.process.file.security_descriptor log field is mapped to the additional.fields UDM field. |
actor.process.file.signature.algorithm |
additional.fields[actor_process_file_signature_algorithm] |
If the actor.process.file.signature.algorithm log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_signature_algorithm and actor.process.file.signature.algorithm log field is mapped to the additional.fields UDM field. |
actor.process.file.signature.algorithm_id |
additional.fields[actor_process_file_signature_algorithm_id] |
If the actor.process.file.signature.algorithm_id log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_signature_algorithm_id and actor.process.file.signature.algorithm_id log field is mapped to the additional.fields UDM field. |
actor.process.file.signature.certificate.created_time |
additional.fields[actor_process_file_signature_certificate_created_time] |
If the actor.process.file.signature.certificate.created_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_signature_certificate_created_time and actor.process.file.signature.certificate.created_time log field is mapped to the additional.fields UDM field. |
actor.process.file.signature.certificate.expiration_time |
additional.fields[actor_process_file_signature_certificate_expiration_time] |
If the actor.process.file.signature.certificate.expiration_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_signature_certificate_expiration_time and actor.process.file.signature.certificate.expiration_time log field is mapped to the additional.fields UDM field. |
actor.process.file.signature.certificate.fingerprints.algorithm |
principal.process.file.signature_info.sigcheck.x509.algorithm |
Iterate through log field actor.process.file.signature.certificate.fingerprints, then if the actor.process.file.signature.certificate.fingerprints.algorithm log field value is not empty then, actor.process.file.signature.certificate.fingerprints.algorithm log field is mapped to the principal.process.file.signature_info.sigcheck.x509.algorithm UDM field. |
actor.process.file.signature.certificate.fingerprints.value |
additional.fields[actor_process_file_signature_certificate_fingerprints_%{index}_value] |
Iterate through log field actor.process.file.signature.certificate.fingerprints, then if the actor.process.file.signature.certificate.fingerprints.value log field value is not empty then, actor_process_file_signature_certificate_fingerprints_%{index}_value log field is mapped to the additional.fields.key UDM field and actor.process.file.signature.certificate.fingerprints.value log field is mapped to the additional.fields UDM field. |
actor.process.file.signature.certificate.issuer |
principal.process.file.signature_info.sigcheck.x509.cert_issuer |
If the actor.process.file.signature.certificate.issuer log field value is not empty then, actor.process.file.signature.certificate.issuer log field is mapped to the principal.process.file.signature_info.sigcheck.x509.cert_issuer UDM field. |
actor.process.file.signature.certificate.serial_number |
principal.process.file.signature_info.sigcheck.x509.serial_number |
If the actor.process.file.signature.certificate.serial_number log field value is not empty then, actor.process.file.signature.certificate.serial_number log field is mapped to the principal.process.file.signature_info.sigcheck.x509.serial_number UDM field. |
actor.process.file.signature.certificate.subject |
principal.process.file.signature_info.sigcheck.x509.name |
If the actor.process.file.signature.certificate.subject log field value is not empty then, actor.process.file.signature.certificate.subject log field is mapped to the principal.process.file.signature_info.sigcheck.x509.name UDM field. |
actor.process.file.signature.certificate.uid |
additional.fields[actor_process_file_signature_certificate_uid] |
If the actor.process.file.signature.certificate.uid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_signature_certificate_uid and actor.process.file.signature.certificate.uid log field is mapped to the additional.fields UDM field. |
actor.process.file.signature.certificate.version |
additional.fields[actor_process_file_signature_certificate_version] |
If the actor.process.file.signature.certificate.version log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_signature_certificate_version and actor.process.file.signature.certificate.version log field is mapped to the additional.fields UDM field. |
actor.process.file.signature.created_time |
additional.fields[actor_process_file_signature_created_time] |
If the actor.process.file.signature.created_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_signature_created_time and actor.process.file.signature.created_time log field is mapped to the additional.fields UDM field. |
actor.process.file.signature.developer_uid |
principal.process.file.signature_info.sigcheck.signers.name |
If the actor.process.file.signature.developer_uid log field value is not empty then, actor.process.file.signature.developer_uid log field is mapped to the principal.process.file.signature_info.sigcheck.signers.name UDM field. |
actor.process.file.signature.digest.algorithm |
additional.fields[actor_process_file_signature_digest_algorithm] |
If the actor.process.file.signature.digest.algorithm log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_signature_digest_algorithm and actor.process.file.signature.digest.algorithm log field is mapped to the additional.fields UDM field. |
actor.process.file.signature.digest.value |
additional.fields[actor_process_file_signature_digest_value] |
If the actor.process.file.signature.digest.value log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_signature_digest_value and actor.process.file.signature.digest.value log field is mapped to the additional.fields UDM field. |
actor.process.file.size |
principal.process.file.size |
If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. |
actor.process.file.type |
additional.fields[actor_process_file_type] |
If the actor.process.file.type log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_type and actor.process.file.type log field is mapped to the additional.fields UDM field. |
actor.process.file.type_id |
additional.fields[actor_process_file_type_id] |
If the actor.process.file.type_id log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_type_id and actor.process.file.type_id log field is mapped to the additional.fields UDM field. |
actor.process.file.uid |
principal.process.file.stat_inode |
If the actor.process.file.uid log field value is not empty then, actor.process.file.uid log field is mapped to the principal.process.file.stat_inode UDM field. |
actor.process.file.version |
additional.fields[actor_process_file_version] |
If the actor.process.file.version log field value is not empty then, the additional.fields.key UDM field is set to actor_process_file_version and actor.process.file.version log field is mapped to the additional.fields UDM field. |
actor.process.file.xattributes |
additional.fields[actor_process_file_xattributes] |
Iterate for each key, value pair of log field actor.process.file.xattributes, then if the actor.process.file.xattributes log field value is not empty then, key log field is mapped to the additional.fields.key UDM field and value log field is mapped to the additional.fields UDM field. |
actor.process.integrity |
additional.fields[actor_process_integrity] |
If the actor.process.integrity log field value is not empty then, the additional.fields.key UDM field is set to actor_process_integrity and actor.process.integrity log field is mapped to the additional.fields UDM field. |
actor.process.integrity_id |
principal.process.integrity_level_rid |
If the actor.process.integrity_id log field value is not empty then, actor.process.integrity_id log field is mapped to the principal.process.integrity_level_rid UDM field. |
actor.process.lineage |
principal.process.command_line_history |
Iterate through log field actor.process.lineage, then if the actor.process.lineage log field value is not empty then, actor.process.lineage log field is mapped to the principal.process.command_line_history UDM field. |
actor.process.loaded_modules |
additional.fields[actor_process_loaded_modules_%{index}] |
Iterate through log field actor.process.loaded_modules, then if the actor.process.loaded_modules log field value is not empty then, actor_process_loaded_modules_%{index} log field is mapped to the additional.fields.key UDM field and actor.process.loaded_modules log field is mapped to the additional.fields UDM field. |
actor.process.name |
additional.fields[actor_process_name] |
If the actor.process.name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_name and actor.process.name log field is mapped to the additional.fields UDM field. |
actor.process.pid |
principal.process.pid |
If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. |
actor.process.sandbox |
additional.fields[actor_process_sandbox] |
If the actor.process.sandbox log field value is not empty then, the additional.fields.key UDM field is set to actor_process_sandbox and actor.process.sandbox log field is mapped to the additional.fields UDM field. |
actor.process.session.created_time |
additional.fields[actor_process_session_created_time] |
If the actor.process.session.created_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_session_created_time and actor.process.session.created_time log field is mapped to the additional.fields UDM field. |
actor.process.session.credential_uid |
additional.fields[actor_process_session_credential_uid] |
If the actor.process.session.credential_uid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_session_credential_uid and actor.process.session.credential_uid log field is mapped to the additional.fields UDM field. |
actor.process.session.expiration_time |
additional.fields[actor_process_session_expiration_time] |
If the actor.process.session.expiration_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_session_expiration_time and actor.process.session.expiration_time log field is mapped to the additional.fields UDM field. |
actor.process.session.is_remote |
additional.fields[actor_process_session_is_remote] |
If the actor.process.session.is_remote log field value is not empty then, the additional.fields.key UDM field is set to actor_process_session_is_remote and actor.process.session.is_remote log field is mapped to the additional.fields UDM field. |
actor.process.session.issuer |
additional.fields[actor_process_session_issuer] |
If the actor.process.session.issuer log field value is not empty then, the additional.fields.key UDM field is set to actor_process_session_issuer and actor.process.session.issuer log field is mapped to the additional.fields UDM field. |
actor.process.session.uid |
additional.fields[actor_process_session_uid] |
If the actor.process.session.uid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_session_uid and actor.process.session.uid log field is mapped to the additional.fields UDM field. |
actor.process.session.uuid |
additional.fields[actor_process_session_uuid] |
If the actor.process.session.uuid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_session_uuid and actor.process.session.uuid log field is mapped to the additional.fields UDM field. |
actor.process.terminated_time |
additional.fields[actor_process_terminated_time] |
If the actor.process.terminated_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_terminated_time and actor.process.terminated_time log field is mapped to the additional.fields UDM field. |
actor.process.tid |
additional.fields[actor_process_tid] |
If the actor.process.tid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_tid and actor.process.tid log field is mapped to the additional.fields UDM field. |
actor.process.uid |
principal.process.product_specific_process_id |
If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
actor.process.xattributes |
additional.fields[actor_process_xattributes] |
Iterate for each key, value pair of log field actor.process.xattributes, then if the actor.process.xattributes log field value is not empty then, key log field is mapped to the additional.fields.key UDM field and value log field is mapped to the additional.fields UDM field. |
actor.session.created_time |
principal.user.attribute.labels[actor_session_created_time] |
If the actor.session.created_time log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_session_created_time and actor.session.created_time log field is mapped to the principal.user.attribute.labels UDM field. |
actor.session.credential_uid |
principal.user.attribute.labels[actor_session_credential_uid] |
If the actor.session.credential_uid log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_session_credential_uid and actor.session.credential_uid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.session.expiration_time |
principal.user.attribute.labels[actor_session_expiration_time] |
If the actor.session.expiration_time log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_session_expiration_time and actor.session.expiration_time log field is mapped to the principal.user.attribute.labels UDM field. |
actor.session.is_remote |
principal.user.attribute.labels[actor_session_is_remote] |
If the actor.session.is_remote log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_session_is_remote and actor.session.is_remote log field is mapped to the principal.user.attribute.labels UDM field. |
actor.session.issuer |
principal.user.attribute.labels[actor_session_issuer] |
If the actor.session.issuer log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_session_issuer and actor.session.issuer log field is mapped to the principal.user.attribute.labels UDM field. |
actor.session.uid |
principal.network.session_id |
If the actor.session.uid log field value is not empty then, actor.session.uid log field is mapped to the principal.network.session_id UDM field. |
actor.session.uuid |
principal.user.attribute.labels[actor_session_uuid] |
If the actor.session.uuid log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_session_uuid and actor.session.uuid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.account.name |
principal.user.attribute.labels[actor_user_account_name] |
If the actor.user.account.name log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_account_name and actor.user.account.name log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.account.type |
principal.user.attribute.labels[actor_user_account_type] |
If the actor.user.account.type log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_account_type and actor.user.account.type log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.account.type_id |
principal.user.attribute.labels[actor_user_account_type_id] |
If the actor.user.account.type_id log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_account_type_id and actor.user.account.type_id log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.account.uid |
principal.user.attribute.labels[actor_user_account_uid] |
If the actor.user.account.uid log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_account_uid and actor.user.account.uid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.credential_uid |
principal.user.attribute.labels[actor_user_credential_uid] |
If the actor.user.credential_uid log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_credential_uid and actor.user.credential_uid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.groups.desc |
principal.user.attribute.labels[actor_user_groups_%{index}_desc] |
Iterate through log field actor.user.groups, then if the actor.user.groups.desc log field value is not empty then, actor_user_groups_%{index}_desc log field is mapped to the principal.user.attribute.labels.key UDM field and actor.user.groups.desc log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.groups.domain |
principal.user.attribute.labels[actor_user_groups_%{index}_domain] |
Iterate through log field actor.user.groups, then if the actor.user.groups.domain log field value is not empty then, actor_user_groups_%{index}_domain log field is mapped to the principal.user.attribute.labels.key UDM field and actor.user.groups.domain log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.groups.name |
principal.user.group_identifiers |
Iterate through log field actor.user.groups, then if the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.groups.privileges |
principal.user.attribute.labels[actor_user_groups_%{index}_privileges_%{index1}] |
Iterate through log field actor.user.groups, then iterate through log field actor.user.groups.privileges, then if the actor.user.groups.privileges log field value is not empty then, actor_user_groups_%{index}_privileges_%{index1} log field is mapped to the principal.user.attribute.labels.key UDM field and actor.user.groups.privileges log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.groups.type |
principal.user.attribute.labels[actor_user_groups_%{index}_type] |
Iterate through log field actor.user.groups, then if the actor.user.groups.type log field value is not empty then, actor_user_groups_%{index}_type log field is mapped to the principal.user.attribute.labels.key UDM field and actor.user.groups.type log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.groups.uid |
principal.user.attribute.labels[actor_user_groups_%{index}_uid] |
Iterate through log field actor.user.groups, then if the actor.user.groups.uid log field value is not empty then, actor_user_groups_%{index}_uid log field is mapped to the principal.user.attribute.labels.key UDM field and actor.user.groups.uid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.cost_center |
principal.user.attribute.labels[actor_user_ldap_person_cost_center] |
If the actor.user.ldap_person.cost_center log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_ldap_person_cost_center and actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.created_time |
principal.user.attribute.creation_time |
If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.creation_time UDM field. |
actor.user.ldap_person.deleted_time |
principal.user.attribute.labels[actor_user_ldap_person_deleted_time] |
If the actor.user.ldap_person.deleted_time log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_ldap_person_deleted_time and actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.email_addrs |
principal.user.email_addresses |
Iterate through log field actor.user.ldap_person.email_addrs, then if the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.ldap_person.employee_uid |
principal.user.employee_id |
If the actor.user.ldap_person.employee_uid log field value is not empty then, actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_id UDM field. |
actor.user.ldap_person.given_name |
principal.user.first_name |
If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.user.ldap_person.hire_time |
principal.user.hire_date |
If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.user.ldap_person.job_title |
principal.user.title |
If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.user.ldap_person.labels |
principal.user.attribute.labels[actor_user_ldap_person_labels_%{index}] |
Iterate through log field actor.user.ldap_person.labels, then if the actor.user.ldap_person.labels log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_ldap_person_labels_%{index} and actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.user.ldap_person.ldap_cn |
principal.user.attribute.labels[actor_user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.ldap_cn log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_ldap_person_ldap_cn and actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.ldap_dn |
principal.user.attribute.labels[actor_user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.ldap_dn log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_ldap_person_ldap_dn and actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.leave_time |
principal.user.termination_date |
If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.termination_date UDM field. |
actor.user.ldap_person.modified_time |
principal.user.attribute.last_update_time |
If the actor.user.ldap_person.modified_time log field value is not empty then, actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.last_update_time UDM field. |
actor.user.ldap_person.office_location |
principal.user.office_address.name |
If the actor.user.ldap_person.office_location log field value is not empty then, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.user.ldap_person.surname |
principal.user.last_name |
If the actor.user.ldap_person.surname log field value is not empty then, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
actor.user.ldap_person.manager.account.name |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_account_name] |
If the actor.user.ldap_person.manager.account.name log field value is not empty then, the principal.user.managers.attribute.labels.key UDM field is set to actor_user_ldap_person_manager_account_name and actor.user.ldap_person.manager.account.name log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.account.type |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_account_type] |
If the actor.user.ldap_person.manager.account.type log field value is not empty then, the principal.user.managers.attribute.labels.key UDM field is set to actor_user_ldap_person_manager_account_type and actor.user.ldap_person.manager.account.type log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.account.type_id |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_account_type_id] |
If the actor.user.ldap_person.manager.account.type_id log field value is not empty then, the principal.user.managers.attribute.labels.key UDM field is set to actor_user_ldap_person_manager_account_type_id and actor.user.ldap_person.manager.account.type_id log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.account.uid |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_account_uid] |
If the actor.user.ldap_person.manager.account.uid log field value is not empty then, the principal.user.managers.attribute.labels.key UDM field is set to actor_user_ldap_person_manager_account_uid and actor.user.ldap_person.manager.account.uid log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.credential_uid |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_credential_uid] |
If the actor.user.ldap_person.manager.credential_uid log field value is not empty then, the principal.user.managers.attribute.labels.key UDM field is set to actor_user_ldap_person_manager_credential_uid and actor.user.ldap_person.manager.credential_uid log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.domain |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_domain] |
If the actor.user.ldap_person.manager.domain log field value is not empty then, the principal.user.managers.attribute.labels.key UDM field is set to actor_user_ldap_person_manager_domain and actor.user.ldap_person.manager.domain log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.email_addr |
principal.user.managers.email_addresses |
If the actor.user.ldap_person.manager.email_addr log field value is not empty then, actor.user.ldap_person.manager.email_addr log field is mapped to the principal.user.managers.email_addresses UDM field. |
actor.user.ldap_person.manager.full_name |
principal.user.managers.user_display_name |
If the actor.user.ldap_person.manager.full_name log field value is not empty then, actor.user.ldap_person.manager.full_name log field is mapped to the principal.user.managers.user_display_name UDM field. |
actor.user.ldap_person.manager.groups.desc |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.user.ldap_person.manager.groups, then if the actor.user.ldap_person.manager.groups.desc log field value is not empty then, actor_user_ldap_person_manager_group_%{index}_desc log field is mapped to the principal.user.managers.attribute.labels.key UDM field and actor.user.ldap_person.manager.groups.desc log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.groups.domain |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.user.ldap_person.manager.groups, then if the actor.user.ldap_person.manager.groups.domain log field value is not empty then, actor_user_ldap_person_manager_group_%{index}_domain log field is mapped to the principal.user.managers.attribute.labels.key UDM field and actor.user.ldap_person.manager.groups.domain log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.groups.name |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.user.ldap_person.manager.groups, then if the actor.user.ldap_person.manager.groups.name log field value is not empty then, actor_user_ldap_person_manager_group_%{index}_name log field is mapped to the principal.user.managers.attribute.labels.key UDM field and actor.user.ldap_person.manager.groups.name log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.groups.privileges |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.user.ldap_person.manager.groups, then iterate through log field actor.user.ldap_person.manager.groups.privileges, then if the actor.user.ldap_person.manager.groups.privileges log field value is not empty then, actor_user_ldap_person_manager_group_%{index}_privileges_%{index1} log field is mapped to the principal.user.managers.attribute.labels.key UDM field and actor.user.ldap_person.manager.groups.privileges log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.groups.type |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.user.ldap_person.manager.groups, then if the actor.user.ldap_person.manager.groups.type log field value is not empty then, actor_user_ldap_person_manager_group_%{index}_type log field is mapped to the principal.user.managers.attribute.labels.key UDM field and actor.user.ldap_person.manager.groups.type log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.groups.uid |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.user.ldap_person.manager.groups, then if the actor.user.ldap_person.manager.groups.uid log field value is not empty then, actor_user_ldap_person_manager_group_%{index}_uid log field is mapped to the principal.user.managers.attribute.labels.key UDM field and actor.user.ldap_person.manager.groups.uid log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.name |
principal.user.managers.userid |
If the actor.user.ldap_person.manager.name log field value is not empty then, actor.user.ldap_person.manager.name log field is mapped to the principal.user.managers.userid UDM field. |
actor.user.ldap_person.manager.type |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_type] |
If the actor.user.ldap_person.manager.type log field value is not empty then, the principal.user.managers.attribute.labels.key UDM field is set to actor_user_ldap_person_manager_type and actor.user.ldap_person.manager.type log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.type_id |
principal.user.managers.attribute.roles |
If the actor.user.ldap_person.manager.type_id log field value is equal to 1 then, the principal.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.user.ldap_person.manager.type_id log field value is equal to 2 then, the principal.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.user.ldap_person.manager.type_id log field value is equal to 3 then, the principal.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.user.ldap_person.manager.type_id log field value is equal to 0 then, the principal.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the principal.user.managers.attribute.roles.name UDM field is set to Other. |
actor.user.ldap_person.manager.uid |
principal.user.managers.product_object_id |
If the actor.user.ldap_person.manager.uid log field value is not empty then, actor.user.ldap_person.manager.uid log field is mapped to the principal.user.managers.product_object_id UDM field. |
actor.user.ldap_person.manager.uid_alt |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_uid_alt] |
If the actor.user.ldap_person.manager.uid_alt log field value is not empty then, the principal.user.managers.attribute.labels.key UDM field is set to actor_user_ldap_person_manager_uid_alt and actor.user.ldap_person.manager.uid_alt log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.org.name |
principal.user.managers.company_name |
If the actor.user.ldap_person.manager.org.name log field value is not empty then, actor.user.ldap_person.manager.org.name log field is mapped to the principal.user.managers.company_name UDM field. |
actor.user.ldap_person.manager.org.ou_name |
principal.user.managers.department |
If the actor.user.ldap_person.manager.org.ou_name log field value is not empty then, actor.user.ldap_person.manager.org.ou_name log field is mapped to the principal.user.managers.department UDM field. |
actor.user.ldap_person.manager.org.ou_uid |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_org_ou_uid] |
If the actor.user.ldap_person.manager.org.ou_uid log field value is not empty then, the principal.user.managers.attribute.labels.key UDM field is set to actor_user_ldap_person_manager_org_ou_uid and actor.user.ldap_person.manager.org.ou_uid log field is mapped to the principal.user.managers.attribute.labels UDM field. |
actor.user.ldap_person.manager.org.uid |
principal.user.managers.attribute.labels[actor_user_ldap_person_manager_org_uid] |
If the actor.user.ldap_person.manager.org.uid log field value is not empty then, the principal.user.managers.attribute.labels.key UDM field is set to actor_user_ldap_person_manager_org_uid and actor.user.ldap_person.manager.org.uid log field is mapped to the principal.user.managers.attribute.labels UDM field. |
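The actor.user.ldap_person.manager rows above (the groups iteration with %{index} and %{index1} label keys, the type_id to attribute.roles.name mapping, and the org fields), worked through as an added Python example. This is not the Google SecOps parser's own code; the key/value dict shape used for attribute.labels and the sample event are assumptions.

```python
# Added example, not the OCSF parser itself: applies the
# actor.user.ldap_person.manager -> principal.user.managers rules from the
# mapping table to one OCSF event so the resulting UDM shape can be inspected
# offline. Label keys and the roles.name values follow the table; representing
# attribute.labels as a list of {"key", "value"} dicts is an assumption.

# type_id -> principal.user.managers.attribute.roles.name, as listed in the table
MANAGER_ROLE_BY_TYPE_ID = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}

# Fields of each manager.groups entry that become one indexed label apiece
GROUP_SCALAR_FIELDS = ("desc", "domain", "name", "type", "uid")


def _present(value):
    """The table's 'is not empty' test: None, empty strings and empty containers fail it."""
    return value not in (None, "", [], {})


def map_manager(ocsf_event: dict) -> dict:
    """Return the principal.user.managers UDM object for one OCSF event (empty if no manager)."""
    manager = (
        ocsf_event.get("actor", {})
        .get("user", {})
        .get("ldap_person", {})
        .get("manager")
    )
    if not _present(manager):
        return {}

    labels = []

    def label(key, value):
        labels.append({"key": key, "value": str(value)})

    # Iterate through manager.groups: each non-empty group field becomes a label
    # whose key carries the group position (%{index} in the table).
    for index, group in enumerate(manager.get("groups") or []):
        for field in GROUP_SCALAR_FIELDS:
            if _present(group.get(field)):
                label(f"actor_user_ldap_person_manager_group_{index}_{field}", group[field])
        # privileges is itself a list, so its key carries a second position (%{index1})
        for index1, priv in enumerate(group.get("privileges") or []):
            if _present(priv):
                label(f"actor_user_ldap_person_manager_group_{index}_privileges_{index1}", priv)

    udm = {}
    if _present(manager.get("name")):
        udm["userid"] = manager["name"]
    if _present(manager.get("type")):
        label("actor_user_ldap_person_manager_type", manager["type"])
    # The table states no emptiness check for type_id: unknown or missing
    # values fall through to the final "Else" branch and become "Other".
    role = MANAGER_ROLE_BY_TYPE_ID.get(manager.get("type_id"), "Other")
    udm["attribute"] = {"roles": [{"name": role}]}
    if _present(manager.get("uid")):
        udm["product_object_id"] = manager["uid"]
    if _present(manager.get("uid_alt")):
        label("actor_user_ldap_person_manager_uid_alt", manager["uid_alt"])

    org = manager.get("org") or {}
    if _present(org.get("name")):
        udm["company_name"] = org["name"]
    if _present(org.get("ou_name")):
        udm["department"] = org["ou_name"]
    if _present(org.get("ou_uid")):
        label("actor_user_ldap_person_manager_org_ou_uid", org["ou_uid"])
    if _present(org.get("uid")):
        label("actor_user_ldap_person_manager_org_uid", org["uid"])

    if labels:
        udm["attribute"]["labels"] = labels
    return udm


# Constructed sample event (not a real log) exercising the manager rules only
SAMPLE_EVENT = {
    "actor": {"user": {"ldap_person": {"manager": {
        "name": "jdoe",
        "uid": "manager-uid-0001",
        "type_id": 2,
        "groups": [
            {"name": "Directory Admins", "domain": "corp.example", "privileges": ["read", "write"]},
            {"name": "Helpdesk", "desc": ""},
        ],
        "org": {"name": "Example Corp", "ou_name": "IT", "ou_uid": "ou-42"},
    }}}}
}

if __name__ == "__main__":
    import json
    print(json.dumps(map_manager(SAMPLE_EVENT), indent=2))
```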
actor.user.ldap_person.location.city |
principal.user.personal_address.city |
If the actor.user.ldap_person.location.city log field value is not empty then, actor.user.ldap_person.location.city log field is mapped to the principal.user.personal_address.city UDM field. |
actor.user.ldap_person.location.continent |
principal.user.attribute.labels[actor_user_ldap_person_location_continent] |
If the actor.user.ldap_person.location.continent log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_ldap_person_location_continent and actor.user.ldap_person.location.continent log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.location.coordinates |
principal.user.office_address.region_coordinates |
Iterate through log field actor.user.ldap_person.location.coordinates, then if the index value is equal to 0 then, actor.user.ldap_person.location.coordinates log field is mapped to the principal.user.office_address.region_coordinates.longitude UDM field. Else, actor.user.ldap_person.location.coordinates log field is mapped to the principal.user.office_address.region_coordinates.latitude UDM field. |
actor.user.ldap_person.location.country |
principal.user.office_address.country_or_region |
If the actor.user.ldap_person.location.country log field value is not empty then, actor.user.ldap_person.location.country log field is mapped to the principal.user.personal_address.country_or_region UDM field. |
actor.user.ldap_person.location.desc |
principal.user.office_address.name |
If the actor.user.ldap_person.location.desc log field value is not empty then, actor.user.ldap_person.location.desc log field is mapped to the principal.user.office_address.name UDM field. |
actor.user.ldap_person.location.is_on_premises |
principal.user.attribute.labels[actor_user_ldap_person_location_is_on_premises] |
If the actor.user.ldap_person.location.is_on_premises log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_ldap_person_location_is_on_premises and actor.user.ldap_person.location.is_on_premises log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.location.isp |
principal.user.attribute.labels[actor_user_ldap_person_location_isp] |
If the actor.user.ldap_person.location.isp log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_ldap_person_location_isp and actor.user.ldap_person.location.isp log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.location.postal_code |
principal.user.attribute.labels[actor_user_ldap_person_location_postal_code] |
If the actor.user.ldap_person.location.postal_code log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_ldap_person_location_postal_code and actor.user.ldap_person.location.postal_code log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.location.provider |
principal.user.attribute.labels[actor_user_ldap_person_location_provider] |
If the actor.user.ldap_person.location.provider log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_ldap_person_location_provider and actor.user.ldap_person.location.provider log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.ldap_person.location.region |
principal.user.office_address.state |
If the actor.user.ldap_person.location.region log field value is not empty then, actor.user.ldap_person.location.region log field is mapped to the principal.user.office_address.state UDM field. |
actor.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.org.ou_uid |
principal.user.attribute.labels[actor_user_org_ou_uid] |
If the actor.user.org.ou_uid log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_org_ou_uid and actor.user.org.ou_uid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.org.uid |
principal.user.attribute.labels[actor_user_org_uid] |
If the actor.user.org.uid log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_org_uid and actor.user.org.uid log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.type |
principal.user.attribute.labels[actor_user_type] |
If the actor.user.type log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_type and actor.user.type log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.type_id |
principal.user.attribute.labels[actor_user_type_id] |
If the actor.user.type_id log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_type_id and actor.user.type_id log field is mapped to the principal.user.attribute.labels UDM field. |
actor.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.uid_alt |
principal.user.attribute.labels[actor_user_uid_alt] |
If the actor.user.uid_alt log field value is not empty then, the principal.user.attribute.labels.key UDM field is set to actor_user_uid_alt and actor.user.uid_alt log field is mapped to the principal.user.attribute.labels UDM field. |
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
actor.process.parent_process.created_time |
additional.fields[actor_process_parent_process_created_time] |
If the actor.process.parent_process.created_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_created_time and actor.process.parent_process.created_time log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.accessed_time |
additional.fields[actor_process_parent_process_file_accessed_time] |
If the actor.process.parent_process.file.accessed_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_accessed_time and actor.process.parent_process.file.accessed_time log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.accessor.account.name |
about.user.attribute.labels[actor_process_parent_process_file_accessor_account_name] |
If the actor.process.parent_process.file.accessor.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_account_name and actor.process.parent_process.file.accessor.account.name log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.account.type |
about.user.attribute.labels[actor_process_parent_process_file_accessor_account_type] |
If the actor.process.parent_process.file.accessor.account.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_account_type and actor.process.parent_process.file.accessor.account.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.account.type_id |
about.user.attribute.labels[actor_process_parent_process_file_accessor_account_type_id] |
If the actor.process.parent_process.file.accessor.account.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_account_type_id and actor.process.parent_process.file.accessor.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.account.uid |
about.user.attribute.labels[actor_process_parent_process_file_accessor_account_uid] |
If the actor.process.parent_process.file.accessor.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_account_uid and actor.process.parent_process.file.accessor.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.credential_uid |
about.user.attribute.labels[actor_process_parent_process_file_accessor_credential_uid] |
If the actor.process.parent_process.file.accessor.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_credential_uid and actor.process.parent_process.file.accessor.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.domain |
about.user.attribute.labels[actor_process_parent_process_file_accessor_domain] |
If the actor.process.parent_process.file.accessor.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_domain and actor.process.parent_process.file.accessor.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.email_addr |
about.user.email_addresses |
If the actor.process.parent_process.file.accessor.email_addr log field value is not empty then, actor.process.parent_process.file.accessor.email_addr log field is mapped to the about.user.email_addresses UDM field. |
actor.process.parent_process.file.accessor.full_name |
about.user.user_display_name |
If the actor.process.parent_process.file.accessor.full_name log field value is not empty then, actor.process.parent_process.file.accessor.full_name log field is mapped to the about.user.user_display_name UDM field. |
actor.process.parent_process.file.accessor.groups.desc |
about.user.attribute.labels[actor_process_parent_process_file_accessor_groups_%{index}_desc] |
Iterate through log field actor.process.parent_process.file.accessor.groups, then if the actor.process.parent_process.file.accessor.groups.desc log field value is not empty then, actor_process_parent_process_file_accessor_groups_%{index}_desc log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.groups.domain |
about.user.attribute.labels[actor_process_parent_process_file_accessor_groups_%{index}_domain] |
Iterate through log field actor.process.parent_process.file.accessor.groups, then if the actor.process.parent_process.file.accessor.groups.domain log field value is not empty then, actor_process_parent_process_file_accessor_groups_%{index}_domain log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.groups.name |
about.user.group_identifiers |
Iterate through log field actor.process.parent_process.file.accessor.groups, then if the actor.process.parent_process.file.accessor.groups.name log field value is not empty then, actor.process.parent_process.file.accessor.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
actor.process.parent_process.file.accessor.groups.privileges |
about.user.attribute.labels[actor_process_parent_process_file_accessor_groups_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.parent_process.file.accessor.groups, then iterate through log field actor.process.parent_process.file.accessor.groups.privileges, then if the actor.process.parent_process.file.accessor.groups.privileges log field value is not empty then, actor_process_parent_process_file_accessor_groups_%{index}_privileges_%{index1} log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.groups.type |
about.user.attribute.labels[actor_process_parent_process_file_accessor_groups_%{index}_type] |
Iterate through log field actor.process.parent_process.file.accessor.groups, then if the actor.process.parent_process.file.accessor.groups.type log field value is not empty then, actor_process_parent_process_file_accessor_groups_%{index}_type log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.groups.uid |
about.user.attribute.labels[actor_process_parent_process_file_accessor_groups_%{index}_uid] |
Iterate through log field actor.process.parent_process.file.accessor.groups, then if the actor.process.parent_process.file.accessor.groups.uid log field value is not empty then, actor_process_parent_process_file_accessor_groups_%{index}_uid log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.cost_center |
about.user.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_cost_center] |
If the actor.process.parent_process.file.accessor.ldap_person.cost_center log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_cost_center and actor.process.parent_process.file.accessor.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.created_time |
about.user.attribute.creation_time |
If the actor.process.parent_process.file.accessor.ldap_person.created_time log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
actor.process.parent_process.file.accessor.ldap_person.deleted_time |
about.user.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_deleted_time] |
If the actor.process.parent_process.file.accessor.ldap_person.deleted_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_deleted_time and actor.process.parent_process.file.accessor.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field actor.process.parent_process.file.accessor.ldap_person.email_addrs, then if the actor.process.parent_process.file.accessor.ldap_person.email_addrs log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
actor.process.parent_process.file.accessor.ldap_person.employee_uid |
about.user.employee_id |
If the actor.process.parent_process.file.accessor.ldap_person.employee_uid log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.employee_uid log field is mapped to the about.user.employee_id UDM field. |
actor.process.parent_process.file.accessor.ldap_person.given_name |
about.user.first_name |
If the actor.process.parent_process.file.accessor.ldap_person.given_name log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
actor.process.parent_process.file.accessor.ldap_person.hire_time |
about.user.hire_date |
If the actor.process.parent_process.file.accessor.ldap_person.hire_time log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
actor.process.parent_process.file.accessor.ldap_person.job_title |
about.user.title |
If the actor.process.parent_process.file.accessor.ldap_person.job_title log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
actor.process.parent_process.file.accessor.ldap_person.labels |
about.user.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_label_{index}] |
Iterate through log field actor.process.parent_process.file.accessor.ldap_person.labels, then if the actor.process.parent_process.file.accessor.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_labels_{index} and actor.process.parent_process.file.accessor.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.last_login_time |
about.user.last_login_time |
If the actor.process.parent_process.file.accessor.ldap_person.last_login_time log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
actor.process.parent_process.file.accessor.ldap_person.ldap_cn |
about.user.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_ldap_cn] |
If the actor.process.parent_process.file.accessor.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_ldap_cn and actor.process.parent_process.file.accessor.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.ldap_dn |
about.user.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_ldap_dn] |
If the actor.process.parent_process.file.accessor.ldap_person.ldap_dn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_ldap_dn and actor.process.parent_process.file.accessor.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.leave_time |
about.user.termination_date |
If the actor.process.parent_process.file.accessor.ldap_person.leave_time log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
actor.process.parent_process.file.accessor.ldap_person.modified_time |
about.user.attribute.last_update_time |
If the actor.process.parent_process.file.accessor.ldap_person.modified_time log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
actor.process.parent_process.file.accessor.ldap_person.office_location |
about.user.office_address.name |
If the actor.process.parent_process.file.accessor.ldap_person.office_location log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
actor.process.parent_process.file.accessor.ldap_person.surname |
about.user.last_name |
If the actor.process.parent_process.file.accessor.ldap_person.surname log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.account.name |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_account_name] |
If the actor.process.parent_process.file.accessor.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_manager_account_name and actor.process.parent_process.file.accessor.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.account.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_account_type] |
If the actor.process.parent_process.file.accessor.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_manager_account_type and actor.process.parent_process.file.accessor.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.account.type_id |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_account_type_id] |
If the actor.process.parent_process.file.accessor.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_manager_account_type_id and actor.process.parent_process.file.accessor.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.account.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_account_uid] |
If the actor.process.parent_process.file.accessor.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_manager_account_uid and actor.process.parent_process.file.accessor.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.credential_uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_credential_uid] |
If the actor.process.parent_process.file.accessor.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_manager_credential_uid and actor.process.parent_process.file.accessor.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.domain |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_domain] |
If the actor.process.parent_process.file.accessor.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_manager_domain and actor.process.parent_process.file.accessor.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.email_addr |
about.user.managers.email_addresses |
If the actor.process.parent_process.file.accessor.ldap_person.manager.email_addr log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.full_name |
about.user.managers.user_display_name |
If the actor.process.parent_process.file.accessor.ldap_person.manager.full_name log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.groups.desc |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.process.parent_process.file.accessor.ldap_person.manager.groups, then if the actor.process.parent_process.file.accessor.ldap_person.manager.groups.desc log field value is not empty then, actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_desc log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.groups.domain |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.process.parent_process.file.accessor.ldap_person.manager.groups, then if the actor.process.parent_process.file.accessor.ldap_person.manager.groups.domain log field value is not empty then, actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_domain log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.groups.name |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.process.parent_process.file.accessor.ldap_person.manager.groups, then if the actor.process.parent_process.file.accessor.ldap_person.manager.groups.name log field value is not empty then, actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_name log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.groups.privileges |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.parent_process.file.accessor.ldap_person.manager.groups, then iterate through log field actor.process.parent_process.file.accessor.ldap_person.manager.groups.privileges, then if the actor.process.parent_process.file.accessor.ldap_person.manager.groups.privileges log field value is not empty then, actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_privileges_%{index1} log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.groups.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.process.parent_process.file.accessor.ldap_person.manager.groups, then if the actor.process.parent_process.file.accessor.ldap_person.manager.groups.type log field value is not empty then, actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_type log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.groups.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.process.parent_process.file.accessor.ldap_person.manager.groups, then if the actor.process.parent_process.file.accessor.ldap_person.manager.groups.uid log field value is not empty then, actor_process_parent_process_file_accessor_ldap_person_manager_group_%{index}_uid log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.accessor.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.name |
about.user.managers.userid |
If the actor.process.parent_process.file.accessor.ldap_person.manager.name log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_type] |
If the actor.process.parent_process.file.accessor.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_manager_type and actor.process.parent_process.file.accessor.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
If the actor.process.parent_process.file.accessor.ldap_person.manager.type_id log field value is equal to 1 then, the about.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.process.parent_process.file.accessor.ldap_person.manager.type_id log field value is equal to 2 then, the about.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.parent_process.file.accessor.ldap_person.manager.type_id log field value is equal to 3 then, the about.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.process.parent_process.file.accessor.ldap_person.manager.type_id log field value is equal to 0 then, the about.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the about.user.managers.attribute.roles.name UDM field is set to Other. |
actor.process.parent_process.file.accessor.ldap_person.manager.uid |
about.user.managers.product_object_id |
If the actor.process.parent_process.file.accessor.ldap_person.manager.uid log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_uid_alt] |
If the actor.process.parent_process.file.accessor.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_manager_uid_alt and actor.process.parent_process.file.accessor.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.org.name |
about.user.managers.company_name |
If the actor.process.parent_process.file.accessor.ldap_person.manager.org.name log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.org.ou_name |
about.user.managers.department |
If the actor.process.parent_process.file.accessor.ldap_person.manager.org.ou_name log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_org_ou_uid] |
If the actor.process.parent_process.file.accessor.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_manager_org_ou_uid and actor.process.parent_process.file.accessor.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_manager_org_uid] |
If the actor.process.parent_process.file.accessor.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_manager_org_uid and actor.process.parent_process.file.accessor.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.location.city |
about.user.personal_address.city |
If the actor.process.parent_process.file.accessor.ldap_person.location.city log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
actor.process.parent_process.file.accessor.ldap_person.location.continent |
about.user.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_location_continent] |
If the actor.process.parent_process.file.accessor.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_location_continent and actor.process.parent_process.file.accessor.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.accessor.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.lattitude & longitude |
Iterate through log field actor.process.parent_process.file.accessor.ldap_person.location.coordinates, thenif the index value is equal to 0 then, actor.process.parent_process.file.accessor.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, actor.process.parent_process.file.accessor.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.latitude UDM field. |
| actor.process.parent_process.file.accessor.ldap_person.location.country | about.user.office_address.country_or_region | If the actor.process.parent_process.file.accessor.ldap_person.location.country log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
| actor.process.parent_process.file.accessor.ldap_person.location.desc | about.user.office_address.name | If the actor.process.parent_process.file.accessor.ldap_person.location.desc log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
| actor.process.parent_process.file.accessor.ldap_person.location.is_on_premises | about.user.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_location_is_on_premises] | If the actor.process.parent_process.file.accessor.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_location_is_on_premises and actor.process.parent_process.file.accessor.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.accessor.ldap_person.location.isp | about.user.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_location_isp] | If the actor.process.parent_process.file.accessor.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_location_isp and actor.process.parent_process.file.accessor.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.accessor.ldap_person.location.postal_code | about.user.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_location_postal_code] | If the actor.process.parent_process.file.accessor.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_location_postal_code and actor.process.parent_process.file.accessor.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.accessor.ldap_person.location.provider | about.user.attribute.labels[actor_process_parent_process_file_accessor_ldap_person_location_provider] | If the actor.process.parent_process.file.accessor.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_ldap_person_location_provider and actor.process.parent_process.file.accessor.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.accessor.ldap_person.location.region | about.user.office_address.state | If the actor.process.parent_process.file.accessor.ldap_person.location.region log field value is not empty then, actor.process.parent_process.file.accessor.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
| actor.process.parent_process.file.accessor.name | about.user.userid | If the actor.process.parent_process.file.accessor.name log field value is not empty then, actor.process.parent_process.file.accessor.name log field is mapped to the about.user.userid UDM field. |
| actor.process.parent_process.file.accessor.org.name | about.user.company_name | If the actor.process.parent_process.file.accessor.org.name log field value is not empty then, actor.process.parent_process.file.accessor.org.name log field is mapped to the about.user.company_name UDM field. |
| actor.process.parent_process.file.accessor.org.ou_name | about.user.department | If the actor.process.parent_process.file.accessor.org.ou_name log field value is not empty then, actor.process.parent_process.file.accessor.org.ou_name log field is mapped to the about.user.department UDM field. |
| actor.process.parent_process.file.accessor.org.ou_uid | about.user.attribute.labels[actor_process_parent_process_file_accessor_org_ou_uid] | If the actor.process.parent_process.file.accessor.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_org_ou_uid and actor.process.parent_process.file.accessor.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.accessor.org.uid | about.user.attribute.labels[actor_process_parent_process_file_accessor_org_uid] | If the actor.process.parent_process.file.accessor.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_org_uid and actor.process.parent_process.file.accessor.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.accessor.type | about.user.attribute.labels[actor_process_parent_process_file_accessor_type] | If the actor.process.parent_process.file.accessor.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_type and actor.process.parent_process.file.accessor.type log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.accessor.type_id | about.user.attribute.labels[actor_process_parent_process_file_accessor_type_id] | If the actor.process.parent_process.file.accessor.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_type_id and actor.process.parent_process.file.accessor.type_id log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.accessor.uid | about.user.product_object_id | If the actor.process.parent_process.file.accessor.uid log field value is not empty then, actor.process.parent_process.file.accessor.uid log field is mapped to the about.user.product_object_id UDM field. |
| actor.process.parent_process.file.accessor.uid_alt | about.user.attribute.labels[actor_process_parent_process_file_accessor_uid_alt] | If the actor.process.parent_process.file.accessor.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_accessor_uid_alt and actor.process.parent_process.file.accessor.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.attributes | additional.fields[actor_process_parent_process_file_attributes] | If the actor.process.parent_process.file.attributes log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_attributes and actor.process.parent_process.file.attributes log field is mapped to the additional.fields UDM field. |
| actor.process.parent_process.file.company_name | additional.fields[actor_process_parent_process_file_company_name] | If the actor.process.parent_process.file.company_name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_company_name and actor.process.parent_process.file.company_name log field is mapped to the additional.fields UDM field. |
| actor.process.parent_process.file.confidentiality | additional.fields[actor_process_parent_process_file_confidentiality] | If the actor.process.parent_process.file.confidentiality log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_confidentiality and actor.process.parent_process.file.confidentiality log field is mapped to the additional.fields UDM field. |
| actor.process.parent_process.file.confidentiality_id | additional.fields[actor_process_parent_process_file_confidentiality_id] | If the actor.process.parent_process.file.confidentiality_id log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_confidentiality_id and actor.process.parent_process.file.confidentiality_id log field is mapped to the additional.fields UDM field. |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
| actor.process.parent_process.file.creator.account.name | about.user.attribute.labels[actor_process_parent_process_file_modifier_account_name] | If the actor.process.parent_process.file.creator.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_account_name and actor.process.parent_process.file.creator.account.name log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.account.type | about.user.attribute.labels[actor_process_parent_process_file_modifier_account_type] | If the actor.process.parent_process.file.creator.account.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_account_type and actor.process.parent_process.file.creator.account.type log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.account.type_id | about.user.attribute.labels[actor_process_parent_process_file_modifier_account_type_id] | If the actor.process.parent_process.file.creator.account.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_account_type_id and actor.process.parent_process.file.creator.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.account.uid | about.user.attribute.labels[actor_process_parent_process_file_modifier_account_uid] | If the actor.process.parent_process.file.creator.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_account_uid and actor.process.parent_process.file.creator.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.credential_uid | about.user.attribute.labels[actor_process_parent_process_file_modifier_credential_uid] | If the actor.process.parent_process.file.creator.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_credential_uid and actor.process.parent_process.file.creator.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.domain | about.user.attribute.labels[actor_process_parent_process_file_modifier_domain] | If the actor.process.parent_process.file.creator.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_domain and actor.process.parent_process.file.creator.domain log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.email_addr | about.user.email_addresses | If the actor.process.parent_process.file.creator.email_addr log field value is not empty then, actor.process.parent_process.file.creator.email_addr log field is mapped to the about.user.email_addresses UDM field. |
| actor.process.parent_process.file.creator.full_name | about.user.user_display_name | If the actor.process.parent_process.file.creator.full_name log field value is not empty then, actor.process.parent_process.file.creator.full_name log field is mapped to the about.user.user_display_name UDM field. |
| actor.process.parent_process.file.creator.groups.desc | about.user.attribute.labels[actor_process_parent_process_file_modifier_groups_%{index}_desc] | Iterate through log field actor.process.parent_process.file.creator.groups, then if the actor.process.parent_process.file.creator.groups.desc log field value is not empty then, actor_process_parent_process_file_creator_groups_%{index}_desc log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.creator.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.groups.domain | about.user.attribute.labels[actor_process_parent_process_file_modifier_groups_%{index}_domain] | Iterate through log field actor.process.parent_process.file.creator.groups, then if the actor.process.parent_process.file.creator.groups.domain log field value is not empty then, actor_process_parent_process_file_creator_groups_%{index}_domain log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.creator.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.groups.name | about.user.group_identifiers | Iterate through log field actor.process.parent_process.file.creator.groups, then if the actor.process.parent_process.file.creator.groups.name log field value is not empty then, actor.process.parent_process.file.creator.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
| actor.process.parent_process.file.creator.groups.privileges | about.user.attribute.labels[actor_process_parent_process_file_modifier_groups_%{index}_privileges_%{index1}] | Iterate through log field actor.process.parent_process.file.creator.groups, then iterate through log field actor.process.parent_process.file.creator.groups.privileges, then if the actor.process.parent_process.file.creator.groups.privileges log field value is not empty then, actor_process_parent_process_file_creator_groups_%{index}_privileges_%{index1} log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.creator.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.groups.type | about.user.attribute.labels[actor_process_parent_process_file_modifier_groups_%{index}_type] | Iterate through log field actor.process.parent_process.file.creator.groups, then if the actor.process.parent_process.file.creator.groups.type log field value is not empty then, actor_process_parent_process_file_creator_groups_%{index}_type log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.creator.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.groups.uid | about.user.attribute.labels[actor_process_parent_process_file_modifier_groups_%{index}_uid] | Iterate through log field actor.process.parent_process.file.creator.groups, then if the actor.process.parent_process.file.creator.groups.uid log field value is not empty then, actor_process_parent_process_file_creator_groups_%{index}_uid log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.creator.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.cost_center | about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_cost_center] | If the actor.process.parent_process.file.creator.ldap_person.cost_center log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_cost_center and actor.process.parent_process.file.creator.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.created_time | about.user.attribute.creation_time | If the actor.process.parent_process.file.creator.ldap_person.created_time log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
| actor.process.parent_process.file.creator.ldap_person.deleted_time | about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_deleted_time] | If the actor.process.parent_process.file.creator.ldap_person.deleted_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_deleted_time and actor.process.parent_process.file.creator.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.email_addrs | about.user.email_addresses | Iterate through log field actor.process.parent_process.file.creator.ldap_person.email_addrs, then if the actor.process.parent_process.file.creator.ldap_person.email_addrs log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
| actor.process.parent_process.file.creator.ldap_person.employee_uid | about.user.employee_id | If the actor.process.parent_process.file.creator.ldap_person.employee_uid log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.employee_uid log field is mapped to the about.user.employee_id UDM field. |
| actor.process.parent_process.file.creator.ldap_person.given_name | about.user.first_name | If the actor.process.parent_process.file.creator.ldap_person.given_name log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
| actor.process.parent_process.file.creator.ldap_person.hire_time | about.user.hire_date | If the actor.process.parent_process.file.creator.ldap_person.hire_time log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
| actor.process.parent_process.file.creator.ldap_person.job_title | about.user.title | If the actor.process.parent_process.file.creator.ldap_person.job_title log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
| actor.process.parent_process.file.creator.ldap_person.labels | about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_label_{index}] | Iterate through log field actor.process.parent_process.file.creator.ldap_person.labels, then if the actor.process.parent_process.file.creator.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_labels_{index} and actor.process.parent_process.file.creator.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.last_login_time | about.user.last_login_time | If the actor.process.parent_process.file.creator.ldap_person.last_login_time log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
| actor.process.parent_process.file.creator.ldap_person.ldap_cn | about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_ldap_cn] | If the actor.process.parent_process.file.creator.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_ldap_cn and actor.process.parent_process.file.creator.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.ldap_dn | about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_ldap_dn] | If the actor.process.parent_process.file.creator.ldap_person.ldap_dn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_ldap_dn and actor.process.parent_process.file.creator.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.leave_time | about.user.termination_date | If the actor.process.parent_process.file.creator.ldap_person.leave_time log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
| actor.process.parent_process.file.creator.ldap_person.modified_time | about.user.attribute.last_update_time | If the actor.process.parent_process.file.creator.ldap_person.modified_time log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
| actor.process.parent_process.file.creator.ldap_person.office_location | about.user.office_address.name | If the actor.process.parent_process.file.creator.ldap_person.office_location log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
| actor.process.parent_process.file.creator.ldap_person.surname | about.user.last_name | If the actor.process.parent_process.file.creator.ldap_person.surname log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
| actor.process.parent_process.file.creator.ldap_person.manager.account.name | about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_account_name] | If the actor.process.parent_process.file.creator.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_manager_account_name and actor.process.parent_process.file.creator.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.manager.account.type | about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_account_type] | If the actor.process.parent_process.file.creator.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_manager_account_type and actor.process.parent_process.file.creator.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.manager.account.type_id | about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_account_type_id] | If the actor.process.parent_process.file.creator.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_manager_account_type_id and actor.process.parent_process.file.creator.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.manager.account.uid | about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_account_uid] | If the actor.process.parent_process.file.creator.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_manager_account_uid and actor.process.parent_process.file.creator.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.manager.credential_uid | about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_credential_uid] | If the actor.process.parent_process.file.creator.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_manager_credential_uid and actor.process.parent_process.file.creator.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.manager.domain | about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_domain] | If the actor.process.parent_process.file.creator.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_manager_domain and actor.process.parent_process.file.creator.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
| actor.process.parent_process.file.creator.ldap_person.manager.email_addr | about.user.managers.email_addresses | If the actor.process.parent_process.file.creator.ldap_person.manager.email_addr log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
| actor.process.parent_process.file.creator.ldap_person.manager.full_name | about.user.managers.user_display_name | If the actor.process.parent_process.file.creator.ldap_person.manager.full_name log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.groups.desc |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.process.parent_process.file.creator.ldap_person.manager.groups, then if the actor.process.parent_process.file.creator.ldap_person.manager.groups.desc log field value is not empty then, actor_process_parent_process_file_creator_ldap_person_manager_group_%{index}_desc log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.creator.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.groups.domain |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.process.parent_process.file.creator.ldap_person.manager.groups, then if the actor.process.parent_process.file.creator.ldap_person.manager.groups.domain log field value is not empty then, actor_process_parent_process_file_creator_ldap_person_manager_group_%{index}_domain log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.creator.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.groups.name |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.process.parent_process.file.creator.ldap_person.manager.groups, then if the actor.process.parent_process.file.creator.ldap_person.manager.groups.name log field value is not empty then, actor_process_parent_process_file_creator_ldap_person_manager_group_%{index}_name log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.creator.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.groups.privileges |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.parent_process.file.creator.ldap_person.manager.groups, then iterate through log field actor.process.parent_process.file.creator.ldap_person.manager.groups.privileges, then if the actor.process.parent_process.file.creator.ldap_person.manager.groups.privileges log field value is not empty then, actor_process_parent_process_file_creator_ldap_person_manager_group_%{index}_privileges_%{index1} log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.creator.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.groups.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.process.parent_process.file.creator.ldap_person.manager.groups, then if the actor.process.parent_process.file.creator.ldap_person.manager.groups.type log field value is not empty then, actor_process_parent_process_file_creator_ldap_person_manager_group_%{index}_type log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.creator.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.groups.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.process.parent_process.file.creator.ldap_person.manager.groups, then if the actor.process.parent_process.file.creator.ldap_person.manager.groups.uid log field value is not empty then, actor_process_parent_process_file_creator_ldap_person_manager_group_%{index}_uid log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.creator.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.name |
about.user.managers.userid |
If the actor.process.parent_process.file.creator.ldap_person.manager.name log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_type] |
If the actor.process.parent_process.file.creator.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_manager_type and actor.process.parent_process.file.creator.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
If the actor.process.parent_process.file.creator.ldap_person.manager.type_id log field value is equal to 1 then, the about.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.process.parent_process.file.creator.ldap_person.manager.type_id log field value is equal to 2 then, the about.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.parent_process.file.creator.ldap_person.manager.type_id log field value is equal to 3 then, the about.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.process.parent_process.file.creator.ldap_person.manager.type_id log field value is equal to 0 then, the about.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the about.user.managers.attribute.roles.name UDM field is set to Other. |
actor.process.parent_process.file.creator.ldap_person.manager.uid |
about.user.managers.product_object_id |
If the actor.process.parent_process.file.creator.ldap_person.manager.uid log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_uid_alt] |
If the actor.process.parent_process.file.creator.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_manager_uid_alt and actor.process.parent_process.file.creator.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.org.name |
about.user.managers.company_name |
If the actor.process.parent_process.file.creator.ldap_person.manager.org.name log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.org.ou_name |
about.user.managers.department |
If the actor.process.parent_process.file.creator.ldap_person.manager.org.ou_name log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_org_ou_uid] |
If the actor.process.parent_process.file.creator.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_manager_org_ou_uid and actor.process.parent_process.file.creator.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_org_uid] |
If the actor.process.parent_process.file.creator.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_manager_org_uid and actor.process.parent_process.file.creator.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.location.city |
about.user.personal_address.city |
If the actor.process.parent_process.file.creator.ldap_person.location.city log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
actor.process.parent_process.file.creator.ldap_person.location.continent |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_location_continent] |
If the actor.process.parent_process.file.creator.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_location_continent and actor.process.parent_process.file.creator.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.latitude & longitude |
Iterate through log field actor.process.parent_process.file.creator.ldap_person.location.coordinates, then if the index value is equal to 0 then, actor.process.parent_process.file.creator.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, actor.process.parent_process.file.creator.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.latitude UDM field. |
actor.process.parent_process.file.creator.ldap_person.location.country |
about.user.office_address.country_or_region |
If the actor.process.parent_process.file.creator.ldap_person.location.country log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
actor.process.parent_process.file.creator.ldap_person.location.desc |
about.user.office_address.name |
If the actor.process.parent_process.file.creator.ldap_person.location.desc log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
actor.process.parent_process.file.creator.ldap_person.location.is_on_premises |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_location_is_on_premises] |
If the actor.process.parent_process.file.creator.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_location_is_on_premises and actor.process.parent_process.file.creator.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.location.isp |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_location_isp] |
If the actor.process.parent_process.file.creator.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_location_isp and actor.process.parent_process.file.creator.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.location.postal_code |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_location_postal_code] |
If the actor.process.parent_process.file.creator.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_location_postal_code and actor.process.parent_process.file.creator.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.location.provider |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_location_provider] |
If the actor.process.parent_process.file.creator.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_ldap_person_location_provider and actor.process.parent_process.file.creator.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.creator.ldap_person.location.region |
about.user.office_address.state |
If the actor.process.parent_process.file.creator.ldap_person.location.region log field value is not empty then, actor.process.parent_process.file.creator.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
actor.process.parent_process.file.creator.name |
about.user.userid |
If the actor.process.parent_process.file.creator.name log field value is not empty then, actor.process.parent_process.file.creator.name log field is mapped to the about.user.userid UDM field. |
actor.process.parent_process.file.creator.org.name |
about.user.company_name |
If the actor.process.parent_process.file.creator.org.name log field value is not empty then, actor.process.parent_process.file.creator.org.name log field is mapped to the about.user.company_name UDM field. |
actor.process.parent_process.file.creator.org.ou_name |
about.user.department |
If the actor.process.parent_process.file.creator.org.ou_name log field value is not empty then, actor.process.parent_process.file.creator.org.ou_name log field is mapped to the about.user.department UDM field. |
actor.process.parent_process.file.creator.org.ou_uid |
about.user.attribute.labels[actor_process_parent_process_file_modifier_org_ou_uid] |
If the actor.process.parent_process.file.creator.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_org_ou_uid and actor.process.parent_process.file.creator.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.creator.org.uid |
about.user.attribute.labels[actor_process_parent_process_file_modifier_org_uid] |
If the actor.process.parent_process.file.creator.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_org_uid and actor.process.parent_process.file.creator.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.creator.type |
about.user.attribute.labels[actor_process_parent_process_file_modifier_type] |
If the actor.process.parent_process.file.creator.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_type and actor.process.parent_process.file.creator.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.creator.type_id |
about.user.attribute.labels[actor_process_parent_process_file_modifier_type_id] |
If the actor.process.parent_process.file.creator.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_type_id and actor.process.parent_process.file.creator.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.creator.uid |
about.user.product_object_id |
If the actor.process.parent_process.file.creator.uid log field value is not empty then, actor.process.parent_process.file.creator.uid log field is mapped to the about.user.product_object_id UDM field. |
actor.process.parent_process.file.creator.uid_alt |
about.user.attribute.labels[actor_process_parent_process_file_modifier_uid_alt] |
If the actor.process.parent_process.file.creator.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_creator_uid_alt and actor.process.parent_process.file.creator.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.desc |
additional.fields[actor_process_parent_process_file_desc] |
If the actor.process.parent_process.file.desc log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_desc and actor.process.parent_process.file.desc log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.hashes.algorithm |
additional.fields[actor_process_parent_process_file_hashes_{index}_algorithm] |
Iterate through log field actor.process.parent_process.file.hashes, then if the actor.process.parent_process.file.hashes.algorithm log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_hashes_{index}_algorithm and actor.process.parent_process.file.hashes.algorithm log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.hashes.value |
principal.process.parent_process.file.md5 |
Iterate through log field actor.process.parent_process.file.hashes, then if the index value is equal to 0 and if the actor.process.parent_process.file.hashes.algorithm_id log field value is not empty and if the actor.process.parent_process.file.hashes.algorithm_id log field value is equal to 1 then, actor.process.parent_process.file.hashes.value log field is mapped to the principal.process.parent_process.file.md5 UDM field. Else, if actor.process.parent_process.file.hashes.algorithm_id log field value is equal to 2 then, actor.process.parent_process.file.hashes.value log field is mapped to the principal.process.parent_process.file.sha1 UDM field. Else, if actor.process.parent_process.file.hashes.algorithm_id log field value is equal to 3 then, actor.process.parent_process.file.hashes.value log field is mapped to the principal.process.parent_process.file.sha256 UDM field. Else, the additional.fields.key UDM field is set to actor_process_parent_process_file_hash_{index}value and actor.process.parent_process.file.hashes.value log field is mapped to the additional.fields UDM field. Else, the additional.fields.key UDM field is set to actor_process_parent_process_file_hash{index}_value and actor.process.parent_process.file.hashes.value log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.is_system |
additional.fields[actor_process_parent_process_file_is_system] |
If the actor.process.parent_process.file.is_system log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_is_system and actor.process.parent_process.file.is_system log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
actor.process.parent_process.file.modifier.account.name |
about.user.attribute.labels[actor_process_parent_process_file_modifier_account_name] |
If the actor.process.parent_process.file.modifier.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_account_name and actor.process.parent_process.file.modifier.account.name log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.account.type |
about.user.attribute.labels[actor_process_parent_process_file_modifier_account_type] |
If the actor.process.parent_process.file.modifier.account.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_account_type and actor.process.parent_process.file.modifier.account.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.account.type_id |
about.user.attribute.labels[actor_process_parent_process_file_modifier_account_type_id] |
If the actor.process.parent_process.file.modifier.account.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_account_type_id and actor.process.parent_process.file.modifier.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.account.uid |
about.user.attribute.labels[actor_process_parent_process_file_modifier_account_uid] |
If the actor.process.parent_process.file.modifier.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_account_uid and actor.process.parent_process.file.modifier.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.credential_uid |
about.user.attribute.labels[actor_process_parent_process_file_modifier_credential_uid] |
If the actor.process.parent_process.file.modifier.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_credential_uid and actor.process.parent_process.file.modifier.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.domain |
about.user.attribute.labels[actor_process_parent_process_file_modifier_domain] |
If the actor.process.parent_process.file.modifier.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_domain and actor.process.parent_process.file.modifier.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.email_addr |
about.user.email_addresses |
If the actor.process.parent_process.file.modifier.email_addr log field value is not empty then, actor.process.parent_process.file.modifier.email_addr log field is mapped to the about.user.email_addresses UDM field. |
actor.process.parent_process.file.modifier.full_name |
about.user.user_display_name |
If the actor.process.parent_process.file.modifier.full_name log field value is not empty then, actor.process.parent_process.file.modifier.full_name log field is mapped to the about.user.user_display_name UDM field. |
actor.process.parent_process.file.modifier.groups.desc |
about.user.attribute.labels[actor_process_parent_process_file_modifier_groups_%{index}_desc] |
Iterate through log field actor.process.parent_process.file.modifier.groups, then if the actor.process.parent_process.file.modifier.groups.desc log field value is not empty then, actor_process_parent_process_file_modifier_groups_%{index}_desc log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.groups.domain |
about.user.attribute.labels[actor_process_parent_process_file_modifier_groups_%{index}_domain] |
Iterate through log field actor.process.parent_process.file.modifier.groups, then if the actor.process.parent_process.file.modifier.groups.domain log field value is not empty then, actor_process_parent_process_file_modifier_groups_%{index}_domain log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.groups.name |
about.user.group_identifiers |
Iterate through log field actor.process.parent_process.file.modifier.groups, then if the actor.process.parent_process.file.modifier.groups.name log field value is not empty then, actor.process.parent_process.file.modifier.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
actor.process.parent_process.file.modifier.groups.privileges |
about.user.attribute.labels[actor_process_parent_process_file_modifier_groups_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.parent_process.file.modifier.groups, then iterate through log field actor.process.parent_process.file.modifier.groups.privileges, then if the actor.process.parent_process.file.modifier.groups.privileges log field value is not empty then, actor_process_parent_process_file_modifier_groups_%{index}_privileges_%{index1} log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.groups.type |
about.user.attribute.labels[actor_process_parent_process_file_modifier_groups_%{index}_type] |
Iterate through log field actor.process.parent_process.file.modifier.groups, then if the actor.process.parent_process.file.modifier.groups.type log field value is not empty then, actor_process_parent_process_file_modifier_groups_%{index}_type log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.groups.uid |
about.user.attribute.labels[actor_process_parent_process_file_modifier_groups_%{index}_uid] |
Iterate through log field actor.process.parent_process.file.modifier.groups, then if the actor.process.parent_process.file.modifier.groups.uid log field value is not empty then, actor_process_parent_process_file_modifier_groups_%{index}_uid log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.cost_center |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_cost_center] |
If the actor.process.parent_process.file.modifier.ldap_person.cost_center log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_cost_center and actor.process.parent_process.file.modifier.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.created_time |
about.user.attribute.creation_time |
If the actor.process.parent_process.file.modifier.ldap_person.created_time log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
actor.process.parent_process.file.modifier.ldap_person.deleted_time |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_deleted_time] |
If the actor.process.parent_process.file.modifier.ldap_person.deleted_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_deleted_time and actor.process.parent_process.file.modifier.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field actor.process.parent_process.file.modifier.ldap_person.email_addrs, then if the actor.process.parent_process.file.modifier.ldap_person.email_addrs log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
actor.process.parent_process.file.modifier.ldap_person.employee_uid |
about.user.employee_id |
If the actor.process.parent_process.file.modifier.ldap_person.employee_id log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.employee_id log field is mapped to the about.user.employee_id UDM field. |
actor.process.parent_process.file.modifier.ldap_person.given_name |
about.user.first_name |
If the actor.process.parent_process.file.modifier.ldap_person.given_name log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
actor.process.parent_process.file.modifier.ldap_person.hire_time |
about.user.hire_date |
If the actor.process.parent_process.file.modifier.ldap_person.hire_time log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
actor.process.parent_process.file.modifier.ldap_person.job_title |
about.user.title |
If the actor.process.parent_process.file.modifier.ldap_person.job_title log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
actor.process.parent_process.file.modifier.ldap_person.labels |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_label_{index}] |
Iterate through log field actor.process.parent_process.file.modifier.ldap_person.labels, then if the actor.process.parent_process.file.modifier.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_labels_{index} and actor.process.parent_process.file.modifier.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.last_login_time |
about.user.last_login_time |
If the actor.process.parent_process.file.modifier.ldap_person.last_login_time log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
actor.process.parent_process.file.modifier.ldap_person.ldap_cn |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_ldap_cn] |
If the actor.process.parent_process.file.modifier.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_ldap_cn and actor.process.parent_process.file.modifier.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.ldap_dn |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_ldap_dn] |
If the actor.process.parent_process.file.modifier.ldap_person.ldap_dn log field value is not equal to then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_ldap_dn and actor.process.parent_process.file.modifier.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.leave_time |
about.user.termination_date |
If the actor.process.parent_process.file.modifier.ldap_person.leave_time log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
actor.process.parent_process.file.modifier.ldap_person.modified_time |
about.user.attribute.last_update_time |
If the actor.process.parent_process.file.modifier.ldap_person.modified_time log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
actor.process.parent_process.file.modifier.ldap_person.office_location |
about.user.office_address.name |
If the actor.process.parent_process.file.modifier.ldap_person.office_location log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
actor.process.parent_process.file.modifier.ldap_person.surname |
about.user.last_name |
If the actor.process.parent_process.file.modifier.ldap_person.surname log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.account.name |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_account_name] |
If the actor.process.parent_process.file.modifier.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_manager_account_name and actor.process.parent_process.file.modifier.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.account.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_account_type] |
If the actor.process.parent_process.file.modifier.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_manager_account_type and actor.process.parent_process.file.modifier.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.account.type_id |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_account_type_id] |
If the actor.process.parent_process.file.modifier.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_manager_account_type_id and actor.process.parent_process.file.modifier.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.account.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_account_uid] |
If the actor.process.parent_process.file.modifier.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_manager_account_uid and actor.process.parent_process.file.modifier.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.credential_uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_credential_uid] |
If the actor.process.parent_process.file.modifier.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_manager_credential_uid and actor.process.parent_process.file.modifier.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.domain |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_domain] |
If the actor.process.parent_process.file.modifier.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_manager_domain and actor.process.parent_process.file.modifier.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.email_addr |
about.user.managers.email_addresses |
If the actor.process.parent_process.file.modifier.ldap_person.manager.email_addr log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.full_name |
about.user.managers.user_display_name |
If the actor.process.parent_process.file.modifier.ldap_person.manager.full_name log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.groups.desc |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.process.parent_process.file.modifier.ldap_person.manager.groups, then if the actor.process.parent_process.file.modifier.ldap_person.manager.groups.desc log field value is not empty then, actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_desc log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.groups.domain |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.process.parent_process.file.modifier.ldap_person.manager.groups, then if the actor.process.parent_process.file.modifier.ldap_person.manager.groups.domain log field value is not empty then, actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_domain log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.groups.name |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.process.parent_process.file.modifier.ldap_person.manager.groups, then if the actor.process.parent_process.file.modifier.ldap_person.manager.groups.name log field value is not empty then, actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_name log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.groups.privileges |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.parent_process.file.modifier.ldap_person.manager.groups, then iterate through log field actor.process.parent_process.file.modifier.ldap_person.manager.groups.privileges, then if the actor.process.parent_process.file.modifier.ldap_person.manager.groups.privileges log field value is not empty then, actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_privileges_%{index1} log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.groups.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.process.parent_process.file.modifier.ldap_person.manager.groups, then if the actor.process.parent_process.file.modifier.ldap_person.manager.groups.type log field value is not empty then, actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_type log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.groups.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.process.parent_process.file.modifier.ldap_person.manager.groups, then if the actor.process.parent_process.file.modifier.ldap_person.manager.groups.uid log field value is not empty then, actor_process_parent_process_file_modifier_ldap_person_manager_group_%{index}_uid log field is mapped to the about.user.managers.attribute.labels.key UDM field and actor.process.parent_process.file.modifier.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.name |
about.user.managers.userid |
If the actor.process.parent_process.file.modifier.ldap_person.manager.name log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_type] |
If the actor.process.parent_process.file.modifier.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_manager_type and actor.process.parent_process.file.modifier.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
If the actor.process.parent_process.file.modifier.ldap_person.manager.type_id log field value is equal to 1 then, the about.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.process.parent_process.file.modifier.ldap_person.manager.type_id log field value is equal to 2 then, the about.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.parent_process.file.modifier.ldap_person.manager.type_id log field value is equal to 3 then, the about.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.process.parent_process.file.modifier.ldap_person.manager.type_id log field value is equal to 0 then, the about.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the about.user.managers.attribute.roles.name UDM field is set to Other. |
actor.process.parent_process.file.modifier.ldap_person.manager.uid |
about.user.managers.product_object_id |
If the actor.process.parent_process.file.modifier.ldap_person.manager.uid log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_uid_alt] |
If the actor.process.parent_process.file.modifier.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_manager_uid_alt and actor.process.parent_process.file.modifier.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.org.name |
about.user.managers.company_name |
If the actor.process.parent_process.file.modifier.ldap_person.manager.org.name log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.org.ou_name |
about.user.managers.department |
If the actor.process.parent_process.file.modifier.ldap_person.manager.org.ou_name log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_org_ou_uid] |
If the actor.process.parent_process.file.modifier.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_manager_org_ou_uid and actor.process.parent_process.file.modifier.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_manager_org_uid] |
If the actor.process.parent_process.file.modifier.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_manager_org_uid and actor.process.parent_process.file.modifier.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.location.city |
about.user.personal_address.city |
If the actor.process.parent_process.file.modifier.ldap_person.location.city log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
actor.process.parent_process.file.modifier.ldap_person.location.continent |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_location_continent] |
If the actor.process.parent_process.file.modifier.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_location_continent and actor.process.parent_process.file.modifier.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.latitude & longitude |
Iterate through log field actor.process.parent_process.file.modifier.ldap_person.location.coordinates, then if the index value is equal to 0 then, actor.process.parent_process.file.modifier.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, actor.process.parent_process.file.modifier.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.latitude UDM field. |
actor.process.parent_process.file.modifier.ldap_person.location.country |
about.user.office_address.country_or_region |
If the actor.process.parent_process.file.modifier.ldap_person.location.country log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
actor.process.parent_process.file.modifier.ldap_person.location.desc |
about.user.office_address.name |
If the actor.process.parent_process.file.modifier.ldap_person.location.desc log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
actor.process.parent_process.file.modifier.ldap_person.location.is_on_premises |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_location_is_on_premises] |
If the actor.process.parent_process.file.modifier.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_location_is_on_premises and actor.process.parent_process.file.modifier.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.location.isp |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_location_isp] |
If the actor.process.parent_process.file.modifier.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_location_isp and actor.process.parent_process.file.modifier.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.location.postal_code |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_location_postal_code] |
If the actor.process.parent_process.file.modifier.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_location_postal_code and actor.process.parent_process.file.modifier.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.location.provider |
about.user.attribute.labels[actor_process_parent_process_file_modifier_ldap_person_location_provider] |
If the actor.process.parent_process.file.modifier.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_ldap_person_location_provider and actor.process.parent_process.file.modifier.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.ldap_person.location.region |
about.user.office_address.state |
If the actor.process.parent_process.file.modifier.ldap_person.location.region log field value is not empty then, actor.process.parent_process.file.modifier.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
actor.process.parent_process.file.modifier.name |
about.user.userid |
If the actor.process.parent_process.file.modifier.name log field value is not empty then, actor.process.parent_process.file.modifier.name log field is mapped to the about.user.userid UDM field. |
actor.process.parent_process.file.modifier.org.name |
about.user.company_name |
If the actor.process.parent_process.file.modifier.org.name log field value is not empty then, actor.process.parent_process.file.modifier.org.name log field is mapped to the about.user.company_name UDM field. |
actor.process.parent_process.file.modifier.org.ou_name |
about.user.department |
If the actor.process.parent_process.file.modifier.org.ou_name log field value is not empty then, actor.process.parent_process.file.modifier.org.ou_name log field is mapped to the about.user.department UDM field. |
actor.process.parent_process.file.modifier.org.ou_uid |
about.user.attribute.labels[actor_process_parent_process_file_modifier_org_ou_uid] |
If the actor.process.parent_process.file.modifier.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_org_ou_uid and actor.process.parent_process.file.modifier.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.org.uid |
about.user.attribute.labels[actor_process_parent_process_file_modifier_org_uid] |
If the actor.process.parent_process.file.modifier.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_org_uid and actor.process.parent_process.file.modifier.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.type |
about.user.attribute.labels[actor_process_parent_process_file_modifier_type] |
If the actor.process.parent_process.file.modifier.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_type and actor.process.parent_process.file.modifier.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.type_id |
about.user.attribute.labels[actor_process_parent_process_file_modifier_type_id] |
If the actor.process.parent_process.file.modifier.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_type_id and actor.process.parent_process.file.modifier.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.modifier.uid |
about.user.product_object_id |
If the actor.process.parent_process.file.modifier.uid log field value is not empty then, actor.process.parent_process.file.modifier.uid log field is mapped to the about.user.product_object_id UDM field. |
actor.process.parent_process.file.modifier.uid_alt |
about.user.attribute.labels[actor_process_parent_process_file_modifier_uid_alt] |
If the actor.process.parent_process.file.modifier.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_modifier_uid_alt and actor.process.parent_process.file.modifier.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
actor.process.parent_process.file.owner.account.name |
about.user.attribute.labels[actor_process_parent_process_file_owner_account_name] |
If the actor.process.parent_process.file.owner.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_account_name and actor.process.parent_process.file.owner.account.name log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.account.type |
about.user.attribute.labels[actor_process_parent_process_file_owner_account_type] |
If the actor.process.parent_process.file.owner.account.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_account_type and actor.process.parent_process.file.owner.account.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.account.type_id |
about.user.attribute.labels[actor_process_parent_process_file_owner_account_type_id] |
If the actor.process.parent_process.file.owner.account.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_account_type_id and actor.process.parent_process.file.owner.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.account.uid |
about.user.attribute.labels[actor_process_parent_process_file_owner_account_uid] |
If the actor.process.parent_process.file.owner.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_account_uid and actor.process.parent_process.file.owner.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.credential_uid |
about.user.attribute.labels[actor_process_parent_process_file_owner_credential_uid] |
If the actor.process.parent_process.file.owner.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_credential_uid and actor.process.parent_process.file.owner.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.domain |
about.user.attribute.labels[actor_process_parent_process_file_owner_domain] |
If the actor.process.parent_process.file.owner.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_domain and actor.process.parent_process.file.owner.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.email_addr |
about.user.email_addresses |
If the actor.process.parent_process.file.owner.email_addr log field value is not empty then, actor.process.parent_process.file.owner.email_addr log field is mapped to the about.user.email_addresses UDM field. |
actor.process.parent_process.file.owner.full_name |
about.user.user_display_name |
If the actor.process.parent_process.file.owner.full_name log field value is not empty then, actor.process.parent_process.file.owner.full_name log field is mapped to the about.user.user_display_name UDM field. |
actor.process.parent_process.file.owner.groups.desc |
about.user.attribute.labels[actor_process_parent_process_file_owner_groups_%{index}_desc] |
Iterate through log field actor.process.parent_process.file.owner.groups, then if the actor.process.parent_process.file.owner.groups.desc log field value is not empty then, actor_process_parent_process_file_owner_groups_%{index}_desc log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.owner.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.groups.domain |
about.user.attribute.labels[actor_process_parent_process_file_owner_groups_%{index}_domain] |
Iterate through log field actor.process.parent_process.file.owner.groups, then if the actor.process.parent_process.file.owner.groups.domain log field value is not equal to then, actor_process_parent_process_file_owner_groups_%{index}_domain log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.owner.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.groups.name |
about.user.group_identifiers |
Iterate through log field actor.process.parent_process.file.owner.groups, then if the actor.process.parent_process.file.owner.groups.name log field value is not empty then, actor.process.parent_process.file.owner.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
actor.process.parent_process.file.owner.groups.privileges |
about.user.attribute.labels[actor_process_parent_process_file_owner_groups_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.parent_process.file.owner.groups, then iterate through log field actor.process.parent_process.file.owner.groups.privileges, then if the actor.process.parent_process.file.owner.groups.privileges log field value is not empty then, actor_process_parent_process_file_owner_groups_%{index}_privileges_%{index1} log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.file.owner.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.groups.type |
about.user.attribute.labels[actor_process_parent_process_file_owner_groups_%{index}_type] |
Iterate through log field actor.process.parent_process.file.owner.groups, then if the actor.process.parent_process.file.owner.groups.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_groups_%{index}_type and actor.process.parent_process.file.owner.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.groups.uid |
about.user.attribute.labels[actor_process_parent_process_file_owner_groups_%{index}_uid] |
Iterate through log field actor.process.parent_process.file.owner.groups, then if the actor.process.parent_process.file.owner.groups.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_groups_%{index}_uid and actor.process.parent_process.file.owner.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.cost_center |
about.user.attribute.labels[actor_process_parent_process_file_owner_ldap_person_cost_center] |
If the actor.process.parent_process.file.owner.ldap_person.cost_center log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_cost_center and actor.process.parent_process.file.owner.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.created_time |
about.user.attribute.creation_time |
If the actor.process.parent_process.file.owner.ldap_person.created_time log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
actor.process.parent_process.file.owner.ldap_person.deleted_time |
about.user.attribute.labels[actor_process_parent_process_file_owner_ldap_person_deleted_time] |
If the actor.process.parent_process.file.owner.ldap_person.deleted_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_deleted_time and actor.process.parent_process.file.owner.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field actor.process.parent_process.file.owner.ldap_person.email_addrs, then if the actor.process.parent_process.file.owner.ldap_person.email_addrs log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
actor.process.parent_process.file.owner.ldap_person.employee_uid |
about.user.employee_id |
If the actor.process.parent_process.file.owner.ldap_person.employee_uid log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.employee_uid log field is mapped to the about.user.employee_id UDM field. |
actor.process.parent_process.file.owner.ldap_person.given_name |
about.user.first_name |
If the actor.process.parent_process.file.owner.ldap_person.given_name log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
actor.process.parent_process.file.owner.ldap_person.hire_time |
about.user.hire_date |
If the actor.process.parent_process.file.owner.ldap_person.hire_time log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
actor.process.parent_process.file.owner.ldap_person.job_title |
about.user.title |
If the actor.process.parent_process.file.owner.ldap_person.job_title log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
actor.process.parent_process.file.owner.ldap_person.labels |
about.user.attribute.labels[actor_process_parent_process_file_owner_ldap_person_label_{index}] |
Iterate through log field actor.process.parent_process.file.owner.ldap_person.labels, then if the actor.process.parent_process.file.owner.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_labels_{index} and actor.process.parent_process.file.owner.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.last_login_time |
about.user.last_login_time |
If the actor.process.parent_process.file.owner.ldap_person.last_login_time log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
actor.process.parent_process.file.owner.ldap_person.ldap_cn |
about.user.attribute.labels[actor_process_parent_process_file_owner_ldap_person_ldap_cn] |
If the actor.process.parent_process.file.owner.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_ldap_cn and actor.process.parent_process.file.owner.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.ldap_dn |
about.user.attribute.labels[actor_process_parent_process_file_owner_ldap_person_ldap_dn] |
If the actor.process.parent_process.file.owner.ldap_person.ldap_dn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_ldap_dn and actor.process.parent_process.file.owner.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.leave_time |
about.user.termination_date |
If the actor.process.parent_process.file.owner.ldap_person.leave_time log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
actor.process.parent_process.file.owner.ldap_person.modified_time |
about.user.attribute.last_update_time |
If the actor.process.parent_process.file.owner.ldap_person.modified_time log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
actor.process.parent_process.file.owner.ldap_person.office_location |
about.user.office_address.name |
If the actor.process.parent_process.file.owner.ldap_person.office_location log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
actor.process.parent_process.file.owner.ldap_person.surname |
about.user.last_name |
If the actor.process.parent_process.file.owner.ldap_person.surname log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.account.name |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_account_name] |
If the actor.process.parent_process.file.owner.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_account_name and actor.process.parent_process.file.owner.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.account.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_account_type] |
If the actor.process.parent_process.file.owner.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_account_type and actor.process.parent_process.file.owner.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.account.type_id |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_account_type_id] |
If the actor.process.parent_process.file.owner.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_account_type_id and actor.process.parent_process.file.owner.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.account.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_account_uid] |
If the actor.process.parent_process.file.owner.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_account_uid and actor.process.parent_process.file.owner.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.credential_uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_credential_uid] |
If the actor.process.parent_process.file.owner.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_credential_uid and actor.process.parent_process.file.owner.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.domain |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_domain] |
If the actor.process.parent_process.file.owner.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_domain and actor.process.parent_process.file.owner.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.email_addr |
about.user.managers.email_addresses |
If the actor.process.parent_process.file.owner.ldap_person.manager.email_addr log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.full_name |
about.user.managers.user_display_name |
If the actor.process.parent_process.file.owner.ldap_person.manager.full_name log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.groups.desc |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.process.parent_process.file.owner.ldap_person.manager.groups, then if the actor.process.parent_process.file.owner.ldap_person.manager.groups.desc log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_desc and actor.process.parent_process.file.owner.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.groups.domain |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.process.parent_process.file.owner.ldap_person.manager.groups, then if the actor.process.parent_process.file.owner.ldap_person.manager.groups.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_domain and actor.process.parent_process.file.owner.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.groups.name |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.process.parent_process.file.owner.ldap_person.manager.groups, then if the actor.process.parent_process.file.owner.ldap_person.manager.groups.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_name and actor.process.parent_process.file.owner.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.groups.privileges |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.parent_process.file.owner.ldap_person.manager.groups, then iterate through log field actor.process.parent_process.file.owner.ldap_person.manager.groups.privileges, then if the actor.process.parent_process.file.owner.ldap_person.manager.groups.privileges log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_privileges_%{index1} and actor.process.parent_process.file.owner.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.groups.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.process.parent_process.file.owner.ldap_person.manager.groups, then if the actor.process.parent_process.file.owner.ldap_person.manager.groups.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_type and actor.process.parent_process.file.owner.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.groups.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.process.parent_process.file.owner.ldap_person.manager.groups, then if the actor.process.parent_process.file.owner.ldap_person.manager.groups.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_group_%{index}_uid and actor.process.parent_process.file.owner.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.name |
about.user.managers.userid |
If the actor.process.parent_process.file.owner.ldap_person.manager.name log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.type |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_type] |
If the actor.process.parent_process.file.owner.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_type and actor.process.parent_process.file.owner.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
If the actor.process.parent_process.file.owner.ldap_person.manager.type_id log field value is equal to 1 then, the about.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.process.parent_process.file.owner.ldap_person.manager.type_id log field value is equal to 2 then, the about.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.parent_process.file.owner.ldap_person.manager.type_id log field value is equal to 3 then, the about.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.process.parent_process.file.owner.ldap_person.manager.type_id log field value is equal to 0 then, the about.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the about.user.managers.attribute.roles.name UDM field is set to Other. |
actor.process.parent_process.file.owner.ldap_person.manager.uid |
about.user.managers.product_object_id |
If the actor.process.parent_process.file.owner.ldap_person.manager.uid log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_uid_alt] |
If the actor.process.parent_process.file.owner.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_uid_alt and actor.process.parent_process.file.owner.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.org.name |
about.user.managers.company_name |
If the actor.process.parent_process.file.owner.ldap_person.manager.org.name log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.org.ou_name |
about.user.managers.department |
If the actor.process.parent_process.file.owner.ldap_person.manager.org.ou_name log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_org_ou_uid] |
If the actor.process.parent_process.file.owner.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_org_ou_uid and actor.process.parent_process.file.owner.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[actor_process_parent_process_file_owner_ldap_person_manager_org_uid] |
If the actor.process.parent_process.file.owner.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_manager_org_uid and actor.process.parent_process.file.owner.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.location.city |
about.user.personal_address.city |
If the actor.process.parent_process.file.owner.ldap_person.location.city log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
actor.process.parent_process.file.owner.ldap_person.location.continent |
about.user.attribute.labels[actor_process_parent_process_file_owner_ldap_person_location_continent] |
If the actor.process.parent_process.file.owner.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_location_continent and actor.process.parent_process.file.owner.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.latitude & longitude |
Iterate through log field actor.process.parent_process.file.owner.ldap_person.location.coordinates, then if the index value is equal to 0 then, actor.process.parent_process.file.owner.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, actor.process.parent_process.file.owner.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.latitude UDM field. |
actor.process.parent_process.file.owner.ldap_person.location.country |
about.user.office_address.country_or_region |
If the actor.process.parent_process.file.owner.ldap_person.location.country log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
actor.process.parent_process.file.owner.ldap_person.location.desc |
about.user.office_address.name |
If the actor.process.parent_process.file.owner.ldap_person.location.desc log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
actor.process.parent_process.file.owner.ldap_person.location.is_on_premises |
about.user.attribute.labels[actor_process_parent_process_file_owner_ldap_person_location_is_on_premises] |
If the actor.process.parent_process.file.owner.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_location_is_on_premises and actor.process.parent_process.file.owner.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.location.isp |
about.user.attribute.labels[actor_process_parent_process_file_owner_ldap_person_location_isp] |
If the actor.process.parent_process.file.owner.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_location_isp and actor.process.parent_process.file.owner.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.location.postal_code |
about.user.attribute.labels[actor_process_parent_process_file_owner_ldap_person_location_postal_code] |
If the actor.process.parent_process.file.owner.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_location_postal_code and actor.process.parent_process.file.owner.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.location.provider |
about.user.attribute.labels[actor_process_parent_process_file_owner_ldap_person_location_provider] |
If the actor.process.parent_process.file.owner.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_ldap_person_location_provider and actor.process.parent_process.file.owner.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.ldap_person.location.region |
about.user.office_address.state |
If the actor.process.parent_process.file.owner.ldap_person.location.region log field value is not empty then, actor.process.parent_process.file.owner.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
actor.process.parent_process.file.owner.name |
about.user.userid |
If the actor.process.parent_process.file.owner.name log field value is not empty then, actor.process.parent_process.file.owner.name log field is mapped to the about.user.userid UDM field. |
actor.process.parent_process.file.owner.org.name |
about.user.company_name |
If the actor.process.parent_process.file.owner.org.name log field value is not empty then, actor.process.parent_process.file.owner.org.name log field is mapped to the about.user.company_name UDM field. |
actor.process.parent_process.file.owner.org.ou_name |
about.user.department |
If the actor.process.parent_process.file.owner.org.ou_name log field value is not empty then, actor.process.parent_process.file.owner.org.ou_name log field is mapped to the about.user.department UDM field. |
actor.process.parent_process.file.owner.org.ou_uid |
about.user.attribute.labels[actor_process_parent_process_file_owner_org_ou_uid] |
If the actor.process.parent_process.file.owner.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_org_ou_uid and actor.process.parent_process.file.owner.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.org.uid |
about.user.attribute.labels[actor_process_parent_process_file_owner_org_uid] |
If the actor.process.parent_process.file.owner.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_org_uid and actor.process.parent_process.file.owner.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.type |
about.user.attribute.labels[actor_process_parent_process_file_owner_type] |
If the actor.process.parent_process.file.owner.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_type and actor.process.parent_process.file.owner.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.type_id |
about.user.attribute.labels[actor_process_parent_process_file_owner_type_id] |
If the actor.process.parent_process.file.owner.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_type_id and actor.process.parent_process.file.owner.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.owner.uid |
about.user.product_object_id |
If the actor.process.parent_process.file.owner.uid log field value is not empty then, actor.process.parent_process.file.owner.uid log field is mapped to the about.user.product_object_id UDM field. |
actor.process.parent_process.file.owner.uid_alt |
about.user.attribute.labels[actor_process_parent_process_file_owner_uid_alt] |
If the actor.process.parent_process.file.owner.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_file_owner_uid_alt and actor.process.parent_process.file.owner.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.file.parent_folder |
additional.fields[actor_process_parent_process_file_parent_folder] |
If the actor.process.parent_process.file.parent_folder log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_parent_folder and actor.process.parent_process.file.parent_folder log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
actor.process.parent_process.file.product.cpe_name |
additional.fields[actor_process_parent_process_file_product_cpe_name] |
If the actor.process.parent_process.file.product.cpe_name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_cpe_name and actor.process.parent_process.file.product.cpe_name log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.product.feature.name |
additional.fields[actor_process_parent_process_file_product_feature_name] |
If the actor.process.parent_process.file.product.feature.name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_feature_name and actor.process.parent_process.file.product.feature.name log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.product.feature.uid |
additional.fields[actor_process_parent_process_file_product_feature_uid] |
If the actor.process.parent_process.file.product.feature.uid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_feature_uid and actor.process.parent_process.file.product.feature.uid log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.product.feature.version |
additional.fields[actor_process_parent_process_file_product_feature_version] |
If the actor.process.parent_process.file.product.feature.version log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_feature_version and actor.process.parent_process.file.product.feature.version log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.product.lang |
additional.fields[actor_process_parent_process_file_product_lang] |
If the actor.process.parent_process.file.product.lang log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_lang and actor.process.parent_process.file.product.lang log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.product.name |
additional.fields[actor_process_parent_process_file_product_name] |
If the actor.process.parent_process.file.product.name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_name and actor.process.parent_process.file.product.name log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.product.path |
additional.fields[actor_process_parent_process_file_product_path] |
If the actor.process.parent_process.file.product.path log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_path and actor.process.parent_process.file.product.path log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.product.uid |
additional.fields[actor_process_parent_process_file_product_uid] |
If the actor.process.parent_process.file.product.uid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_uid and actor.process.parent_process.file.product.uid log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.product.uid_string |
additional.fields[actor_process_parent_process_file_product_uid_string] |
If the actor.process.parent_process.file.product.uid_string log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_uid_string and actor.process.parent_process.file.product.uid_string log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.product.vendor_name |
additional.fields[actor_process_parent_process_file_product_vendor_name] |
If the actor.process.parent_process.file.product.vendor_name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_vendor_name and actor.process.parent_process.file.product.vendor_name log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.product.version |
additional.fields[actor_process_parent_process_file_product_version] |
If the actor.process.parent_process.file.product.version log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_product_version and actor.process.parent_process.file.product.version log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.security_descriptor |
additional.fields[actor_process_parent_process_file_security_descriptor] |
If the actor.process.parent_process.file.security_descriptor log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_security_descriptor and actor.process.parent_process.file.security_descriptor log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.signature.algorithm |
additional.fields[actor_process_parent_process_file_signature_algorithm] |
If the actor.process.parent_process.file.signature.algorithm log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_signature_algorithm and actor.process.parent_process.file.signature.algorithm log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.signature.algorithm_id |
additional.fields[actor_process_parent_process_file_signature_algorithm_id] |
If the actor.process.parent_process.file.signature.algorithm_id log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_signature_algorithm_id and actor.process.parent_process.file.signature.algorithm_id log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.signature.certificate.created_time |
additional.fields[actor_process_parent_process_file_signature_certificate_created_time] |
If the actor.process.parent_process.file.signature.certificate.created_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_signature_certificate_created_time and actor.process.parent_process.file.signature.certificate.created_time log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.signature.certificate.expiration_time |
additional.fields[actor_process_parent_process_file_signature_certificate_expiration_time] |
If the actor.process.parent_process.file.signature.certificate.expiration_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_signature_certificate_expiration_time and actor.process.parent_process.file.signature.certificate.expiration_time log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.signature.certificate.fingerprints.algorithm |
principal.process.parent_process.file.signature_info.sigcheck.x509.algorithm |
Iterate through log field actor.process.parent_process.file.signature.certificate.fingerprints, then if the actor.process.parent_process.file.signature.certificate.fingerprints.algorithm log field value is not empty then, actor.process.parent_process.file.signature.certificate.fingerprints.algorithm log field is mapped to the principal.process.parent_process.file.signature_info.sigcheck.x509.algorithm UDM field. |
actor.process.parent_process.file.signature.certificate.fingerprints.value |
additional.fields[actor_process_parent_process_file_signature_certificate_fingerprints_%{index}_value] |
Iterate through log field actor.process.parent_process.file.signature.certificate.fingerprints, then if the actor.process.parent_process.file.signature.certificate.fingerprints.value log field value is not empty then, actor_process_parent_process_file_signature_certificate_fingerprints_%{index}_value log field is mapped to the additional.fields.key UDM field and actor.process.parent_process.file.signature.certificate.fingerprints.value log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.signature.certificate.issuer |
principal.process.parent_process.file.signature_info.sigcheck.x509.cert_issuer |
If the actor.process.parent_process.file.signature.certificate.issuer log field value is not empty then, actor.process.parent_process.file.signature.certificate.issuer log field is mapped to the principal.process.parent_process.file.signature_info.sigcheck.x509.cert_issuer UDM field. |
actor.process.parent_process.file.signature.certificate.serial_number |
principal.process.parent_process.file.signature_info.sigcheck.x509.serial_number |
If the actor.process.parent_process.file.signature.certificate.serial_number log field value is not empty then, actor.process.parent_process.file.signature.certificate.serial_number log field is mapped to the principal.process.parent_process.file.signature_info.sigcheck.x509.serial_number UDM field. |
actor.process.parent_process.file.signature.certificate.subject |
principal.process.parent_process.file.signature_info.sigcheck.x509.name |
If the actor.process.parent_process.file.signature.certificate.subject log field value is not empty then, actor.process.parent_process.file.signature.certificate.subject log field is mapped to the principal.process.parent_process.file.signature_info.sigcheck.x509.name UDM field. |
actor.process.parent_process.file.signature.certificate.uid |
additional.fields[actor_process_parent_process_file_signature_certificate_uid] |
If the actor.process.parent_process.file.signature.certificate.uid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_signature_certificate_uid and actor.process.parent_process.file.signature.certificate.uid log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.signature.certificate.version |
additional.fields[actor_process_parent_process_file_signature_certificate_version] |
If the actor.process.parent_process.file.signature.certificate.version log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_signature_certificate_version and actor.process.parent_process.file.signature.certificate.version log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.signature.created_time |
additional.fields[actor_process_parent_process_file_signature_created_time] |
If the actor.process.parent_process.file.signature.created_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_signature_created_time and actor.process.parent_process.file.signature.created_time log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.signature.developer_uid |
principal.process.parent_process.file.signature_info.sigcheck.signers.name |
If the actor.process.parent_process.file.signature.developer_uid log field value is not empty then, actor.process.parent_process.file.signature.developer_uid log field is mapped to the principal.process.parent_process.file.signature_info.sigcheck.signers.name UDM field. |
actor.process.parent_process.file.signature.digest.algorithm |
additional.fields[actor_process_parent_process_file_signature_digest_algorithm] |
If the actor.process.parent_process.file.signature.digest.algorithm log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_signature_digest_algorithm and actor.process.parent_process.file.signature.digest.algorithm log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.signature.digest.value |
additional.fields[actor_process_parent_process_file_signature_digest_value] |
If the actor.process.parent_process.file.signature.digest.value log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_signature_digest_value and actor.process.parent_process.file.signature.digest.value log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
actor.process.parent_process.file.type |
additional.fields[actor_process_parent_process_file_type] |
If the actor.process.parent_process.file.type log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_type and actor.process.parent_process.file.type log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.type_id |
additional.fields[actor_process_parent_process_file_type_id] |
If the actor.process.parent_process.file.type_id log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_type_id and actor.process.parent_process.file.type_id log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.uid |
principal.process.parent_process.file.stat_inode |
If the actor.process.parent_process.file.uid log field value is not empty then, actor.process.parent_process.file.uid log field is mapped to the principal.process.parent_process.file.stat_inode UDM field. |
actor.process.parent_process.file.version |
additional.fields[actor_process_parent_process_file_version] |
If the actor.process.parent_process.file.version log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_file_version and actor.process.parent_process.file.version log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.file.xattributes |
additional.fields[actor_process_parent_process_file_xattributes] |
Iterate for each key, value pair of log field actor.process.parent_process.file.xattributes, then if the actor.process.parent_process.file.xattributes log field value is not empty then, key log field is mapped to the additional.fields.key UDM field and value log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.integrity |
additional.fields[actor_process_parent_process_integrity] |
If the actor.process.parent_process.integrity log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_integrity and actor.process.parent_process.integrity log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.integrity_id |
principal.process.parent_process.integrity_level_rid |
If the actor.process.parent_process.integrity_id log field value is not empty then, actor.process.parent_process.integrity_id log field is mapped to the principal.process.parent_process.integrity_level_rid UDM field. |
actor.process.parent_process.lineage |
principal.process.parent_process.command_line_history |
Iterate through log field actor.process.parent_process.lineage, then if the actor.process.parent_process.lineage log field value is not empty then, actor.process.parent_process.lineage log field is mapped to the principal.process.parent_process.command_line_history UDM field. |
actor.process.parent_process.loaded_modules |
additional.fields[actor_process_parent_process_loaded_modules_%{index}] |
Iterate through log field actor.process.parent_process.loaded_modules, then if the actor.process.parent_process.loaded_modules log field value is not empty then, actor_process_parent_process_loaded_modules_%{index} log field is mapped to the additional.fields.key UDM field and actor.process.parent_process.loaded_modules log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.name |
additional.fields[actor_process_parent_process_name] |
If the actor.process.parent_process.name log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_name and actor.process.parent_process.name log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.pid |
principal.process.parent_process.pid |
If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
actor.process.parent_process.sandbox |
additional.fields[actor_process_parent_process_sandbox] |
If the actor.process.parent_process.sandbox log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_sandbox and actor.process.parent_process.sandbox log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.count |
additional.fields[actor_process_parent_process_session_count] |
If the actor.process.parent_process.session.count log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_count and actor.process.parent_process.session.count log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.created_time |
additional.fields[actor_process_parent_process_session_created_time] |
If the actor.process.parent_process.session.created_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_created_time and actor.process.parent_process.session.created_time log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.credential_uid |
additional.fields[actor_process_parent_process_session_credential_uid] |
If the actor.process.parent_process.session.credential_uid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_credential_uid and actor.process.parent_process.session.credential_uid log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.expiration_reason |
additional.fields[actor_process_parent_process_session_expiration_reason] |
If the actor.process.parent_process.session.expiration_reason log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_expiration_reason and actor.process.parent_process.session.expiration_reason log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.expiration_time |
additional.fields[actor_process_parent_process_session_expiration_time] |
If the actor.process.parent_process.session.expiration_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_expiration_time and actor.process.parent_process.session.expiration_time log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.is_mfa |
additional.fields[actor_process_parent_process_session_is_mfa] |
If the actor.process.parent_process.session.is_mfa log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_is_mfa and actor.process.parent_process.session.is_mfa log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.is_remote |
additional.fields[actor_process_parent_process_session_is_remote] |
If the actor.process.parent_process.session.is_remote log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_is_remote and actor.process.parent_process.session.is_remote log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.is_vpn |
additional.fields[actor_process_parent_process_session_is_vpn] |
If the actor.process.parent_process.session.is_vpn log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_is_vpn and actor.process.parent_process.session.is_vpn log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.issuer |
additional.fields[actor_process_parent_process_session_issuer] |
If the actor.process.parent_process.session.issuer log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_issuer and actor.process.parent_process.session.issuer log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.terminal |
additional.fields[actor_process_parent_process_session_terminal] |
If the actor.process.parent_process.session.terminal log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_terminal and actor.process.parent_process.session.terminal log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.uid |
additional.fields[actor_process_parent_process_session_uid] |
If the actor.process.parent_process.session.uid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_uid and actor.process.parent_process.session.uid log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.uid_alt |
additional.fields[actor_process_parent_process_session_uid_alt] |
If the actor.process.parent_process.session.uid_alt log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_uid_alt and actor.process.parent_process.session.uid_alt log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.session.uuid |
additional.fields[actor_process_parent_process_session_uuid] |
If the actor.process.parent_process.session.uuid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_session_uuid and actor.process.parent_process.session.uuid log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.terminated_time |
additional.fields[actor_process_parent_process_terminated_time] |
If the actor.process.parent_process.terminated_time log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_terminated_time and actor.process.parent_process.terminated_time log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.tid |
additional.fields[actor_process_parent_process_tid] |
If the actor.process.parent_process.tid log field value is not empty then, the additional.fields.key UDM field is set to actor_process_parent_process_tid and actor.process.parent_process.tid log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_parent_process_id |
If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_parent_process_id UDM field. |
actor.process.parent_process.xattributes |
additional.fields[actor_process_parent_process_xattributes] |
Iterate for each key, value pair of log field actor.process.parent_process.xattributes, then if the actor.process.parent_process.xattributes log field value is not empty then, key log field is mapped to the additional.fields.key UDM field and value log field is mapped to the additional.fields UDM field. |
actor.process.parent_process.user.account.name |
about.user.attribute.labels[actor_process_parent_process_user_account_name] |
If the actor.process.parent_process.user.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_account_name and actor.process.parent_process.user.account.name log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.account.type |
about.user.attribute.labels[actor_process_parent_process_user_account_type] |
If the actor.process.parent_process.user.account.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_account_type and actor.process.parent_process.user.account.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.account.type_id |
about.user.attribute.labels[actor_process_parent_process_user_account_type_id] |
If the actor.process.parent_process.user.account.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_account_type_id and actor.process.parent_process.user.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.account.uid |
about.user.attribute.labels[actor_process_parent_process_user_account_uid] |
If the actor.process.parent_process.user.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_account_uid and actor.process.parent_process.user.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.credential_uid |
about.user.attribute.labels[actor_process_parent_process_user_credential_uid] |
If the actor.process.parent_process.user.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_credential_uid and actor.process.parent_process.user.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.domain |
about.user.attribute.labels[actor_process_parent_process_user_domain] |
If the actor.process.parent_process.user.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_domain and actor.process.parent_process.user.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.email_addr |
about.user.email_addresses |
If the actor.process.parent_process.user.email_addr log field value is not empty then, actor.process.parent_process.user.email_addr log field is mapped to the about.user.email_addresses UDM field. |
actor.process.parent_process.user.full_name |
about.user.user_display_name |
If the actor.process.parent_process.user.full_name log field value is not empty then, actor.process.parent_process.user.full_name log field is mapped to the about.user.user_display_name UDM field. |
actor.process.parent_process.user.groups.desc |
about.user.attribute.labels[actor_process_parent_process_user_groups_%{index}_desc] |
Iterate through log field actor.process.parent_process.user.groups, then if the actor.process.parent_process.user.groups.desc log field value is not empty then, actor_process_parent_process_user_groups_%{index}_desc log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.user.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.groups.domain |
about.user.attribute.labels[actor_process_parent_process_user_groups_%{index}_domain] |
Iterate through log field actor.process.parent_process.user.groups, then if the actor.process.parent_process.user.groups.domain log field value is not empty then, actor_process_parent_process_user_groups_%{index}_domain log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.user.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.groups.name |
about.user.group_identifiers |
Iterate through log field actor.process.parent_process.user.groups, then if the actor.process.parent_process.user.groups.name log field value is not empty then, actor.process.parent_process.user.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
actor.process.parent_process.user.groups.privileges |
about.user.attribute.labels[actor_process_parent_process_user_groups_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.parent_process.user.groups, then iterate through log field actor.process.parent_process.user.groups.privileges, then if the actor.process.parent_process.user.groups.privileges log field value is not empty then, actor_process_parent_process_user_groups_%{index}_privileges_%{index1} log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.user.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.groups.type |
about.user.attribute.labels[actor_process_parent_process_user_groups_%{index}_type] |
Iterate through log field actor.process.parent_process.user.groups, then if the actor.process.parent_process.user.groups.type log field value is not empty then, actor_process_parent_process_user_groups_%{index}_type log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.user.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.groups.uid |
about.user.attribute.labels[actor_process_parent_process_user_groups_%{index}_uid] |
Iterate through log field actor.process.parent_process.user.groups, then if the actor.process.parent_process.user.groups.uid log field value is not empty then, actor_process_parent_process_user_groups_%{index}_uid log field is mapped to the about.user.attribute.labels.key UDM field and actor.process.parent_process.user.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.cost_center |
about.user.attribute.labels[actor_process_parent_process_user_ldap_person_cost_center] |
If the actor.process.parent_process.user.ldap_person.cost_center log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_cost_center and actor.process.parent_process.user.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.created_time |
about.user.attribute.creation_time |
If the actor.process.parent_process.user.ldap_person.created_time log field value is not empty then, actor.process.parent_process.user.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
actor.process.parent_process.user.ldap_person.deleted_time |
about.user.attribute.labels[actor_process_parent_process_user_ldap_person_deleted_time] |
If the actor.process.parent_process.user.ldap_person.deleted_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_deleted_time and actor.process.parent_process.user.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field actor.process.parent_process.user.ldap_person.email_addrs, then if the actor.process.parent_process.user.ldap_person.email_addrs log field value is not empty then, actor.process.parent_process.user.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
actor.process.parent_process.user.ldap_person.employee_uid |
about.user.employee_id |
If the actor.process.parent_process.user.ldap_person.employee_uid log field value is not empty then, actor.process.parent_process.user.ldap_person.employee_uid log field is mapped to the about.user.employee_id UDM field. |
actor.process.parent_process.user.ldap_person.given_name |
about.user.first_name |
If the actor.process.parent_process.user.ldap_person.given_name log field value is not empty then, actor.process.parent_process.user.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
actor.process.parent_process.user.ldap_person.hire_time |
about.user.hire_date |
If the actor.process.parent_process.user.ldap_person.hire_time log field value is not empty then, actor.process.parent_process.user.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
actor.process.parent_process.user.ldap_person.job_title |
about.user.title |
If the actor.process.parent_process.user.ldap_person.job_title log field value is not empty then, actor.process.parent_process.user.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
actor.process.parent_process.user.ldap_person.labels |
about.user.attribute.labels[actor_process_parent_process_user_ldap_person_labels_%{index}] |
Iterate through log field actor.process.parent_process.user.ldap_person.labels, then if the actor.process.parent_process.user.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_labels_%{index} and actor.process.parent_process.user.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
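The rows above for fingerprints, loaded_modules, xattributes, user.groups (including the nested privileges array with its %{index} and %{index1} placeholders) and ldap_person.labels all expand a repeated OCSF field into several UDM keys. The script below is an added worked example, not the Google SecOps parser's own code and not part of OCSF; it applies those rules from the actor.process.parent_process subtree to a constructed sample event so that a detection author can see exactly which additional.fields and about.user.attribute.labels keys a given event yields. It assumes the %{index} counters are 0-based and that a single-valued UDM field written on every iteration (x509.algorithm) keeps the last value, neither of which the table states explicitly.

```python
"""Expand the repeated-field mapping rules for actor.process.parent_process.

Added example, not part of the Google SecOps OCSF parser. It reproduces the
key-naming conventions documented in the rows above so a detection author can
see which keys an event yields. Assumptions: %{index} counters are 0-based,
and a single-valued UDM field set on every iteration (x509.algorithm) keeps
the last value.
"""
import json

KEY_PREFIX = "actor_process_parent_process"

# Constructed sample event (not taken from the page), trimmed to this subtree.
SAMPLE_EVENT = json.dumps({"actor": {"process": {"parent_process": {
    "pid": 4242,
    "loaded_modules": ["C:\\Windows\\System32\\ntdll.dll",
                       "C:\\Windows\\System32\\kernel32.dll"],
    "xattributes": {"build": "22621", "signed": "true"},
    "file": {"size": 45, "uid": "1234", "signature": {"certificate": {
        "issuer": "CN=Example Code Signing CA",
        "subject": "CN=Example Corp",
        "serial_number": "0102030405",
        "fingerprints": [{"algorithm": "SHA-256", "value": "ab" * 32},
                         {"algorithm": "SHA-1", "value": "cd" * 20}]}}},
    "user": {
        "groups": [{"name": "Administrators", "uid": "S-1-5-32-544",
                    "privileges": ["SeDebugPrivilege", "SeBackupPrivilege"]},
                   {"name": "Users", "uid": "S-1-5-32-545"}],
        "ldap_person": {"labels": ["contractor", "eu"],
                        "email_addrs": ["a@example.com"]}},
}}}})


def _present(value):
    """The table's 'not empty' test: None and "" are skipped, 0 is kept."""
    return value is not None and value != ""


def map_parent_process(raw_event: str) -> dict:
    event = json.loads(raw_event)
    pp = event.get("actor", {}).get("process", {}).get("parent_process", {})
    add, labels, principal = {}, {}, {}
    out = {"additional.fields": add,
           "about.user.attribute.labels": labels,
           "about.user.group_identifiers": [],
           "about.user.email_addresses": [],
           "principal.process.parent_process": principal}

    # Scalar rows that land on first-class UDM fields.
    if _present(pp.get("pid")):
        principal["pid"] = pp["pid"]
    pfile = pp.get("file", {})
    if _present(pfile.get("size")):
        principal["file.size"] = pfile["size"]
    if _present(pfile.get("uid")):
        principal["file.stat_inode"] = pfile["uid"]
    cert = pfile.get("signature", {}).get("certificate", {})
    for src, dst in (("issuer", "cert_issuer"), ("subject", "name"),
                     ("serial_number", "serial_number")):
        if _present(cert.get(src)):
            principal[f"file.signature_info.sigcheck.x509.{dst}"] = cert[src]

    # fingerprints: algorithm -> single x509.algorithm field (last wins, assumed);
    # value -> additional.fields with the array index baked into the key.
    for i, fp in enumerate(cert.get("fingerprints", [])):
        if _present(fp.get("algorithm")):
            principal["file.signature_info.sigcheck.x509.algorithm"] = fp["algorithm"]
        if _present(fp.get("value")):
            add[f"{KEY_PREFIX}_file_signature_certificate_fingerprints_{i}_value"] = fp["value"]

    for i, module in enumerate(pp.get("loaded_modules", [])):
        if _present(module):
            add[f"{KEY_PREFIX}_loaded_modules_{i}"] = module

    # xattributes: the map's own keys are used verbatim, with no prefix.
    for key, value in pp.get("xattributes", {}).items():
        if _present(value):
            add[key] = value

    user = pp.get("user", {})
    for i, group in enumerate(user.get("groups", [])):
        if _present(group.get("name")):
            out["about.user.group_identifiers"].append(group["name"])
        if _present(group.get("uid")):
            labels[f"{KEY_PREFIX}_user_groups_{i}_uid"] = group["uid"]
        # Nested array: %{index} is the group position, %{index1} the privilege.
        for j, priv in enumerate(group.get("privileges", [])):
            if _present(priv):
                labels[f"{KEY_PREFIX}_user_groups_{i}_privileges_{j}"] = priv

    ldap = user.get("ldap_person", {})
    for addr in ldap.get("email_addrs", []):
        if _present(addr):
            out["about.user.email_addresses"].append(addr)
    for i, label in enumerate(ldap.get("labels", [])):
        if _present(label):
            labels[f"{KEY_PREFIX}_user_ldap_person_labels_{i}"] = label
    return out
```

Two points worth noticing when writing rules against this output: the certificate fingerprint hash itself never reaches a first-class UDM field (only its algorithm does), so a rule that wants to match on the signer's thumbprint has to read the indexed additional.fields key; and xattributes keys are copied through without the actor_process_parent_process prefix, so an event can populate arbitrary additional.fields keys that collide with the parser's own.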
actor.process.parent_process.user.ldap_person.last_login_time |
about.user.last_login_time |
If the actor.process.parent_process.user.ldap_person.last_login_time log field value is not empty then, actor.process.parent_process.user.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
actor.process.parent_process.user.ldap_person.ldap_cn |
about.user.attribute.labels[actor_process_parent_process_user_ldap_person_ldap_cn] |
If the actor.process.parent_process.user.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_ldap_cn and actor.process.parent_process.user.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.ldap_dn |
about.user.attribute.labels[actor_process_parent_process_user_ldap_person_ldap_dn] |
If the actor.process.parent_process.user.ldap_person.ldap_dn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_ldap_dn and actor.process.parent_process.user.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.leave_time |
about.user.termination_date |
If the actor.process.parent_process.user.ldap_person.leave_time log field value is not empty then, actor.process.parent_process.user.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
actor.process.parent_process.user.ldap_person.modified_time |
about.user.attribute.last_update_time |
If the actor.process.parent_process.user.ldap_person.modified_time log field value is not empty then, actor.process.parent_process.user.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
actor.process.parent_process.user.ldap_person.office_location |
about.user.office_address.name |
If the actor.process.parent_process.user.ldap_person.office_location log field value is not empty then, actor.process.parent_process.user.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
actor.process.parent_process.user.ldap_person.surname |
about.user.last_name |
If the actor.process.parent_process.user.ldap_person.surname log field value is not empty then, actor.process.parent_process.user.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
actor.process.parent_process.user.ldap_person.manager.account.name |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_account_name] |
If the actor.process.parent_process.user.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_account_name and actor.process.parent_process.user.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.account.type |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_account_type] |
If the actor.process.parent_process.user.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_account_type and actor.process.parent_process.user.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.account.type_id |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_account_type_id] |
If the actor.process.parent_process.user.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_account_type_id and actor.process.parent_process.user.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.account.uid |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_account_uid] |
If the actor.process.parent_process.user.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_account_uid and actor.process.parent_process.user.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.credential_uid |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_credential_uid] |
If the actor.process.parent_process.user.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_credential_uid and actor.process.parent_process.user.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.domain |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_domain] |
If the actor.process.parent_process.user.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_domain and actor.process.parent_process.user.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.email_addr |
about.user.managers.email_addresses |
If the actor.process.parent_process.user.ldap_person.manager.email_addr log field value is not empty then, actor.process.parent_process.user.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
actor.process.parent_process.user.ldap_person.manager.full_name |
about.user.managers.user_display_name |
If the actor.process.parent_process.user.ldap_person.manager.full_name log field value is not empty then, actor.process.parent_process.user.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
actor.process.parent_process.user.ldap_person.manager.groups.desc |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.process.parent_process.user.ldap_person.manager.groups, then if the actor.process.parent_process.user.ldap_person.manager.groups.desc log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_group_%{index}_desc and actor.process.parent_process.user.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.groups.domain |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.process.parent_process.user.ldap_person.manager.groups, then if the actor.process.parent_process.user.ldap_person.manager.groups.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_group_%{index}_domain and actor.process.parent_process.user.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.groups.name |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.process.parent_process.user.ldap_person.manager.groups, then if the actor.process.parent_process.user.ldap_person.manager.groups.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_group_%{index}_name and actor.process.parent_process.user.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.groups.privileges |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.parent_process.user.ldap_person.manager.groups, then iterate through log field actor.process.parent_process.user.ldap_person.manager.groups.privileges, then if the actor.process.parent_process.user.ldap_person.manager.groups.privileges log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_group_%{index}_privileges_%{index1} and actor.process.parent_process.user.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.groups.type |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.process.parent_process.user.ldap_person.manager.groups, then if the actor.process.parent_process.user.ldap_person.manager.groups.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_group_%{index}_type and actor.process.parent_process.user.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.groups.uid |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.process.parent_process.user.ldap_person.manager.groups, then if the actor.process.parent_process.user.ldap_person.manager.groups.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_group_%{index}_uid and actor.process.parent_process.user.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.name |
about.user.managers.userid |
If the actor.process.parent_process.user.ldap_person.manager.name log field value is not empty then, actor.process.parent_process.user.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
actor.process.parent_process.user.ldap_person.manager.type |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_type] |
If the actor.process.parent_process.user.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_type and actor.process.parent_process.user.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
If the actor.process.parent_process.user.ldap_person.manager.type_id log field value is equal to 1 then, the about.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.process.parent_process.user.ldap_person.manager.type_id log field value is equal to 2 then, the about.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.parent_process.user.ldap_person.manager.type_id log field value is equal to 3 then, the about.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.process.parent_process.user.ldap_person.manager.type_id log field value is equal to 0 then, the about.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the about.user.managers.attribute.roles.name UDM field is set to Other. |
actor.process.parent_process.user.ldap_person.manager.uid |
about.user.managers.product_object_id |
If the actor.process.parent_process.user.ldap_person.manager.uid log field value is not empty then, actor.process.parent_process.user.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
actor.process.parent_process.user.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_uid_alt] |
If the actor.process.parent_process.user.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_uid_alt and actor.process.parent_process.user.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.org.name |
about.user.managers.company_name |
If the actor.process.parent_process.user.ldap_person.manager.org.name log field value is not empty then, actor.process.parent_process.user.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
actor.process.parent_process.user.ldap_person.manager.org.ou_name |
about.user.managers.department |
If the actor.process.parent_process.user.ldap_person.manager.org.ou_name log field value is not empty then, actor.process.parent_process.user.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
actor.process.parent_process.user.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_org_ou_uid] |
If the actor.process.parent_process.user.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_org_ou_uid and actor.process.parent_process.user.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[actor_process_parent_process_user_ldap_person_manager_org_uid] |
If the actor.process.parent_process.user.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_manager_org_uid and actor.process.parent_process.user.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.location.city |
about.user.personal_address.city |
If the actor.process.parent_process.user.ldap_person.location.city log field value is not empty then, actor.process.parent_process.user.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
actor.process.parent_process.user.ldap_person.location.continent |
about.user.attribute.labels[actor_process_parent_process_user_ldap_person_location_continent] |
If the actor.process.parent_process.user.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_location_continent and actor.process.parent_process.user.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.latitude & longitude |
Iterate through log field actor.process.parent_process.user.ldap_person.location.coordinates, then if the index value is equal to 0 then, actor.process.parent_process.user.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, actor.process.parent_process.user.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.latitude UDM field. (OCSF coordinates follow the GeoJSON order: longitude first, then latitude.) |
actor.process.parent_process.user.ldap_person.location.country |
about.user.office_address.country_or_region |
If the actor.process.parent_process.user.ldap_person.location.country log field value is not empty then, actor.process.parent_process.user.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
actor.process.parent_process.user.ldap_person.location.desc |
about.user.office_address.name |
If the actor.process.parent_process.user.ldap_person.location.desc log field value is not empty then, actor.process.parent_process.user.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
actor.process.parent_process.user.ldap_person.location.is_on_premises |
about.user.attribute.labels[actor_process_parent_process_user_ldap_person_location_is_on_premises] |
If the actor.process.parent_process.user.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_location_is_on_premises and actor.process.parent_process.user.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.location.isp |
about.user.attribute.labels[actor_process_parent_process_user_ldap_person_location_isp] |
If the actor.process.parent_process.user.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_location_isp and actor.process.parent_process.user.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.location.postal_code |
about.user.attribute.labels[actor_process_parent_process_user_ldap_person_location_postal_code] |
If the actor.process.parent_process.user.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_location_postal_code and actor.process.parent_process.user.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.location.provider |
about.user.attribute.labels[actor_process_parent_process_user_ldap_person_location_provider] |
If the actor.process.parent_process.user.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_ldap_person_location_provider and actor.process.parent_process.user.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.ldap_person.location.region |
about.user.office_address.state |
If the actor.process.parent_process.user.ldap_person.location.region log field value is not empty then, actor.process.parent_process.user.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
actor.process.parent_process.user.name |
about.user.userid |
If the actor.process.parent_process.user.name log field value is not empty then, actor.process.parent_process.user.name log field is mapped to the about.user.userid UDM field. |
actor.process.parent_process.user.org.name |
about.user.company_name |
If the actor.process.parent_process.user.org.name log field value is not empty then, actor.process.parent_process.user.org.name log field is mapped to the about.user.company_name UDM field. |
actor.process.parent_process.user.org.ou_name |
about.user.department |
If the actor.process.parent_process.user.org.ou_name log field value is not empty then, actor.process.parent_process.user.org.ou_name log field is mapped to the about.user.department UDM field. |
actor.process.parent_process.user.org.ou_uid |
about.user.attribute.labels[actor_process_parent_process_user_org_ou_uid] |
If the actor.process.parent_process.user.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_org_ou_uid and actor.process.parent_process.user.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.org.uid |
about.user.attribute.labels[actor_process_parent_process_user_org_uid] |
If the actor.process.parent_process.user.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_org_uid and actor.process.parent_process.user.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.type |
about.user.attribute.labels[actor_process_parent_process_user_type] |
If the actor.process.parent_process.user.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_type and actor.process.parent_process.user.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.type_id |
about.user.attribute.labels[actor_process_parent_process_user_type_id] |
If the actor.process.parent_process.user.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_type_id and actor.process.parent_process.user.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.parent_process.user.uid |
about.user.product_object_id |
If the actor.process.parent_process.user.uid log field value is not empty then, actor.process.parent_process.user.uid log field is mapped to the about.user.product_object_id UDM field. |
actor.process.parent_process.user.uid_alt |
about.user.attribute.labels[actor_process_parent_process_user_uid_alt] |
If the actor.process.parent_process.user.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_parent_process_user_uid_alt and actor.process.parent_process.user.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.account.name |
about.user.attribute.labels[actor_process_user_account_name] |
If the actor.process.user.account.name log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_account_name and actor.process.user.account.name log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.account.type |
about.user.attribute.labels[actor_process_user_account_type] |
If the actor.process.user.account.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_account_type and actor.process.user.account.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.account.type_id |
about.user.attribute.labels[actor_process_user_account_type_id] |
If the actor.process.user.account.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_account_type_id and actor.process.user.account.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.account.uid |
about.user.attribute.labels[actor_process_user_account_uid] |
If the actor.process.user.account.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_account_uid and actor.process.user.account.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.credential_uid |
about.user.attribute.labels[actor_process_user_credential_uid] |
If the actor.process.user.credential_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_credential_uid and actor.process.user.credential_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.domain |
about.user.attribute.labels[actor_process_user_domain] |
If the actor.process.user.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_domain and actor.process.user.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.email_addr |
about.user.email_addresses |
If the actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the about.user.email_addresses UDM field. |
actor.process.user.full_name |
about.user.user_display_name |
If the actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the about.user.user_display_name UDM field. |
actor.process.user.groups.desc |
about.user.attribute.labels[actor_process_user_groups_%{index}_desc] |
Iterate through log field actor.process.user.groups, then if the actor.process.user.groups.desc log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_groups_%{index}_desc and actor.process.user.groups.desc log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.groups.domain |
about.user.attribute.labels[actor_process_user_groups_%{index}_domain] |
Iterate through log field actor.process.user.groups, then if the actor.process.user.groups.domain log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_groups_%{index}_domain and actor.process.user.groups.domain log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.groups.name |
about.user.group_identifiers |
Iterate through log field actor.process.user.groups, then if the actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the about.user.group_identifiers UDM field. |
actor.process.user.groups.privileges |
about.user.attribute.labels[actor_process_user_groups_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.user.groups, then iterate through log field actor.process.user.groups.privileges, then if the actor.process.user.groups.privileges log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_groups_%{index}_privileges_%{index1} and actor.process.user.groups.privileges log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.groups.type |
about.user.attribute.labels[actor_process_user_groups_%{index}_type] |
Iterate through log field actor.process.user.groups, then if the actor.process.user.groups.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_groups_%{index}_type and actor.process.user.groups.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.groups.uid |
about.user.attribute.labels[actor_process_user_groups_%{index}_uid] |
Iterate through log field actor.process.user.groups, then if the actor.process.user.groups.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_groups_%{index}_uid and actor.process.user.groups.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.cost_center |
about.user.attribute.labels[actor_process_user_ldap_person_cost_center] |
If the actor.process.user.ldap_person.cost_center log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_ldap_person_cost_center and actor.process.user.ldap_person.cost_center log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.created_time |
about.user.attribute.creation_time |
If the actor.process.user.ldap_person.created_time log field value is not empty then, actor.process.user.ldap_person.created_time log field is mapped to the about.user.attribute.creation_time UDM field. |
actor.process.user.ldap_person.deleted_time |
about.user.attribute.labels[actor_process_user_ldap_person_deleted_time] |
If the actor.process.user.ldap_person.deleted_time log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_ldap_person_deleted_time and actor.process.user.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.email_addrs |
about.user.email_addresses |
Iterate through log field actor.process.user.ldap_person.email_addrs, then if the actor.process.user.ldap_person.email_addrs log field value is not empty then, actor.process.user.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
actor.process.user.ldap_person.employee_uid |
about.user.employee_id |
If the actor.process.user.ldap_person.employee_uid log field value is not empty then, actor.process.user.ldap_person.employee_uid log field is mapped to the about.user.employee_id UDM field. |
actor.process.user.ldap_person.given_name |
about.user.first_name |
If the actor.process.user.ldap_person.given_name log field value is not empty then, actor.process.user.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
actor.process.user.ldap_person.hire_time |
about.user.hire_date |
If the actor.process.user.ldap_person.hire_time log field value is not empty then, actor.process.user.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
actor.process.user.ldap_person.job_title |
about.user.title |
If the actor.process.user.ldap_person.job_title log field value is not empty then, actor.process.user.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
actor.process.user.ldap_person.labels |
about.user.attribute.labels[actor_process_user_ldap_person_label_{index}] |
Iterate through log field actor.process.user.ldap_person.labels, then if the actor.process.user.ldap_person.labels log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_ldap_person_labels_{index} and actor.process.user.ldap_person.labels log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.last_login_time |
about.user.last_login_time |
If the actor.process.user.ldap_person.last_login_time log field value is not empty then, actor.process.user.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
actor.process.user.ldap_person.ldap_cn |
about.user.attribute.labels[actor_process_user_ldap_person_ldap_cn] |
If the actor.process.user.ldap_person.ldap_cn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_ldap_person_ldap_cn and actor.process.user.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.ldap_dn |
about.user.attribute.labels[actor_process_user_ldap_person_ldap_dn] |
If the actor.process.user.ldap_person.ldap_dn log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_ldap_person_ldap_dn and actor.process.user.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.leave_time |
about.user.termination_date |
If the actor.process.user.ldap_person.leave_time log field value is not empty then, actor.process.user.ldap_person.leave_time log field is mapped to the about.user.termination_date UDM field. |
actor.process.user.ldap_person.modified_time |
about.user.attribute.last_update_time |
If the actor.process.user.ldap_person.modified_time log field value is not empty then, actor.process.user.ldap_person.modified_time log field is mapped to the about.user.attribute.last_update_time UDM field. |
actor.process.user.ldap_person.office_location |
about.user.office_address.name |
If the actor.process.user.ldap_person.office_location log field value is not empty then, actor.process.user.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
actor.process.user.ldap_person.surname |
about.user.last_name |
If the actor.process.user.ldap_person.surname log field value is not empty then, actor.process.user.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
actor.process.user.ldap_person.manager.account.name |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_account_name] |
If the actor.process.user.ldap_person.manager.account.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_account_name and actor.process.user.ldap_person.manager.account.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.account.type |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_account_type] |
If the actor.process.user.ldap_person.manager.account.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_account_type and actor.process.user.ldap_person.manager.account.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.account.type_id |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_account_type_id] |
If the actor.process.user.ldap_person.manager.account.type_id log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_account_type_id and actor.process.user.ldap_person.manager.account.type_id log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.account.uid |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_account_uid] |
If the actor.process.user.ldap_person.manager.account.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_account_uid and actor.process.user.ldap_person.manager.account.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.credential_uid |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_credential_uid] |
If the actor.process.user.ldap_person.manager.credential_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_credential_uid and actor.process.user.ldap_person.manager.credential_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.domain |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_domain] |
If the actor.process.user.ldap_person.manager.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_domain and actor.process.user.ldap_person.manager.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.email_addr |
about.user.managers.email_addresses |
If the actor.process.user.ldap_person.manager.email_addr log field value is not empty then, actor.process.user.ldap_person.manager.email_addr log field is mapped to the about.user.managers.email_addresses UDM field. |
actor.process.user.ldap_person.manager.full_name |
about.user.managers.user_display_name |
If the actor.process.user.ldap_person.manager.full_name log field value is not empty then, actor.process.user.ldap_person.manager.full_name log field is mapped to the about.user.managers.user_display_name UDM field. |
actor.process.user.ldap_person.manager.groups.desc |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_group_%{index}_desc] |
Iterate through log field actor.process.user.ldap_person.manager.groups, then if the actor.process.user.ldap_person.manager.groups.desc log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_group_%{index}_desc and actor.process.user.ldap_person.manager.groups.desc log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.groups.domain |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_group_%{index}_domain] |
Iterate through log field actor.process.user.ldap_person.manager.groups, then if the actor.process.user.ldap_person.manager.groups.domain log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_group_%{index}_domain and actor.process.user.ldap_person.manager.groups.domain log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.groups.name |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_group_%{index}_name] |
Iterate through log field actor.process.user.ldap_person.manager.groups, then if the actor.process.user.ldap_person.manager.groups.name log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_group_%{index}_name and actor.process.user.ldap_person.manager.groups.name log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.groups.privileges |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_group_%{index}_privileges_%{index1}] |
Iterate through log field actor.process.user.ldap_person.manager.groups, then iterate through log field actor.process.user.ldap_person.manager.groups.privileges, then if the actor.process.user.ldap_person.manager.groups.privileges log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_group_%{index}_privileges_%{index1} and actor.process.user.ldap_person.manager.groups.privileges log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.groups.type |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_group_%{index}_type] |
Iterate through log field actor.process.user.ldap_person.manager.groups, then if the actor.process.user.ldap_person.manager.groups.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_group_%{index}_type and actor.process.user.ldap_person.manager.groups.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.groups.uid |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_group_%{index}_uid] |
Iterate through log field actor.process.user.ldap_person.manager.groups, then if the actor.process.user.ldap_person.manager.groups.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_group_%{index}_uid and actor.process.user.ldap_person.manager.groups.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.name |
about.user.managers.userid |
If the actor.process.user.ldap_person.manager.name log field value is not empty then, actor.process.user.ldap_person.manager.name log field is mapped to the about.user.managers.userid UDM field. |
actor.process.user.ldap_person.manager.type |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_type] |
If the actor.process.user.ldap_person.manager.type log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_type and actor.process.user.ldap_person.manager.type log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.type_id |
about.user.managers.attribute.roles.name |
If the actor.process.user.ldap_person.manager.type_id log field value is equal to 1 then, the about.user.managers.attribute.roles.name UDM field is set to User. Else, if the actor.process.user.ldap_person.manager.type_id log field value is equal to 2 then, the about.user.managers.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.user.ldap_person.manager.type_id log field value is equal to 3 then, the about.user.managers.attribute.roles.name UDM field is set to System. Else, if the actor.process.user.ldap_person.manager.type_id log field value is equal to 0 then, the about.user.managers.attribute.roles.name UDM field is set to Unknown. Else, the about.user.managers.attribute.roles.name UDM field is set to Other. |
actor.process.user.ldap_person.manager.uid |
about.user.managers.product_object_id |
If the actor.process.user.ldap_person.manager.uid log field value is not empty then, actor.process.user.ldap_person.manager.uid log field is mapped to the about.user.managers.product_object_id UDM field. |
actor.process.user.ldap_person.manager.uid_alt |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_uid_alt] |
If the actor.process.user.ldap_person.manager.uid_alt log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_uid_alt and actor.process.user.ldap_person.manager.uid_alt log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.org.name |
about.user.managers.company_name |
If the actor.process.user.ldap_person.manager.org.name log field value is not empty then, actor.process.user.ldap_person.manager.org.name log field is mapped to the about.user.managers.company_name UDM field. |
actor.process.user.ldap_person.manager.org.ou_name |
about.user.managers.department |
If the actor.process.user.ldap_person.manager.org.ou_name log field value is not empty then, actor.process.user.ldap_person.manager.org.ou_name log field is mapped to the about.user.managers.department UDM field. |
actor.process.user.ldap_person.manager.org.ou_uid |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_org_ou_uid] |
If the actor.process.user.ldap_person.manager.org.ou_uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_org_ou_uid and actor.process.user.ldap_person.manager.org.ou_uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.manager.org.uid |
about.user.managers.attribute.labels[actor_process_user_ldap_person_manager_org_uid] |
If the actor.process.user.ldap_person.manager.org.uid log field value is not empty then, the about.user.managers.attribute.labels.key UDM field is set to actor_process_user_ldap_person_manager_org_uid and actor.process.user.ldap_person.manager.org.uid log field is mapped to the about.user.managers.attribute.labels UDM field. |
actor.process.user.ldap_person.location.city |
about.user.personal_address.city |
If the actor.process.user.ldap_person.location.city log field value is not empty then, actor.process.user.ldap_person.location.city log field is mapped to the about.user.personal_address.city UDM field. |
actor.process.user.ldap_person.location.continent |
about.user.attribute.labels[actor_process_user_ldap_person_location_continent] |
If the actor.process.user.ldap_person.location.continent log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_ldap_person_location_continent and actor.process.user.ldap_person.location.continent log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.location.coordinates |
about.user.office_address.region_coordinates.latitude & longitude |
Iterate through log field actor.process.user.ldap_person.location.coordinates (OCSF orders coordinates as [longitude, latitude]), then if the index value is equal to 0 then, actor.process.user.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.longitude UDM field. Else, actor.process.user.ldap_person.location.coordinates log field is mapped to the about.user.office_address.region_coordinates.latitude UDM field. |
actor.process.user.ldap_person.location.country |
about.user.office_address.country_or_region |
If the actor.process.user.ldap_person.location.country log field value is not empty then, actor.process.user.ldap_person.location.country log field is mapped to the about.user.personal_address.country_or_region UDM field. |
actor.process.user.ldap_person.location.desc |
about.user.office_address.name |
If the actor.process.user.ldap_person.location.desc log field value is not empty then, actor.process.user.ldap_person.location.desc log field is mapped to the about.user.office_address.name UDM field. |
actor.process.user.ldap_person.location.is_on_premises |
about.user.attribute.labels[actor_process_user_ldap_person_location_is_on_premises] |
If the actor.process.user.ldap_person.location.is_on_premises log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_ldap_person_location_is_on_premises and actor.process.user.ldap_person.location.is_on_premises log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.location.isp |
about.user.attribute.labels[actor_process_user_ldap_person_location_isp] |
If the actor.process.user.ldap_person.location.isp log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_ldap_person_location_isp and actor.process.user.ldap_person.location.isp log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.location.postal_code |
about.user.attribute.labels[actor_process_user_ldap_person_location_postal_code] |
If the actor.process.user.ldap_person.location.postal_code log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_ldap_person_location_postal_code and actor.process.user.ldap_person.location.postal_code log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.location.provider |
about.user.attribute.labels[actor_process_user_ldap_person_location_provider] |
If the actor.process.user.ldap_person.location.provider log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_ldap_person_location_provider and actor.process.user.ldap_person.location.provider log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.ldap_person.location.region |
about.user.office_address.state |
If the actor.process.user.ldap_person.location.region log field value is not empty then, actor.process.user.ldap_person.location.region log field is mapped to the about.user.office_address.state UDM field. |
actor.process.user.name |
about.user.userid |
If the actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the about.user.userid UDM field. |
actor.process.user.org.name |
about.user.company_name |
If the actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the about.user.company_name UDM field. |
actor.process.user.org.ou_name |
about.user.department |
If the actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the about.user.department UDM field. |
actor.process.user.org.ou_uid |
about.user.attribute.labels[actor_process_user_org_ou_uid] |
If the actor.process.user.org.ou_uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_org_ou_uid and actor.process.user.org.ou_uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.org.uid |
about.user.attribute.labels[actor_process_user_org_uid] |
If the actor.process.user.org.uid log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_org_uid and actor.process.user.org.uid log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.type |
about.user.attribute.labels[actor_process_user_type] |
If the actor.process.user.type log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_type and actor.process.user.type log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.type_id |
about.user.attribute.labels[actor_process_user_type_id] |
If the actor.process.user.type_id log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_type_id and actor.process.user.type_id log field is mapped to the about.user.attribute.labels UDM field. |
actor.process.user.uid |
about.user.product_object_id |
If the actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the about.user.product_object_id UDM field. |
actor.process.user.uid_alt |
about.user.attribute.labels[actor_process_user_uid_alt] |
If the actor.process.user.uid_alt log field value is not empty then, the about.user.attribute.labels.key UDM field is set to actor_process_user_uid_alt and actor.process.user.uid_alt log field is mapped to the about.user.attribute.labels UDM field. |
resources.name |
about.resource.name |
Iterate through log field resources, then if the resources.name log field value is not empty then, resources.name log field is mapped to the about.resource.name UDM field. |
resources.type |
about.resource.resource_subtype |
Iterate through log field resources, then if the resources.type log field value is not empty then, resources.type log field is mapped to the about.resource.resource_subtype UDM field. |
resources.uid |
about.resource.product_object_id |
Iterate through log field resources, then if the resources.uid log field value is not empty then, resources.uid log field is mapped to the about.resource.product_object_id UDM field. |
resources.labels |
about.resource.attribute.labels[resource_details_label_%{index}] |
Iterate through log field resources, then iterate through log field resources.labels, then if the resources.labels log field value is not empty then, the about.resource.attribute.labels.key UDM field is set to resource_details_label_%{index} and resources.labels log field is mapped to the about.resource.attribute.labels UDM field. |
resources.namespace |
about.namespace |
Iterate through log field resources, then if the resources.namespace log field value is not empty then, resources.namespace log field is mapped to the about.namespace UDM field. |
resources.version |
about.resource.attribute.labels[version] |
Iterate through log field resources, then if the resources.version log field value is not empty then, the about.resource.attribute.labels.key UDM field is set to version and resources.version log field is mapped to the about.resource.attribute.labels UDM field. |
resources.criticality |
about.resource.attribute.labels[criticality] |
Iterate through log field resources, then if the resources.criticality log field value is not empty then, the about.resource.attribute.labels.key UDM field is set to criticality and resources.criticality log field is mapped to the about.resource.attribute.labels UDM field. |
resources.cloud_partition |
about.resource.attribute.labels[cloud_partition] |
Iterate through log field resources, then if the resources.cloud_partition log field value is not empty then, the about.resource.attribute.labels.key UDM field is set to cloud_partition and resources.cloud_partition log field is mapped to the about.resource.attribute.labels UDM field. |
cloud.account.name |
about.resource.attribute.labels[cloud_acc_name] |
If the cloud.account.name log field value is not empty then, the about.resource.attribute.labels.key UDM field is set to cloud_acc_name and cloud.account.name log field is mapped to the about.resource.attribute.labels UDM field. |
cloud.account.type |
about.resource.attribute.labels[cloud_acc_type] |
If the cloud.account.type log field value is not empty then, the about.resource.attribute.labels.key UDM field is set to cloud_acc_type and cloud.account.type log field is mapped to the about.resource.attribute.labels UDM field. |
cloud.account.type_id |
about.resource.attribute.labels[cloud_acc_type_id] |
If the cloud.account.type_id log field value is not empty then, the about.resource.attribute.labels.key UDM field is set to cloud_acc_type_id and cloud.account.type_id log field is mapped to the about.resource.attribute.labels UDM field. |
cloud.account.uid |
about.resource.attribute.labels[cloud_acc_uid] |
If the cloud.account.uid log field value is not empty then, the about.resource.attribute.labels.key UDM field is set to cloud_acc_uid and cloud.account.uid log field is mapped to the about.resource.attribute.labels UDM field. |
cloud.org.ou_name |
about.resource.attribute.labels[cloud_org_ou_name] |
If the cloud.org.ou_name log field value is not empty then, the about.resource.attribute.labels.key UDM field is set to cloud_org_ou_name and cloud.org.ou_name log field is mapped to the about.resource.attribute.labels UDM field. |
cloud.org.ou_uid |
about.resource.attribute.labels[cloud_org_ou_uid] |
If the cloud.org.ou_uid log field value is not empty then, the about.resource.attribute.labels.key UDM field is set to cloud_org_ou_uid and cloud.org.ou_uid log field is mapped to the about.resource.attribute.labels UDM field. |
raw_data.triggeringEvents.id.value |
security_result.threat_id |
Iterate through log field raw_data.triggeringEvents, then if the raw_data.triggeringEvents.id.value log field value is not empty then, raw_data.triggeringEvents.id.value log field is mapped to the security_result.threat_id UDM field. |
raw_data.triggeringEvents.name.value |
security_result.threat_name |
Iterate through log field raw_data.triggeringEvents, then if the raw_data.triggeringEvents.name.value log field value is not empty then, raw_data.triggeringEvents.name.value log field is mapped to the security_result.threat_name UDM field. |
raw_data.triggeringEvents.description.value |
security_result.description |
Iterate through log field raw_data.triggeringEvents, then if the raw_data.triggeringEvents.description.value log field value is not empty then, raw_data.triggeringEvents.description.value log field is mapped to the security_result.description UDM field. |
raw_data.triggeringEvents.cloudProviderUrl.value |
security_result.detection_fields[triggering_event_url] |
Iterate through log field raw_data.triggeringEvents, then if the raw_data.triggeringEvents.cloudProviderUrl.value log field value is not empty then, the security_result.detection_fields.key UDM field is set to triggering_event_url and raw_data.triggeringEvents.cloudProviderUrl.value log field is mapped to the security_result.detection_fields.value UDM field. |
raw_data.triggeringEvents.category.value |
security_result.category_details |
Iterate through log field raw_data.triggeringEvents, then if the raw_data.triggeringEvents.category.value log field value is not empty then, raw_data.triggeringEvents.category.value log field is mapped to the security_result.category_details UDM field. |
raw_data.triggeringEvents.source.value |
security_result.detection_fields[triggering_event_source] |
Iterate through log field raw_data.triggeringEvents, then if the raw_data.triggeringEvents.source.value log field value is not empty then, the security_result.detection_fields.key UDM field is set to triggering_event_source and raw_data.triggeringEvents.source.value log field is mapped to the security_result.detection_fields.value UDM field. |
raw_data.triggeringEvents.origin.value |
security_result.detection_fields[triggering_event_origin] |
Iterate through log field raw_data.triggeringEvents, then if the raw_data.triggeringEvents.origin.value log field value is not empty then, the security_result.detection_fields.key UDM field is set to triggering_event_origin and raw_data.triggeringEvents.origin.value log field is mapped to the security_result.detection_fields.value UDM field. |
raw_data.triggeringEvents.status.value |
security_result.detection_fields[triggering_event_status] |
Iterate through log field raw_data.triggeringEvents, then if the raw_data.triggeringEvents.status.value log field value is not empty then, the security_result.detection_fields.key UDM field is set to triggering_event_status and raw_data.triggeringEvents.status.value log field is mapped to the security_result.detection_fields.value UDM field. |
raw_data.triggeringEvents.actorIPMeta.reputation.value |
security_result.detection_fields[triggering_event_actor_ip_meta_reputation] |
Iterate through log field raw_data.triggeringEvents, then iterate through log field raw_data.triggeringEvents.actorIPMeta, then if the raw_data.triggeringEvents.actorIPMeta.reputation.value log field value is not empty then, the security_result.detection_fields.key UDM field is set to triggering_event_actor_ip_meta_reputation and raw_data.triggeringEvents.actorIPMeta.reputation.value log field is mapped to the security_result.detection_fields.value UDM field. |
raw_data.triggeringEvents.actorIPMeta.reputationDescription.value |
security_result.detection_fields[triggering_event_actor_ip_meta_reputationDescription] |
Iterate through log field raw_data.triggeringEvents, then iterate through log field raw_data.triggeringEvents.actorIPMeta, then if the raw_data.triggeringEvents.actorIPMeta.reputationDescription.value log field value is not empty then, the security_result.detection_fields.key UDM field is set to triggering_event_actor_ip_meta_reputationDescription and raw_data.triggeringEvents.actorIPMeta.reputationDescription.value log field is mapped to the security_result.detection_fields.value UDM field. |
raw_data.triggeringEvents.actorIPMeta.reputationSource.value |
security_result.detection_fields[triggering_event_actor_ip_meta_reputationSource] |
Iterate through log field raw_data.triggeringEvents, then iterate through log field raw_data.triggeringEvents.actorIPMeta, then if the raw_data.triggeringEvents.actorIPMeta.reputationSource.value log field value is not empty then, the security_result.detection_fields.key UDM field is set to triggering_event_actor_ip_meta_reputationSource and raw_data.triggeringEvents.actorIPMeta.reputationSource.value log field is mapped to the security_result.detection_fields.value UDM field. |
raw_data.triggeringEvents.actorIPMeta.autonomousSystemNumber.value |
security_result.detection_fields[triggering_event_actor_ip_meta_autonomousSystemNumber] |
Iterate through log field raw_data.triggeringEvents, then iterate through log field raw_data.triggeringEvents.actorIPMeta, then if the raw_data.triggeringEvents.actorIPMeta.autonomousSystemNumber.value log field value is not empty then, the security_result.detection_fields.key UDM field is set to triggering_event_actor_ip_meta_autonomousSystemNumber and raw_data.triggeringEvents.actorIPMeta.autonomousSystemNumber.value log field is mapped to the security_result.detection_fields.value UDM field. |
class_uid |
additional.fields[class_uid] |
If the class_uid log field value is not empty then, the additional.fields.key UDM field is set to class_uid and class_uid log field is mapped to the additional.fields UDM field. |
start_time |
additional.fields[start_time] |
If the start_time log field value is not empty then, the additional.fields.key UDM field is set to start_time and start_time log field is mapped to the additional.fields UDM field. |
end_time |
additional.fields[end_time] |
If the end_time log field value is not empty then, the additional.fields.key UDM field is set to end_time and end_time log field is mapped to the additional.fields UDM field. |
type_name |
security_result.detection_fields[type_name] |
If the type_name log field value is not empty then, the security_result.detection_fields.key UDM field is set to type_name and type_name log field is mapped to the security_result.detection_fields.value UDM field. |
type_uid |
security_result.detection_fields[type_uid] |
If the type_uid log field value is not empty then, the security_result.detection_fields.key UDM field is set to type_uid and type_uid log field is mapped to the security_result.detection_fields.value UDM field. |
comment |
security_result.detection_fields[comment] |
If the comment log field value is not empty then, the security_result.detection_fields.key UDM field is set to comment and comment log field is mapped to the security_result.detection_fields.value UDM field. |
confidence |
security_result.confidence |
If the confidence log field value is not empty and matches the regular expression pattern Low then, the security_result.confidence UDM field is set to LOW_CONFIDENCE. Else, if the confidence log field value matches the regular expression pattern Medium then, the security_result.confidence UDM field is set to MEDIUM_CONFIDENCE. Else, if the confidence log field value matches the regular expression pattern High then, the security_result.confidence UDM field is set to HIGH_CONFIDENCE. Else, the security_result.confidence UDM field is set to UNKNOWN_CONFIDENCE. |
confidence_score |
security_result.confidence_details |
If the confidence_score log field value is not empty then, confidence_score log field is mapped to the security_result.confidence_details UDM field. |
| confidence_id | security_result.detection_fields[confidence_id] | If the confidence_id log field value is not empty then, the security_result.detection_fields.key UDM field is set to confidence_id and confidence_id log field is mapped to the security_result.detection_fields.value UDM field. |
| count | security_result.detection_fields[count] | If the count log field value is not empty then, the security_result.detection_fields.key UDM field is set to count and count log field is mapped to the security_result.detection_fields.value UDM field. |
| duration | security_result.detection_fields[duration] | If the duration log field value is not empty then, the security_result.detection_fields.key UDM field is set to duration and duration log field is mapped to the security_result.detection_fields.value UDM field. |
| impact | security_result.detection_fields[impact] | If the impact log field value is not empty then, the security_result.detection_fields.key UDM field is set to impact and impact log field is mapped to the security_result.detection_fields.value UDM field. |
| impact_id | security_result.detection_fields[impact_id] | If the impact_id log field value is not empty then, the security_result.detection_fields.key UDM field is set to impact_id and impact_id log field is mapped to the security_result.detection_fields.value UDM field. |
| impact_score | security_result.detection_fields[impact_score] | If the impact_score log field value is not empty then, the security_result.detection_fields.key UDM field is set to impact_score and impact_score log field is mapped to the security_result.detection_fields.value UDM field. |
| risk_level | security_result.detection_fields[risk_level] | If the risk_level log field value is not empty then, the security_result.detection_fields.key UDM field is set to risk_level and risk_level log field is mapped to the security_result.detection_fields.value UDM field. |
| risk_level_id | security_result.detection_fields[risk_level_id] | If the risk_level_id log field value is not empty then, the security_result.detection_fields.key UDM field is set to risk_level_id and risk_level_id log field is mapped to the security_result.detection_fields.value UDM field. |
| risk_score | security_result.risk_score | If the risk_score log field value is not empty then, risk_score log field is mapped to the security_result.risk_score UDM field. |
| status | security_result.detection_fields[status] | If the status log field value is not empty then, the security_result.detection_fields.key UDM field is set to status and status log field is mapped to the security_result.detection_fields.value UDM field. |
| status_code | security_result.detection_fields[status_code] | If the status_code log field value is not empty then, the security_result.detection_fields.key UDM field is set to status_code and status_code log field is mapped to the security_result.detection_fields.value UDM field. |
| status_detail | security_result.detection_fields[status_detail] | If the status_detail log field value is not empty then, the security_result.detection_fields.key UDM field is set to status_detail and status_detail log field is mapped to the security_result.detection_fields.value UDM field. |
| status_id | security_result.detection_fields[status_id] | If the status_id log field value is not empty then, the security_result.detection_fields.key UDM field is set to status_id and status_id log field is mapped to the security_result.detection_fields.value UDM field. |
| timezone_offset | security_result.detection_fields[timezone_offset] | If the timezone_offset log field value is not empty then, the security_result.detection_fields.key UDM field is set to timezone_offset and timezone_offset log field is mapped to the security_result.detection_fields.value UDM field. |
| disposition | security_result.action_details | If the disposition log field value is not empty then, disposition log field is mapped to the security_result.action_details UDM field. |
| disposition_id | security_result.action | If the disposition_id log field value is not empty and if the disposition_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW. Else, if disposition_id log field value is equal to 2 then, the security_result.action UDM field is set to BLOCK. Else, if disposition_id log field value is equal to 4 then, the security_result.action UDM field is set to QUARANTINE. Else, the security_result.action UDM field is set to UNKNOWN_ACTION. |
| action | security_result.detection_fields[action] | If the action log field value is not empty then, the security_result.detection_fields.key UDM field is set to action and action log field is mapped to the security_result.detection_fields.value UDM field. |
| action_id | security_result.action | If the action_id log field value is not empty and if the action_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW. Else, if action_id log field value is equal to 2 then, the security_result.action UDM field is set to BLOCK. Else, if action_id log field value is equal to 4 then, the security_result.action UDM field is set to QUARANTINE. Else, the security_result.action UDM field is set to UNKNOWN_ACTION. |
| class_name | additional.fields[class_name] | If the class_name log field value is not empty then, the additional.fields.key UDM field is set to class_name and class_name log field is mapped to the additional.fields UDM field. |
Field mapping reference: OCSF Process Activity
The following table lists the log fields for the Process Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
activity_id |
metadata.event_type |
If the class_name log field value is equal to Process Activity and if the activity_id log field value is equal to 1 then, the metadata.event_type UDM field is set to PROCESS_LAUNCH. Else, if the activity_id log field value is equal to 2 then, the metadata.event_type UDM field is set to PROCESS_TERMINATION. Else, if the activity_id log field value is equal to 3 then, the metadata.event_type UDM field is set to PROCESS_OPEN. Else, if the activity_id log field value is equal to 4 then, the metadata.event_type UDM field is set to PROCESS_INJECTION. Else, the metadata.event_type UDM field is set to PROCESS_UNCATEGORIZED. |
activity_name |
metadata.product_event_type |
%{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
actor.process.cmd_line |
principal.process.command_line |
If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
actor.process.file.accessed_time |
principal.process.file.last_seen_time |
If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
actor.process.file.created_time |
principal.process.file.first_seen_time |
If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
actor.process.file.mime_type |
principal.process.file.mime_type |
If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
actor.process.file.modified_time |
principal.process.file.last_modification_time |
If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
actor.process.file.name |
principal.process.file.names |
If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
actor.process.file.path |
principal.process.file.full_path |
If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
actor.process.file.size |
principal.process.file.size |
If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
actor.process.parent_process.cmd_line |
principal.process.parent_process.command_line |
If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
actor.process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
actor.process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if process.parent_process.file.created_time log field value is not empty then, process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if process.parent_process.file.mime_type log field value is not empty then, process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if process.parent_process.file.modified_time log field value is not empty then, process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if process.parent_process.file.name log field value is not empty then, process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if process.parent_process.file.path log field value is not empty then, process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if process.parent_process.file.size log field value is not empty then, process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
actor.process.parent_process.pid |
principal.process.parent_process.pid |
If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if process.parent_process.pid log field value is not empty then, process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if process.parent_process.uid log field value is not empty then, process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
actor.process.pid |
principal.process.pid |
If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if process.pid log field value is not empty then, process.pid log field is mapped to the principal.process.pid UDM field. |
actor.process.uid |
principal.process.product_specific_process_id |
If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if process.uid log field value is not empty then, process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
actor.process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name |
principal.user.user_display_name |
If the actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is empty and if the actor.process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.full_name |
principal.user.user_display_name |
If the actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
api.response.code |
network.http.response_code |
|
api.response.message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name |
target.application |
|
attacks.tactics.name |
security_result.attack_details.tactics.name |
|
attacks.tactics.uid |
security_result.attack_details.tactics.id |
|
attacks.technique.name |
security_result.attack_details.technique.name |
|
attacks.technique.uid |
security_result.attack_details.technique.id |
|
attacks.version |
security_result.attack_details.version |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
class_name |
metadata.log_type |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
device.created_time |
principal.asset.attribute.creation_time |
|
device.domain |
principal.asset.network_domain |
|
device.first_seen_time |
principal.asset.first_seen_time |
|
device.hostname |
principal.asset.hostname |
|
device.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
device.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
device.hw_info.cpu_speed |
principal.asset.hardware.cpu_clock_speed |
|
device.hw_info.cpu_type |
principal.asset.hardware.cpu_model |
|
device.hw_info.ram_size |
principal.asset.hardware.ram |
|
device.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
device.ip |
principal.asset.ip |
|
device.location.city |
principal.asset.location.city |
|
device.location.coordinates |
principal.asset.location.region_coordinates.longitude/latitude |
|
device.location.country |
principal.asset.location.country_or_region |
|
device.location.region |
principal.asset.location.name |
If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
device.mac |
principal.asset.mac |
|
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.os.type_id |
principal.asset.platform_software.platform |
If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX. Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC. Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS. Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
device.os.version |
principal.asset.platform_software.platform_version |
|
device.region |
principal.asset.location.name |
|
device.type_id |
principal.asset.type |
|
device.uid |
principal.asset.product_object_id |
|
disposition |
security_result.action_details |
|
disposition_id |
security_result.action |
If the class_name log field value is equal to Process Activity and if the disposition_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW. Else, if disposition_id log field value is equal to 2 then, the security_result.action UDM field is set to BLOCK. Else, if disposition_id log field value is equal to 3 then, the security_result.action UDM field is set to QUARANTINE. |
malware.cves.created_time |
extensions.vulns.vulnerabilities.first_found |
|
malware.cves.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
malware.cves.cvss.severity |
extensions.vulns.vulnerabilities.severity |
If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
malware.cves.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
malware.cves.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
malware.cves.product.name |
extensions.vulns.vulnerabilities.about.application |
|
malware.cves.product.uid |
extensions.vulns.vulnerabilities.about.asset_id |
|
malware.cves.product.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
malware.cves.type |
extensions.vulns.vulnerabilities.name |
|
malware.cves.uid |
extensions.vulns.vulnerabilities.cve_id |
|
malware.name |
security_result.threat_name |
|
malware.uid |
security_result.threat_id |
|
message |
metadata.description |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.product.name |
metadata.product_name |
|
metadata.uid |
metadata.product_log_id |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
module.file.accessed_time |
target.process.file.last_seen_time |
|
module.file.created_time |
target.process.file.first_seen_time |
|
module.file.mime_type |
target.process.file.mime_type |
|
module.file.modified_time |
target.process.file.last_modification_time |
|
module.file.name |
target.process.file.names |
|
module.file.path |
target.process.file.full_path |
|
module.file.signature.certificate.issuer |
target.process.file.signature_info.x509.cert_issuer |
|
module.file.signature.certificate.serial_number |
target.process.file.signature_info.x509.serial_number |
|
module.file.signature.developer_uid |
target.process.file.signature_info.sigcheck.signers.name |
|
module.file.size |
target.process.file.size |
|
observables.value |
observer.file.names |
Iterate through the observables.value log field; then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through the observables.value log field; then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through the observables.value log field; then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through the observables.value log field; then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through the observables.value log field; then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through the observables.value log field; then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through the observables.value log field; then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through the observables.value log field; then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through the observables.value log field; then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through the observables.value log field; then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
process.cmd_line |
principal.process.command_line |
If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
process.file.accessed_time |
principal.process.file.last_seen_time |
If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
process.file.created_time |
principal.process.file.first_seen_time |
If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
process.file.mime_type |
principal.process.file.mime_type |
If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
process.file.modified_time |
principal.process.file.last_modification_time |
If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
process.file.name |
principal.process.file.names |
If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
process.file.path |
principal.process.file.full_path |
If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
process.file.size |
principal.process.file.size |
If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
process.parent_process.cmd_line |
principal.process.parent_process.command_line |
If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if process.parent_process.file.created_time log field value is not empty then, process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if process.parent_process.file.mime_type log field value is not empty then, process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if process.parent_process.file.modified_time log field value is not empty then, process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
process.parent_process.file.name |
principal.process.parent_process.file.names |
If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if process.parent_process.file.name log field value is not empty then, process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
process.parent_process.file.path |
principal.process.parent_process.file.full_path |
If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if process.parent_process.file.path log field value is not empty then, process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
process.parent_process.file.size |
principal.process.parent_process.file.size |
If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if process.parent_process.file.size log field value is not empty then, process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
process.parent_process.pid |
principal.process.parent_process.pid |
If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if process.parent_process.pid log field value is not empty then, process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if process.parent_process.uid log field value is not empty then, process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
process.parent_process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
process.parent_process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
process.parent_process.user.full_name |
principal.user.user_display_name |
If the actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
process.parent_process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
process.parent_process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
process.parent_process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
process.parent_process.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
process.parent_process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
process.parent_process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
process.parent_process.user.type_id |
principal.user.attribute.roles.name |
If the process.user.type_id log field value is empty and if the process.parent_process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.parent_process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.parent_process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.parent_process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
process.parent_process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
process.pid |
principal.process.pid |
If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if process.pid log field value is not empty then, process.pid log field is mapped to the principal.process.pid UDM field. |
process.uid |
principal.process.product_specific_process_id |
If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if process.uid log field value is not empty then, process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.user.domain log field value is not empty then, process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if process.parent_process.user.domain log field value is not empty then, process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.user.email_addr log field value is not empty then, process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if process.parent_process.user.email_addr log field value is not empty then, process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
process.user.full_name |
principal.user.user_display_name |
If the actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.parent_process.user.full_name log field value is not empty then, process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if process.user.full_name log field value is not empty then, process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.user.groups.name log field value is not empty then, process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if process.parent_process.user.groups.name log field value is not empty then, process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.user.groups.uid log field value is not empty then, process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if process.parent_process.user.groups.uid log field value is not empty then, process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
process.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.user.name log field value is not empty then, process.user.name log field is mapped to the principal.user.userid UDM field. Else, if process.parent_process.user.name log field value is not empty then, process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.user.org.name log field value is not empty then, process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if process.parent_process.user.org.name log field value is not empty then, process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.user.org.ou_name log field value is not empty then, process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if process.parent_process.user.org.ou_name log field value is not empty then, process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
process.user.type_id |
principal.user.attribute.roles.name |
If the actor.process.user.type_id log field value is empty and if the process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.user.uid log field value is not empty then, process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if process.parent_process.user.uid log field value is not empty then, process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
requested_permissions |
principal.process.access_mask |
|
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
time |
metadata.event_timestamp |
|
vulnerabilities.cve.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
vulnerabilities.cve.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
vulnerabilities.cve.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
vulnerabilities.cve.modified_time |
extensions.vulns.vulnerabilities.about.labels [vuln_cve_modified_time] |
|
vulnerabilities.kb_articles |
extensions.vulns.vulnerabilities.about.labels [vuln_kb_articles] |
|
vulnerabilities.packages.architecture |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_architecture] |
|
vulnerabilities.packages.epoch |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_epoch] |
|
vulnerabilities.packages.name |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_name] |
|
vulnerabilities.packages.release |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_release] |
|
vulnerabilities.packages.version |
extensions.vulns.vulnerabilities.about.labels [vuln_packages_version] |
|
vulnerabilities.references |
extensions.vulns.vulnerabilities.about.labels [vuln_references] |
|
vulnerabilities.related_vulnerabilities |
extensions.vulns.vulnerabilities.about.labels [vuln_related_vulnerabilities] |
|
vulnerabilities.cve.modified_time |
additional.fields [vuln_cve_modified_time] |
|
vulnerabilities.kb_articles |
additional.fields [vuln_kb_articles] |
|
vulnerabilities.packages.architecture |
additional.fields [vuln_packages_architecture] |
|
vulnerabilities.packages.epoch |
additional.fields [vuln_packages_epoch] |
|
vulnerabilities.packages.name |
additional.fields [vuln_packages_name] |
|
vulnerabilities.packages.release |
additional.fields [vuln_packages_release] |
|
vulnerabilities.packages.version |
additional.fields [vuln_packages_version] |
|
vulnerabilities.references |
additional.fields [vuln_references] |
|
vulnerabilities.related_vulnerabilities |
additional.fields [vuln_related_vulnerabilities] |
|
vulnerabilities.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
status |
security_result.detection_fields [status] |
|
type_name |
security_result.detection_fields [type_name] |
|
type_uid |
security_result.detection_fields [type_uid] |
|
status_id |
security_result.detection_fields [status_id] |
|
actor.session.uid |
network.session_id |
If the actor.session.uid log field value is not equal to then, actor.session.uid log field is mapped to the network.session_id UDM field. Else, if process.session.uid log field value is not equal to then, process.session.uid log field is mapped to the network.session_id UDM field. |
actor.user.account_type |
principal.user.attribute.labels[actor_user_account_type] |
|
actor.user.account_type_id |
principal.user.attribute.labels[actor_user_account_type_id] |
|
device.os.name |
principal.asset.attribute.labels[device_os_name] |
|
device.os.type |
principal.asset.attribute.labels[device_os_type] |
|
device.type |
principal.asset.attribute.labels[device_type] |
|
actor.process.file.parent_folder |
principal.labels[actor_process_file_parent_folder] |
|
actor.process.file.type |
principal.labels[actor_process_file_type] |
|
actor.process.file.type_id |
principal.labels[actor_process_file_type_id] |
|
metadata.original_time |
about.labels[metadata_original_time] |
|
metadata.product.feature.name |
about.labels [metadata_product_feature_name] |
|
metadata.profiles |
about.labels [metadata_profiles] |
|
metadata.uid |
about.labels [metadata_uid] |
|
metadata.version |
about.labels [metadata_version] |
|
process.file.parent_folder |
principal.labels[process_file_parent_folder] |
|
process.file.type |
principal.labels[process_file_type] |
|
process.file.type_id |
principal.labels[process_file_type_id] |
|
exit_code |
about.labels [exit_code] |
|
class_uid |
about.labels [class_uid] |
|
actor.process.file.parent_folder |
additional.fields [actor_process_file_parent_folder] |
|
actor.process.file.type |
additional.fields [actor_process_file_type] |
|
actor.process.file.type_id |
additional.fields [actor_process_file_type_id] |
|
metadata.original_time |
additional.fields [metadata_original_time] |
|
metadata.product.feature.name |
additional.fields [metadata_product_feature_name] |
|
metadata.profiles |
additional.fields [metadata_profiles] |
|
metadata.uid |
additional.fields [metadata_uid] |
|
metadata.version |
additional.fields [metadata_version] |
|
process.file.parent_folder |
additional.fields [process_file_parent_folder] |
|
process.file.type |
additional.fields [process_file_type] |
|
process.file.type_id |
additional.fields [process_file_type_id] |
|
exit_code |
additional.fields [exit_code] |
|
class_uid |
additional.fields [class_uid] |
|
process.session.uid |
network.session_id |
If the actor.session.uid log field value is not equal to then, actor.session.uid log field is mapped to the network.session_id UDM field. Else, if process.session.uid log field value is not equal to then, process.session.uid log field is mapped to the network.session_id UDM field. |
actor.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.cost_center log field value is not empty then, actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.process.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.cost_center log field value is not empty then, actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.created_time log field value is not empty then, actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.process.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.created_time log field value is not empty then, actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.deleted_time log field value is not empty then, actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.process.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.deleted_time log field value is not empty then, actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.process.user.ldap_person.email_addrs log field value is not empty then, actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.process.user.ldap_person.email_addrs log field value is not empty then, actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.ldap_person.employee_uid |
principal.user.employee_uid |
If the actor.user.ldap_person.employee_uid log field value is not empty then, actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. Else, if the actor.process.user.ldap_person.employee_uid log field value is not empty then, actor.process.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
actor.process.user.ldap_person.employee_uid |
principal.user.employee_uid |
If the actor.user.ldap_person.employee_uid log field value is not empty then, actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. Else, if the actor.process.user.ldap_person.employee_uid log field value is not empty then, actor.process.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
actor.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.location log field value is not empty then, actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
actor.process.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.location log field value is not empty then, actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
actor.user.ldap_person.given_name |
principal.user.first_name |
If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the actor.process.user.ldap_person.given_name log field value is not empty then, actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.process.user.ldap_person.given_name |
principal.user.first_name |
If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the actor.process.user.ldap_person.given_name log field value is not empty then, actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.user.ldap_person.hire_time |
principal.user.hire_date |
If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the actor.process.user.ldap_person.hire_time log field value is not empty then, actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.process.user.ldap_person.hire_time |
principal.user.hire_date |
If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the actor.process.user.ldap_person.hire_time log field value is not empty then, actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.user.ldap_person.job_title |
principal.user.title |
If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if the actor.process.user.ldap_person.job_title log field value is not empty then, actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.process.user.ldap_person.job_title |
principal.user.title |
If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if the actor.process.user.ldap_person.job_title log field value is not empty then, actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.ldap_cn log field value is not empty then, actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.process.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.ldap_cn log field value is not empty then, actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.ldap_dn log field value is not empty then, actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.process.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.ldap_dn log field value is not empty then, actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.labels log field value is not empty then, actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
actor.process.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.labels log field value is not empty then, actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
actor.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if the actor.process.user.ldap_person.last_login_time log field value is not empty then, actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.process.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if the actor.process.user.ldap_person.last_login_time log field value is not empty then, actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.leave_time log field value is not empty then, actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.process.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.leave_time log field value is not empty then, actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.modified_time log field value is not empty then, actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if actor.process.user.ldap_person.modified_time log field value then, actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.process.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.modified_time log field value is not empty then, actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if actor.process.user.ldap_person.modified_time log field value then, actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.office_location |
principal.user.office_address.name |
If the actor.user.ldap_person.office_location log field value is not empty then, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if actor.process.user.ldap_person.office_location log field value then, actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.process.user.ldap_person.office_location |
principal.user.office_address.name |
If the actor.user.ldap_person.office_location log field value is not empty then, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if actor.process.user.ldap_person.office_location log field value then, actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.user.ldap_person.surname |
principal.user.last_name |
If the actor.user.ldap_person.surname log field value is not empty then, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if actor.process.user.ldap_person.surname log field value then, actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
actor.process.user.ldap_person.surname |
principal.user.last_name |
If the actor.user.ldap_person.surname log field value is not empty then, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if actor.process.user.ldap_person.surname log field value then, actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
| actor.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
| actor.process.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
| actor.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
| actor.process.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
| actor.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| actor.process.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| actor.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the actor.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.process.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. |
| actor.process.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the actor.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.process.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. |
| actor.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the actor.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. Else, if the actor.process.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. |
| actor.process.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the actor.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. Else, if the actor.process.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. |
| actor.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
| actor.process.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
| actor.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the actor.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.process.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. |
| actor.process.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the actor.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.process.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. |
| actor.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the actor.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. Else, if the actor.process.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. |
| actor.process.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the actor.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. Else, if the actor.process.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. |
| actor.user.ldap_person.manager.job_title | principal.user.managers.title | If the actor.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. Else, if the actor.process.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. |
| actor.process.user.ldap_person.manager.job_title | principal.user.managers.title | If the actor.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. Else, if the actor.process.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. |
| actor.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
| actor.process.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
| actor.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
| actor.process.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
| actor.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
| actor.process.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
| actor.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | If the actor.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. Else, if the actor.process.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. |
| actor.process.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | If the actor.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. Else, if the actor.process.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. |
| actor.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
| actor.process.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
| actor.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
| actor.process.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.manager.modified_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
| actor.user.ldap_person.manager.office_location | principal.user.managers.office_address.name | If the actor.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. Else, if the actor.process.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. |
| actor.process.user.ldap_person.manager.office_location | principal.user.managers.office_address.name | If the actor.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. Else, if the actor.process.user.ldap_person.manager.office_location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. |
| actor.user.ldap_person.manager.surname | principal.user.managers.last_name | If the actor.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. Else, if the actor.process.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. |
| actor.process.user.ldap_person.manager.surname | principal.user.managers.last_name | If the actor.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. Else, if the actor.process.user.ldap_person.manager.surname log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. |
| actor.user.groups.domain | principal.user.group_identifiers | If the actor.user.ldap_person.groups.domain log field value is not empty, then iterate through the actor.user.ldap_person.groups log field, and the actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.ldap_person.groups.domain log field value is not empty, then iterate through the actor.user.ldap_person.groups log field, and the actor.process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.process.user.groups.domain | principal.user.group_identifiers | If the actor.user.ldap_person.groups.domain log field value is not empty, then iterate through the actor.user.ldap_person.groups log field, and the actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.ldap_person.groups.domain log field value is not empty, then iterate through the actor.user.ldap_person.groups log field, and the actor.process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
| additional.fields[actor.session.uid_alt] | additional.fields[actor_session_uid_alt] | |
| additional.fields[actor.session.count] | additional.fields[actor_session_count] | |
| additional.fields[actor.session.expiration_reason] | additional.fields[actor_session_expiration_reason] | |
| additional.fields[actor.session.is_mfa] | additional.fields[actor_session_is_mfa] | |
| additional.fields[actor.session.terminal] | additional.fields[actor_session_terminal] | |
| additional.fields[actor.session.is_vpn] | additional.fields[actor_session_is_vpn] | |
| device.zone | principal.asset.attribute.labels[device_zone] | |
| device.groups.domain | principal.asset.attribute.labels[device_groups_domain] | Iterate through the device.groups.domain log field, then the device.groups.domain log field is mapped to the principal.asset.attribute.labels[device_domain] UDM field. |
| device.os.cpe_name | principal.asset.attribute.labels[device_os_cpe_name] | |
| process.file.signature.certificate.uid | additional.fields[file_signature_certificate_uid] | |
| process.file.product.cpe_name | additional.fields[file_product_cpe_name] | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | additional.fields[metadata_product_cpe_name] | |
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
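As an added example, not Google's parser code and not part of this reference, the Python script below applies the Http Activity rules documented in the next section to a constructed OCSF event, so a detection engineer can check which raw field will land in a UDM field before writing a rule against it. It models the response-code precedence chain (http_response.code, then http_status, then api.response.code), the actor.user over actor.process.user fallback, the enum decodings with their documented defaults, the `%{uid} - %{name}` concatenations, and the observables dispatch. Reading the observables rule as "only the entry at index 0 is dispatched, by its type_id" is an assumption, and every value in the sample event is constructed.

```python
"""Apply a subset of the documented OCSF Http Activity -> UDM rules to an event.

Added example, not Google SecOps parser code: the tables below are transcribed
from the Logic column of the Http Activity field-mapping reference.
"""

# Enum decodings transcribed from the reference, with the documented defaults.
IP_PROTOCOL = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 41: "IP6IN4",
               47: "GRE", 50: "ESP", 58: "ICMP6", 88: "EIGRP", 97: "ETHERIP",
               103: "PIM", 112: "VRRP", 132: "SCTP"}
DIRECTION = {1: "INBOUND", 2: "OUTBOUND"}
ACTION = {1: "ALLOW", 2: "BLOCK", 4: "QUARANTINE"}
PLATFORM = {100: "WINDOWS", 101: "WINDOWS", 200: "LINUX", 201: "ANDROID",
            300: "MAC", 301: "IOS"}
DEVICE_TYPE = {1: "SERVER", 2: "WORKSTATION", 3: "LAPTOP", 4: "MOBILE",
               5: "MOBILE", 7: "IOT"}
USER_ROLE = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}
OBSERVABLE_FIELD = {1: "observer.hostname", 2: "observer.ip", 3: "observer.mac",
                    4: "observer.user.userid", 5: "observer.user.email_addresses",
                    6: "observer.url", 7: "observer.file.names",
                    8: "observer.file.vhash", 9: "observer.process.file.names",
                    10: "observer.resource.product_object_id"}


def get(event, path):
    """Value at a dotted path; None when a segment is missing or empty."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return None if cur in ("", None) else cur


def first_present(event, *paths):
    """Precedence chain: the first path holding a non-empty value wins."""
    for path in paths:
        value = get(event, path)
        if value is not None:
            return value
    return None


def to_udm(event):
    """Return a flat dict of UDM field -> value for the rules modelled here."""
    udm = {}
    # Fallback chains: a later source is used only while the earlier ones are empty.
    chains = {
        "network.http.response_code": ("http_response.code", "http_status", "api.response.code"),
        "metadata.description": ("message", "api.response.message"),
        "target.application": ("dst_endpoint.svc_name", "api.service.name"),
        "principal.user.userid": ("actor.user.name", "actor.process.user.name"),
    }
    for udm_field, sources in chains.items():
        value = first_present(event, *sources)
        if value is not None:
            udm[udm_field] = value
    # Role name: actor.user.type_id wins; actor.process.user.type_id is the fallback.
    type_id = first_present(event, "actor.user.type_id", "actor.process.user.type_id")
    if type_id is not None:
        udm["principal.user.attribute.roles.name"] = USER_ROLE.get(type_id, "Other")
    # "%{uid} - %{name}" concatenations.
    for udm_field, uid, name in (("security_result.category_details", "category_uid", "category_name"),
                                 ("metadata.product_event_type", "activity_id", "activity_name")):
        if get(event, uid) is not None and get(event, name) is not None:
            udm[udm_field] = f"{event[uid]} - {event[name]}"
    # Enums whose unlisted values fall back to an explicit default.
    for udm_field, path, table, default in (
        ("network.direction", "connection_info.direction_id", DIRECTION, "UNKNOWN_DIRECTION"),
        ("network.ip_protocol", "connection_info.protocol_num", IP_PROTOCOL, "UNKNOWN_IP_PROTOCOL"),
        ("security_result.action", "disposition_id", ACTION, "UNKNOWN_ACTION"),
        ("principal.asset.platform_software.platform", "device.os.type_id", PLATFORM, "UNKNOWN_PLATFORM"),
        ("principal.asset.type", "device.type_id", DEVICE_TYPE, "ROLE_UNSPECIFIED"),
    ):
        value = get(event, path)
        if value is not None:
            udm[udm_field] = table.get(value, default)
    # Observables: assumption that only index 0 is dispatched, by its type_id.
    observables = event.get("observables") or []
    if observables:
        first = observables[0]
        target = OBSERVABLE_FIELD.get(first.get("type_id"))
        if target and first.get("value") not in ("", None):
            udm[target] = first["value"]
    return udm


# Constructed sample event; every value is made up for illustration.
SAMPLE_EVENT = {
    "category_uid": 4, "category_name": "Network Activity",
    "activity_id": 1, "activity_name": "Connect",
    "http_status": 403, "api": {"response": {"code": 200}},  # http_status should win
    "message": "",
    "actor": {"process": {"user": {"name": "svc_proxy"}}, "user": {"type_id": 2}},
    "connection_info": {"direction_id": 1, "protocol_num": 6},
    "disposition_id": 2,
    "device": {"os": {"type_id": 200}, "type_id": 9},  # 9 is unlisted -> default
    "observables": [{"type_id": 2, "value": "198.51.100.7"},
                    {"type_id": 1, "value": "second-entry-not-mapped"}],
}

if __name__ == "__main__":
    for field, value in sorted(to_udm(SAMPLE_EVENT).items()):
        print(f"{field} = {value}")
```

Feed a real event (with the constructed values replaced) through `to_udm` and compare the result with the UDM event Google SecOps produces; a mismatch usually means one of the precedence chains picked a different source than expected, for example an `api.response.code` that was ignored because `http_status` was present.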
Field mapping reference: OCSF Http Activity
The following table lists the log fields for the Http Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| actor.process.cmd_line | principal.process.command_line | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.mime_type | principal.process.file.mime_type | |
| actor.process.file.modified_time | principal.process.file.last_modification_time | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | |
| actor.process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
| actor.process.user.full_name | principal.user.user_display_name | If the actor.user.full_name log field value is empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
| actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.process.user.name | principal.user.userid | If the actor.user.name log field value is empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
| actor.process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
| actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
| actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is empty and if the type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.process.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
| actor.session.uid | network.session_id | |
| actor.user.domain | principal.administrative_domain | |
| actor.user.email_addr | principal.user.email_addresses | |
| actor.user.full_name | principal.user.user_display_name | |
| actor.user.groups.name | principal.group.group_display_name | |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.user.groups.uid | principal.user.group_identifiers | |
| actor.user.name | principal.user.userid | |
| actor.user.org.name | principal.user.company_name | |
| actor.user.org.ou_name | principal.user.department | |
| actor.user.type_id | principal.user.attribute.roles.name | If the type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.user.uid | principal.user.product_object_id | |
| api.response.code | network.http.response_code | If the http_response.code log field value is empty and the http_status log field value is empty then, api.response.code log field is mapped to the network.http.response_code UDM field. |
| api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
| api.service.name | target.application | If the dst_endpoint.svc_name log field value is empty then, api.service.name log field is mapped to the target.application UDM field. |
| attacks.tactics.name | security_result.attack_details.tactics.name | |
| attacks.tactics.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| category_uid | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| class_name | metadata.log_type | |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| connection_info.direction_id | network.direction | If the connection_info.direction_id log field value is equal to 1 then, the network.direction UDM field is set to INBOUND. Else, if connection_info.direction_id log field value is equal to 2 then, the network.direction UDM field is set to OUTBOUND. Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
| connection_info.protocol_num | network.ip_protocol | If the connection_info.protocol_num log field value is equal to 1 then, the network.ip_protocol UDM field is set to ICMP. Else, if connection_info.protocol_num log field value is equal to 2 then, the network.ip_protocol UDM field is set to IGMP. Else, if connection_info.protocol_num log field value is equal to 6 then, the network.ip_protocol UDM field is set to TCP. Else, if connection_info.protocol_num log field value is equal to 17 then, the network.ip_protocol UDM field is set to UDP. Else, if connection_info.protocol_num log field value is equal to 41 then, the network.ip_protocol UDM field is set to IP6IN4. Else, if connection_info.protocol_num log field value is equal to 47 then, the network.ip_protocol UDM field is set to GRE. Else, if connection_info.protocol_num log field value is equal to 50 then, the network.ip_protocol UDM field is set to ESP. Else, if connection_info.protocol_num log field value is equal to 58 then, the network.ip_protocol UDM field is set to ICMP6. Else, if connection_info.protocol_num log field value is equal to 88 then, the network.ip_protocol UDM field is set to EIGRP. Else, if connection_info.protocol_num log field value is equal to 97 then, the network.ip_protocol UDM field is set to ETHERIP. Else, if connection_info.protocol_num log field value is equal to 103 then, the network.ip_protocol UDM field is set to PIM. Else, if connection_info.protocol_num log field value is equal to 112 then, the network.ip_protocol UDM field is set to VRRP. Else, if connection_info.protocol_num log field value is equal to 132 then, the network.ip_protocol UDM field is set to SCTP. Else, the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL. |
| connection_info.protocol_ver_id | network.application_protocol_version | If the connection_info.protocol_ver_id log field value is equal to 4 then, the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if connection_info.protocol_ver_id log field value is equal to 6 then, the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). |
| device.created_time | principal.asset.attribute.creation_time | |
| device.domain | principal.asset.network_domain | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hostname | principal.asset.hostname | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
| device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
| device.location.country | principal.asset.location.country_or_region | |
| device.location.region | principal.asset.location.name | If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
| device.mac | principal.asset.mac | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.os.type_id | principal.asset.platform_software.platform | If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX. Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC. Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS. Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.region | principal.asset.location.name | |
| device.type_id | principal.asset.type | If the device.type_id log field value is equal to 1 then, the principal.asset.type UDM field is set to SERVER. Else, if device.type_id log field value is equal to 2 then, the principal.asset.type UDM field is set to WORKSTATION. Else, if device.type_id log field value is equal to 3 then, the principal.asset.type UDM field is set to LAPTOP. Else, if device.type_id log field value is equal to 4 or the device.type_id log field value is equal to 5 then, the principal.asset.type UDM field is set to MOBILE. Else, if device.type_id log field value is equal to 7 then, the principal.asset.type UDM field is set to IOT. Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED. |
| device.uid | principal.asset.product_object_id | |
| disposition | security_result.action_details | |
| disposition_id | security_result.action | If the disposition_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW. Else, if disposition_id log field value is equal to 2 then, the security_result.action UDM field is set to BLOCK. Else, if disposition_id log field value is equal to 4 then, the security_result.action UDM field is set to QUARANTINE. Else, the security_result.action UDM field is set to UNKNOWN_ACTION. |
| dst_endpoint.domain | target.domain.name | |
| dst_endpoint.hostname | target.hostname | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| dst_endpoint.ip | target.ip | |
| dst_endpoint.location.city | target.location.city | |
| dst_endpoint.location.coordinates.0 | target.location.region_coordinates.longitude | |
| dst_endpoint.location.coordinates.1 | target.location.region_coordinates.latitude | |
| dst_endpoint.location.country | target.location.country_or_region | |
| dst_endpoint.location.region | target.location.name | |
| dst_endpoint.mac | target.mac | |
| dst_endpoint.port | target.port | |
| dst_endpoint.svc_name | target.application | |
| dst_endpoint.uid | target.asset_id | |
| http_request.http_method | network.http.method | |
| http_request.referrer | network.http.referral_url | |
| http_request.user_agent | network.http.user_agent | |
| http_response.code | network.http.response_code | |
| http_status | network.http.response_code | If the http_response.code log field value is empty then, http_status log field is mapped to the network.http.response_code UDM field. |
| malware.cves.created_time | extensions.vulns.vulnerabilities.first_found | |
| malware.cves.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| malware.cves.cvss.severity | extensions.vulns.vulnerabilities.severity | If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
| malware.cves.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| malware.cves.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| malware.cves.product.name | extensions.vulns.vulnerabilities.about.application | |
| malware.cves.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| malware.cves.product.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| malware.cves.type | extensions.vulns.vulnerabilities.name | |
| malware.cves.uid | extensions.vulns.vulnerabilities.cve_id | |
| malware.name | security_result.threat_name | |
| malware.uid | security_result.threat_id | |
| message | metadata.description | |
| metadata.logged_time | metadata.collected_timestamp | |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| observables.value | observer.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.file.vhash | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.hostname | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.mac | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.process.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.resource.product_object_id | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.url | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.email_addresses | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.userid | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| proxy.domain | intermediary.domain.name | |
| proxy.hostname | intermediary.hostname | |
| proxy.intermediate_ips | intermediary.ip | |
| proxy.ip | intermediary.ip | |
| proxy.location.city | intermediary.location.city | |
| proxy.location.coordinates.0 | intermediary.location.region_coordinates.longitude | |
| proxy.location.coordinates.1 | intermediary.location.region_coordinates.latitude | |
proxy.location.country |
intermediary.location.country_or_region |
|
proxy.location.region |
intermediary.location.name |
|
proxy.mac |
intermediary.mac |
|
proxy.port |
intermediary.port |
|
proxy.svc_name |
intermediary.application |
|
proxy.uid |
intermediary.asset_id |
|
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
src_endpoint.domain |
principal.domain.name |
|
src_endpoint.hostname |
principal.hostname |
|
src_endpoint.intermediate_ips |
intermediary.ip |
|
src_endpoint.ip |
principal.ip |
|
src_endpoint.location.city |
principal.location.city |
|
src_endpoint.location.coordinates.0 |
principal.location.region_coordinates.longitude |
|
src_endpoint.location.coordinates.1 |
principal.location.region_coordinates.latitude |
|
src_endpoint.location.country |
principal.location.country_or_region |
|
src_endpoint.location.region |
principal.location.name |
|
src_endpoint.mac |
principal.mac |
|
src_endpoint.port |
principal.port |
|
src_endpoint.svc_name |
principal.application |
|
src_endpoint.uid |
principal.asset_id |
|
time |
metadata.event_timestamp |
|
tls.certificate.created_time |
network.tls.client.certificate.not_before |
|
tls.certificate.expiration_time |
network.tls.client.certificate.not_after |
|
tls.certificate.issuer |
network.tls.client.certificate.issuer |
|
tls.certificate.serial_number |
network.tls.client.certificate.serial |
|
tls.certificate.subject |
network.tls.client.certificate.subject |
|
tls.certificate.version |
network.tls.client.certificate.version |
|
tls.cipher |
network.tls.cipher |
|
tls.client_ciphers |
network.tls.client.supported_ciphers |
|
tls.ja3_hash.value |
network.tls.client.ja3 |
|
tls.ja3s_hash.value |
network.tls.client.ja3s |
|
tls.sni |
network.tls.client.server_name |
|
tls.version |
network.tls.version_protocol |
|
traffic.bytes_in |
network.received_bytes |
|
traffic.bytes_out |
network.sent_bytes |
|
traffic.packets_in |
network.received_packets |
|
traffic.packets_out |
network.sent_packets |
|
connection_info.session.uid_alt |
additional.fields[connection_info_session_uid_alt] |
|
connection_info.session.count |
additional.fields[connection_info_session_count] |
|
connection_info.session.expiration_reason |
additional.fields[connection_info_session_expiration_reason] |
|
connection_info.session.is_mfa |
additional.fields[connection_info_session_is_mfa] |
|
connection_info.session.terminal |
additional.fields[connection_info_session_terminal] |
|
connection_info.session.is_vpn |
additional.fields[connection_info_session_is_vpn] |
|
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
http_request.length |
additional.fields[http_request_length] |
|
src_endpoint.hw_info.bios_date |
principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] |
|
src_endpoint.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
src_endpoint.hw_info.bios_ver |
principal.asset.hardware.model |
|
src_endpoint.hw_info.cpu_bits |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] |
|
src_endpoint.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
src_endpoint.hw_info.cpu_count |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] |
|
src_endpoint.hw_info.chassis |
principal.asset.attribute.labels[src_endpoint_hw_info_chassis] |
|
src_endpoint.hw_info.desktop_display.color_depth |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.hw_info.desktop_display.physical_height |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.hw_info.desktop_display.physical_orientation |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.hw_info.desktop_display.physical_width |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.hw_info.desktop_display.scale_factor |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.hw_info.keyboard_info.function_keys |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.hw_info.keyboard_info.ime |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.hw_info.keyboard_info.keyboard_layout |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.hw_info.keyboard_info.keyboard_subtype |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.hw_info.keyboard_info.keyboard_type |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.hw_info.cpu_speed |
principal.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.hw_info.cpu_type |
principal.asset.hardware.cpu_platform |
|
src_endpoint.hw_info.ram_size |
principal.asset.hardware.ram |
|
src_endpoint.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
src_endpoint.zone |
principal.asset.attribute.labels[src_endpoint_zone] |
|
src_endpoint.type |
additional.fields[src_endpoint_type] |
|
src_endpoint.type_id |
additional.fields[src_endpoint_type_id] |
|
src_endpoint.os.cpe_name |
principal.asset.attribute.labels[src_endpoint_os_cpe_name] |
|
src_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
src_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
src_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
src_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
src_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
src_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
src_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
src_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
src_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
src_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
src_endpoint.proxy_endpoint.port |
intermediary.port |
|
src_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
src_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] |
|
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
src_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
src_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
src_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
src_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
src_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
src_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
src_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] |
|
src_endpoint.proxy_endpoint.type |
additional.fields[src_endpoint_proxy_endpoint_type] |
|
src_endpoint.proxy_endpoint.type_id |
additional.fields[src_endpoint_proxy_endpoint_type_id] |
|
src_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] |
|
tls.certificate.uid |
additional.fields[tls_certificate_uid] |
|
traffic.chunks |
additional.fields[traffic_chunks] |
|
traffic.chunks_in |
additional.fields[traffic_chunks_in] |
|
traffic.chunks_out |
additional.fields[traffic_chunks_out] |
|
http_cookies.domain |
security_result.detection_fields[http_cookies_domain] |
Iterate through log field http_cookies, then http_cookies.domain log field is mapped to the security_result.detection_fields[http_cookies_domain] UDM field. |
http_cookies.expiration_time |
security_result.detection_fields[http_cookies_expiration_time] |
Iterate through log field http_cookies, then http_cookies.expiration_time log field is mapped to the security_result.detection_fields[http_cookies_expiration_time] UDM field. |
http_cookies.is_http_only |
security_result.detection_fields[http_cookies_is_http_only] |
Iterate through log field http_cookies, then http_cookies.is_http_only log field is mapped to the security_result.detection_fields[http_cookies_is_http_only] UDM field. |
http_cookies.name |
security_result.detection_fields[http_cookies_name] |
Iterate through log field http_cookies, then http_cookies.name log field is mapped to the security_result.detection_fields[http_cookies_name] UDM field. |
http_cookies.path |
security_result.detection_fields[http_cookies_path] |
Iterate through log field http_cookies, then http_cookies.path log field is mapped to the security_result.detection_fields[http_cookies_path] UDM field. |
http_cookies.samesite |
security_result.detection_fields[http_cookies_samesite] |
Iterate through log field http_cookies, then http_cookies.samesite log field is mapped to the security_result.detection_fields[http_cookies_samesite] UDM field. |
http_cookies.is_secure |
security_result.detection_fields[http_cookies_is_secure] |
Iterate through log field http_cookies, then http_cookies.is_secure log field is mapped to the security_result.detection_fields[http_cookies_is_secure] UDM field. |
http_cookies.value |
security_result.detection_fields[http_cookies_value] |
Iterate through log field http_cookies, then http_cookies.value log field is mapped to the security_result.detection_fields[http_cookies_value] UDM field. |
http_response.http_headers.name |
security_results.detection_fields[http_response_http_headers_name] |
Iterate through log field http_response.http_headers, then http_response.http_headers.name log field is mapped to the security_results.detection_fields[http_response_http_headers_name] UDM field. |
http_response.http_headers.value |
security_results.detection_fields[http_response_http_headers_value] |
Iterate through log field http_response.http_headers, then http_response.http_headers.value log field is mapped to the security_results.detection_fields[http_response_http_headers_value] UDM field. |
Field mapping reference: OCSF Network Activity
The following table lists the log fields for the Network Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| api.response.code | network.http.response_code | |
| api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
| api.service.name | target.application | If the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, api.service.name log field is mapped to the target.application UDM field. |
| activity_id | metadata.event_type | If the class_name log field value is equal to Network Activity then, the metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| actor.process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
| actor.process.file.created_time | principal.process.file.first_seen_time | If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
| actor.process.file.mime_type | principal.process.file.mime_type | If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
| actor.process.file.modified_time | principal.process.file.last_modification_time | If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
| actor.process.file.name | principal.process.file.names | If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
| actor.process.file.path | principal.process.file.full_path | If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
| actor.process.file.size | principal.process.file.size | If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if process.parent_process.file.created_time log field value is not empty then, process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if process.parent_process.file.mime_type log field value is not empty then, process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if process.parent_process.file.modified_time log field value is not empty then, process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if process.parent_process.file.name log field value is not empty then, process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if process.parent_process.file.path log field value is not empty then, process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if process.parent_process.file.size log field value is not empty then, process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
actor.process.parent_process.pid |
principal.process.parent_process.pid |
If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if process.parent_process.pid log field value is not empty then, process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if process.parent_process.uid log field value is not empty then, process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
actor.process.pid |
principal.process.pid |
If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if process.pid log field value is not empty then, process.pid log field is mapped to the principal.process.pid UDM field. |
actor.process.uid |
principal.process.product_specific_process_id |
If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if process.uid log field value is not empty then, process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
actor.process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is empty and if the actor.process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
attacks.tactics.name |
security_result.attack_details.tactics.name |
|
attacks.tactics.uid |
security_result.attack_details.tactics.id |
|
attacks.technique.name |
security_result.attack_details.technique.name |
|
attacks.technique.uid |
security_result.attack_details.technique.id |
|
attacks.version |
security_result.attack_details.version |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
class_name |
metadata.log_type |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
connection_info.direction_id |
network.direction |
If the connection_info.direction_id log field value is equal to 1 then, the network.direction UDM field is set to INBOUND. Else, if connection_info.direction_id log field value is equal to 2 then, the network.direction UDM field is set to OUTBOUND. Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
connection_info.protocol_num |
network.ip_protocol |
If the connection_info.protocol_num log field value is equal to 1 then, the network.ip_protocol UDM field is set to ICMP. Else, if connection_info.protocol_num log field value is equal to 2 then, the network.ip_protocol UDM field is set to IGMP. Else, if connection_info.protocol_num log field value is equal to 6 then, the network.ip_protocol UDM field is set to TCP. Else, if connection_info.protocol_num log field value is equal to 17 then, the network.ip_protocol UDM field is set to UDP. Else, if connection_info.protocol_num log field value is equal to 41 then, the network.ip_protocol UDM field is set to IP6IN4. Else, if connection_info.protocol_num log field value is equal to 47 then, the network.ip_protocol UDM field is set to GRE. Else, if connection_info.protocol_num log field value is equal to 50 then, the network.ip_protocol UDM field is set to ESP. Else, if connection_info.protocol_num log field value is equal to 58 then, the network.ip_protocol UDM field is set to ICMP6. Else, if connection_info.protocol_num log field value is equal to 88 then, the network.ip_protocol UDM field is set to EIGRP. Else, if connection_info.protocol_num log field value is equal to 97 then, the network.ip_protocol UDM field is set to ETHERIP. Else, if connection_info.protocol_num log field value is equal to 103 then, the network.ip_protocol UDM field is set to PIM. Else, if connection_info.protocol_num log field value is equal to 112 then, the network.ip_protocol UDM field is set to VRRP. Else, if connection_info.protocol_num log field value is equal to 132 then, the network.ip_protocol UDM field is set to SCTP. Else, the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL. |
connection_info.protocol_ver_id |
network.application_protocol_version |
If the connection_info.protocol_ver_id log field value is equal to 4 then, the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if connection_info.protocol_ver_id log field value is equal to 6 then, the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). |
dst_endpoint.svc_name |
target.application |
If the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, api.service.name log field is mapped to the target.application UDM field. |
dst_endpoint.domain |
target.domain.name |
|
dst_endpoint.hostname |
target.hostname |
|
dst_endpoint.ip |
target.ip |
|
dst_endpoint.location.city |
target.location.city |
|
dst_endpoint.location.country |
target.location.country_or_region |
|
dst_endpoint.location.region |
target.location.name |
|
dst_endpoint.location.coordinates |
target.location.region_coordinates.longitude/latitude |
|
dst_endpoint.mac |
target.mac |
|
dst_endpoint.port |
target.port |
|
dst_endpoint.uid |
target.asset_id |
|
dst_endpoint.intermediate_ips |
intermediary.ip |
|
device.created_time |
principal.asset.attribute.creation_time |
|
device.domain |
principal.asset.network_domain |
|
device.first_seen_time |
principal.asset.first_seen_time |
|
device.hostname |
principal.asset.hostname |
|
device.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
device.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
device.hw_info.cpu_speed |
principal.asset.hardware.cpu_clock_speed |
|
device.hw_info.cpu_type |
principal.asset.hardware.cpu_model |
|
device.hw_info.ram_size |
principal.asset.hardware.ram |
|
device.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
device.ip |
principal.asset.ip |
|
device.location.city |
principal.asset.location.city |
|
device.location.coordinates |
principal.asset.location.region_coordinates.longitude/latitude |
|
device.location.country |
principal.asset.location.country_or_region |
|
device.location.region |
principal.asset.location.name |
If the device.region log field value is empty then, device.location.region log field is mapped to the principal.asset.location.name UDM field. |
device.mac |
principal.asset.mac |
|
device.modified_time |
principal.asset.attribute.last_update_time |
|
device.os.type_id |
principal.asset.platform_software.platform |
If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101 then, the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if device.os.type_id log field value is equal to 200 then, the principal.asset.platform_software.platform UDM field is set to LINUX. Else, if device.os.type_id log field value is equal to 201 then, the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if device.os.type_id log field value is equal to 300 then, the principal.asset.platform_software.platform UDM field is set to MAC. Else, if device.os.type_id log field value is equal to 301 then, the principal.asset.platform_software.platform UDM field is set to IOS. Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
device.os.version |
principal.asset.platform_software.platform_version |
|
device.region |
principal.asset.location.name |
|
device.type_id |
principal.asset.type |
|
device.uid |
principal.asset.product_object_id |
|
disposition |
security_result.action_details |
|
disposition_id |
security_result.action |
If the class_name log field value contains one of the following values
disposition_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW. Else, if disposition_id log field value is equal to 2 then, the security_result.action UDM field is set to BLOCK. Else, if disposition_id log field value is equal to 3 then, the security_result.action UDM field is set to QUARANTINE. |
time |
metadata.event_timestamp |
|
malware.cves.created_time |
extensions.vulns.vulnerabilities.first_found |
|
malware.cves.cvss.base_score |
extensions.vulns.vulnerabilities.cvss_base_score |
|
malware.cves.cvss.severity |
extensions.vulns.vulnerabilities.severity |
If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
malware.cves.cvss.vector_string |
extensions.vulns.vulnerabilities.cvss_vector |
|
malware.cves.cvss.version |
extensions.vulns.vulnerabilities.cvss_version |
|
malware.cves.product.name |
extensions.vulns.vulnerabilities.about.application |
|
malware.cves.product.uid |
extensions.vulns.vulnerabilities.about.asset_id |
|
malware.cves.product.vendor_name |
extensions.vulns.vulnerabilities.vendor |
|
malware.cves.type |
extensions.vulns.vulnerabilities.name |
|
malware.cves.uid |
extensions.vulns.vulnerabilities.cve_id |
|
malware.name |
security_result.threat_name |
|
malware.uid |
security_result.threat_id |
|
message |
metadata.description |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.product.name |
metadata.product_name |
|
metadata.uid |
metadata.product_log_id |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
observables.value |
observer.file.names |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
proxy.svc_name |
intermediary.application |
|
proxy.domain |
intermediary.domain.name |
|
proxy.hostname |
intermediary.hostname |
|
proxy.ip |
intermediary.ip |
|
proxy.location.city |
intermediary.location.city |
|
proxy.location.country |
intermediary.location.country_or_region |
|
proxy.location.region |
intermediary.location.name |
|
proxy.location.coordinates |
intermediary.location.region_coordinates.longitude/latitude |
|
proxy.mac |
intermediary.mac |
|
proxy.port |
intermediary.port |
|
proxy.uid |
intermediary.asset_id |
|
proxy.intermediate_ips |
intermediary.ip |
|
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
src_endpoint.domain |
principal.domain.name |
|
src_endpoint.hostname |
principal.hostname |
|
src_endpoint.ip |
principal.ip |
|
src_endpoint.intermediate_ips |
intermediary.ip |
|
src_endpoint.mac |
principal.mac |
|
src_endpoint.port |
principal.port |
|
src_endpoint.svc_name |
principal.application |
|
src_endpoint.uid |
principal.asset_id |
|
src_endpoint.location.city |
principal.location.city |
|
src_endpoint.location.coordinates |
principal.location.region_coordinates.longitude/latitude |
|
src_endpoint.location.country |
principal.location.country_or_region |
|
src_endpoint.location.region |
principal.location.name |
|
tls.cipher |
network.tls.cipher |
|
tls.certificate.issuer |
network.tls.client.certificate.issuer |
|
tls.certificate.expiration_time |
network.tls.client.certificate.not_after |
|
tls.certificate.created_time |
network.tls.client.certificate.not_before |
|
tls.certificate.serial_number |
network.tls.client.certificate.serial |
|
tls.certificate.subject |
network.tls.client.certificate.subject |
|
tls.certificate.version |
network.tls.client.certificate.version |
|
tls.ja3_hash.value |
network.tls.client.ja3 |
|
tls.ja3s_hash.value |
network.tls.client.ja3s |
|
tls.sni |
network.tls.client.server_name |
|
tls.client_ciphers |
network.tls.client.supported_ciphers |
|
tls.version |
network.tls.version_protocol |
|
traffic.bytes_out |
network.received_bytes |
|
traffic.packets_out |
network.received_packets |
|
traffic.bytes_in |
network.sent_bytes |
|
traffic.packets_in |
network.sent_packets |
|
file.accessed_time |
target.file.last_seen_time |
|
file.created_time |
target.file.first_seen_time |
|
file.mime_type |
target.file.mime_type |
|
file.modified_time |
target.file.last_modification_time |
|
file.name |
target.file.names |
|
file.path |
target.file.full_path |
|
file.size |
target.file.size |
|
cloud.account_uid |
about.resource.attribute.labels [cloud_account_uid] |
|
class_uid |
about.labels [class_uid] |
|
connection_info.boundary |
about.labels [connection_info_boundary] |
|
connection_info.boundary_id |
about.labels [connection_info_boundary_id] |
|
connection_info.protocol_ver |
about.labels [connection_info_protocol_ver] |
|
connection_info.tcp_flags |
about.labels [connection_info_tcp_flags] |
|
dst_endpoint.instance_uid |
target.labels [dst_endpoint_instance_uid] |
|
dst_endpoint.interface_uid |
target.labels [dst_endpoint_interface_uid] |
|
dst_endpoint.subnet_uid |
target.labels [dst_endpoint_subnet_uid] |
|
dst_endpoint.vpc_uid |
target.labels [dst_endpoint_vpc_uid] |
|
end_time |
about.labels [end_time] |
|
metadata.product.feature.name |
about.labels [metadata_product_feature_name] |
|
metadata.profiles |
about.labels [metadata_profiles] |
|
metadata.version |
about.labels [metadata_version] |
|
traffic.bytes |
about.labels [traffic_bytes] |
|
traffic.packets |
about.labels [traffic_packets] |
|
start_time |
about.labels [start_time] |
|
class_uid |
additional.fields [class_uid] |
|
connection_info.boundary |
additional.fields [connection_info_boundary] |
|
connection_info.boundary_id |
additional.fields [connection_info_boundary_id] |
|
connection_info.protocol_ver |
additional.fields [connection_info_protocol_ver] |
|
connection_info.tcp_flags |
additional.fields [connection_info_tcp_flags] |
|
dst_endpoint.instance_uid |
additional.fields [dst_endpoint_instance_uid] |
|
dst_endpoint.interface_uid |
additional.fields [dst_endpoint_interface_uid] |
|
dst_endpoint.subnet_uid |
additional.fields [dst_endpoint_subnet_uid] |
|
dst_endpoint.vpc_uid |
additional.fields [dst_endpoint_vpc_uid] |
|
end_time |
additional.fields [end_time] |
|
metadata.product.feature.name |
additional.fields [metadata_product_feature_name] |
|
metadata.profiles |
additional.fields [metadata_profiles] |
|
metadata.version |
additional.fields [metadata_version] |
|
traffic.bytes |
additional.fields [traffic_bytes] |
|
traffic.packets |
additional.fields [traffic_packets] |
|
start_time |
additional.fields [start_time] |
|
url.query_string |
about.security_result.detection_fields[url_query_string] |
|
url.path |
about.security_result.detection_fields[url_path] |
|
url.scheme |
about.security_result.detection_fields[url_scheme] |
|
url.category_ids |
about.security_result.detection_fields[url_category_ids] |
Iterate through log field url.category_ids, then url.category_ids log field is mapped to the about.security_result.detection_fields[url_category_ids] UDM field. |
url.hostname |
about.hostname |
|
url.port |
about.port |
|
url.resource_type |
about.resource.resource_subtype |
|
url.subdomain |
about.administrative_domain |
|
url.url_string |
about.url |
|
url.categories |
about.url_metadata.categories |
Iterate through log field url.categories, then url.categories log field is mapped to the about.url_metadata.categories UDM field. |
connection_info.session.uid_alt |
additional.fields[connection_info_session_uid_alt] |
|
connection_info.session.count |
additional.fields[connection_info_session_count] |
|
connection_info.session.expiration_reason |
additional.fields[connection_info_session_expiration_reason] |
|
connection_info.session.is_mfa |
additional.fields[connection_info_session_is_mfa] |
|
connection_info.session.terminal |
additional.fields[connection_info_session_terminal] |
|
connection_info.session.is_vpn |
additional.fields[connection_info_session_is_vpn] |
|
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
src_endpoint.hw_info.bios_date |
principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] |
|
src_endpoint.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
src_endpoint.hw_info.bios_ver |
principal.asset.hardware.model |
|
src_endpoint.hw_info.cpu_bits |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] |
|
src_endpoint.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
src_endpoint.hw_info.cpu_count |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] |
|
src_endpoint.hw_info.chassis |
principal.asset.attribute.labels[src_endpoint_hw_info_chassis] |
|
src_endpoint.hw_info.desktop_display.color_depth |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.hw_info.desktop_display.physical_height |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.hw_info.desktop_display.physical_orientation |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.hw_info.desktop_display.physical_width |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.hw_info.desktop_display.scale_factor |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.hw_info.keyboard_info.function_keys |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.hw_info.keyboard_info.ime |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.hw_info.keyboard_info.keyboard_layout |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.hw_info.keyboard_info.keyboard_subtype |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.hw_info.keyboard_info.keyboard_type |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.hw_info.cpu_speed |
principal.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.hw_info.cpu_type |
principal.asset.hardware.cpu_platform |
|
src_endpoint.hw_info.ram_size |
principal.asset.hardware.ram |
|
src_endpoint.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
src_endpoint.zone |
principal.asset.attribute.labels[src_endpoint_zone] |
|
src_endpoint.type |
additional.fields[src_endpoint_type] |
|
src_endpoint.type_id |
additional.fields[src_endpoint_type_id] |
|
src_endpoint.os.cpe_name |
principal.asset.attribute.labels[src_endpoint_os_cpe_name] |
|
src_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
src_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
src_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
src_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
src_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
src_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
src_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
src_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
src_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
src_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
src_endpoint.proxy_endpoint.port |
intermediary.port |
|
src_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
src_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] |
|
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
src_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
src_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
src_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
src_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
src_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
src_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
src_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] |
|
src_endpoint.proxy_endpoint.type |
additional.fields[src_endpoint_proxy_endpoint_type] |
|
src_endpoint.proxy_endpoint.type_id |
additional.fields[src_endpoint_proxy_endpoint_type_id] |
|
src_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] |
|
tls.certificate.uid |
additional.fields[tls_certificate_uid] |
|
traffic.chunks |
additional.fields[traffic_chunks] |
|
traffic.chunks_in |
additional.fields[traffic_chunks_in] |
|
traffic.chunks_out |
additional.fields[traffic_chunks_out] |
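The following Python is an added example, not the Google SecOps parser's own code: it implements the observables.type_id, severity_id, proxy, src_endpoint, tls and traffic rows of the table above as a small mapper over a constructed OCSF event, so the conditional logic (first observable only, the UNKNOWN_SEVERITY fallback, several OCSF fields feeding one intermediary.ip list, and the bytes_out/received_bytes direction) can be checked by running it. Reading the observables row as applying its "index value is equal to 0" condition to every branch is this example's interpretation; the output is a flat dict keyed by dotted UDM path rather than a real UDM protobuf.

```python
import json

# observables.type_id -> UDM observer field, per the observables rows above.
OBSERVABLE_TYPE_TO_UDM = {
    1: "observer.hostname",
    2: "observer.ip",
    3: "observer.mac",
    4: "observer.user.userid",
    5: "observer.user.email_addresses",
    6: "observer.url",
    7: "observer.file.names",
    8: "observer.file.vhash",
    9: "observer.process.file.names",
    10: "observer.resource.product_object_id",
}

# severity_id -> security_result.severity; anything else becomes UNKNOWN_SEVERITY.
SEVERITY_ID_TO_UDM = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}

# One-to-one copies from the table: (OCSF dotted path, UDM dotted path).
DIRECT_COPIES = [
    ("severity", "security_result.severity_details"),
    ("proxy.svc_name", "intermediary.application"),
    ("proxy.domain", "intermediary.domain.name"),
    ("proxy.hostname", "intermediary.hostname"),
    ("proxy.port", "intermediary.port"),
    ("proxy.uid", "intermediary.asset_id"),
    ("src_endpoint.domain", "principal.domain.name"),
    ("src_endpoint.hostname", "principal.hostname"),
    ("src_endpoint.ip", "principal.ip"),
    ("src_endpoint.port", "principal.port"),
    ("src_endpoint.uid", "principal.asset_id"),
    ("tls.cipher", "network.tls.cipher"),
    ("tls.sni", "network.tls.client.server_name"),
    ("tls.ja3_hash.value", "network.tls.client.ja3"),
    ("tls.version", "network.tls.version_protocol"),
    # Direction as the table states it: *_out -> received_*, *_in -> sent_*.
    ("traffic.bytes_out", "network.received_bytes"),
    ("traffic.packets_out", "network.received_packets"),
    ("traffic.bytes_in", "network.sent_bytes"),
    ("traffic.packets_in", "network.sent_packets"),
]

# Every OCSF source that the table sends to intermediary.ip.
INTERMEDIARY_IP_SOURCES = ("proxy.ip", "proxy.intermediate_ips", "src_endpoint.intermediate_ips")


def get_path(obj, dotted):
    """Resolve a dotted path through nested dicts; None if any hop is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def map_ocsf_to_udm(event):
    """Return a flat {udm_path: value} dict for the rows this example covers."""
    udm = {}
    for src, dst in DIRECT_COPIES:
        val = get_path(event, src)
        if val not in (None, ""):
            udm[dst] = val

    # intermediary.ip is repeated, so scalar and list sources are merged in table order.
    ips = []
    for src in INTERMEDIARY_IP_SOURCES:
        val = get_path(event, src)
        if isinstance(val, list):
            ips.extend(v for v in val if v)
        elif val not in (None, ""):
            ips.append(val)
    if ips:
        udm["intermediary.ip"] = ips

    # severity_id: explicit 1..5 mapping, everything else (including absent) is UNKNOWN_SEVERITY.
    udm["security_result.severity"] = SEVERITY_ID_TO_UDM.get(event.get("severity_id"), "UNKNOWN_SEVERITY")

    # observables: only index 0 is consulted; its type_id selects the observer field.
    observables = event.get("observables") or []
    if observables:
        first = observables[0]
        dst = OBSERVABLE_TYPE_TO_UDM.get(first.get("type_id"))
        if dst is not None and first.get("value") not in (None, ""):
            udm[dst] = first["value"]
    return udm


# Constructed sample event (not from any real product) exercising each branch.
SAMPLE_EVENT = {
    "severity": "High",
    "severity_id": 4,
    "observables": [
        {"name": "dst_endpoint.ip", "type_id": 2, "value": "198.51.100.4"},
        {"name": "src_endpoint.hostname", "type_id": 1, "value": "not-mapped"},
    ],
    "proxy": {"hostname": "proxy01", "ip": "192.0.2.10", "port": 3128,
              "intermediate_ips": ["192.0.2.11", "192.0.2.12"]},
    "src_endpoint": {"hostname": "ws-17", "ip": "10.0.0.5", "port": 51234},
    "tls": {"version": "1.2", "sni": "example.com", "ja3_hash": {"value": "constructed-ja3"}},
    "traffic": {"bytes_in": 1200, "bytes_out": 34000},
}

if __name__ == "__main__":
    print(json.dumps(map_ocsf_to_udm(SAMPLE_EVENT), indent=2))
```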
Field mapping reference: OCSF Network File Activity
The following table lists the log fields for the Network File Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| activity_id | metadata.event_type | If the class_name log field value is equal to Network File Activity and if the activity_id log field value is equal to 4 then, the metadata.event_type UDM field is set to FILE_DELETION. Else, if activity_id log field value is equal to 3 then, the metadata.event_type UDM field is set to FILE_MODIFICATION. Else, if activity_id log field value is equal to 14 then, the metadata.event_type UDM field is set to FILE_OPEN. Else, the metadata.event_type UDM field is set to FILE_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| actor.process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
| actor.process.file.created_time | principal.process.file.first_seen_time | If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
| actor.process.file.mime_type | principal.process.file.mime_type | If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
| actor.process.file.modified_time | principal.process.file.last_modification_time | If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
| actor.process.file.name | principal.process.file.names | If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
| actor.process.file.path | principal.process.file.full_path | If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
| actor.process.file.size | principal.process.file.size | If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
actor.process.parent_process.file.accessed_time |
principal.process.parent_process.file.last_seen_time |
If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
actor.process.parent_process.file.created_time |
principal.process.parent_process.file.first_seen_time |
If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if process.parent_process.file.created_time log field value is not empty then, process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
actor.process.parent_process.file.mime_type |
principal.process.parent_process.file.mime_type |
If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if process.parent_process.file.mime_type log field value is not empty then, process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
actor.process.parent_process.file.modified_time |
principal.process.parent_process.file.last_modification_time |
If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if process.parent_process.file.modified_time log field value is not empty then, process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
actor.process.parent_process.file.name |
principal.process.parent_process.file.names |
If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if process.parent_process.file.name log field value is not empty then, process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
actor.process.parent_process.file.path |
principal.process.parent_process.file.full_path |
If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if process.parent_process.file.path log field value is not empty then, process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
actor.process.parent_process.file.size |
principal.process.parent_process.file.size |
If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if process.parent_process.file.size log field value is not empty then, process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
actor.process.parent_process.pid |
principal.process.parent_process.pid |
If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if process.parent_process.pid log field value is not empty then, process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
actor.process.parent_process.uid |
principal.process.parent_process.product_specific_process_id |
If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if process.parent_process.uid log field value is not empty then, process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
actor.process.pid |
principal.process.pid |
If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if process.pid log field value is not empty then, process.pid log field is mapped to the principal.process.pid UDM field. |
actor.process.uid |
principal.process.product_specific_process_id |
If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if process.uid log field value is not empty then, process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
actor.process.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.process.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.process.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is empty and if the actor.process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.process.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
actor.user.domain |
principal.administrative_domain |
If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
actor.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.user.groups.name |
principal.group.group_display_name |
If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
actor.user.groups.privileges |
principal.group.attribute.permissions.name |
If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
actor.user.groups.uid |
principal.user.group_identifiers |
If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
actor.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.user.type_id |
principal.user.attribute.roles.name |
If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
api.response.code |
network.http.response_code |
|
api.response.message |
metadata.description |
If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
api.service.name |
target.application |
|
attacks.tactics.name |
security_result.attack_details.tactics.name |
|
attacks.tactics.uid |
security_result.attack_details.tactics.id |
|
attacks.technique.name |
security_result.attack_details.technique.name |
|
attacks.technique.uid |
security_result.attack_details.technique.id |
|
attacks.version |
security_result.attack_details.version |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
class_name |
metadata.log_type |
|
cloud.org.uid |
about.resource.product_object_id |
|
cloud.project_uid |
principal.resource.product_object_id |
|
cloud.provider |
about.resource.attribute.cloud.environment |
If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
cloud.region |
about.location.name |
|
cloud.zone |
about.resource.attribute.cloud.availability_zone |
|
file.accessed_time |
target.file.last_seen_time |
|
file.created_time |
target.file.first_seen_time |
|
file.mime_type |
target.file.mime_type |
|
file.modified_time |
target.file.last_modification_time |
|
file.name |
target.file.names |
|
file.path |
target.file.full_path |
|
file.size |
target.file.size |
|
metadata.logged_time |
metadata.collected_timestamp |
|
metadata.product.name |
metadata.product_name |
|
metadata.uid |
metadata.product_log_id |
|
metadata.product.vendor_name |
metadata.vendor_name |
|
metadata.product.version |
metadata.product_version |
|
observables.value |
observer.file.names |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
src_endpoint.domain |
principal.domain.name |
|
src_endpoint.hostname |
principal.hostname |
|
src_endpoint.intermediate_ips |
intermediary.ip |
|
src_endpoint.ip |
principal.ip |
|
src_endpoint.location.city |
principal.location.city |
|
src_endpoint.location.coordinates |
principal.location.region_coordinates.longitude/latitude |
|
src_endpoint.location.country |
principal.location.country_or_region |
|
src_endpoint.location.region |
principal.location.name |
|
src_endpoint.mac |
principal.mac |
|
src_endpoint.port |
principal.port |
|
src_endpoint.svc_name |
principal.application |
|
src_endpoint.uid |
principal.asset_id |
|
time |
metadata.event_timestamp |
Field mapping reference: OCSF File Hosting Activity
The following table lists the log fields for the File Hosting Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| activity_id | metadata.event_type | If class_name is Network File Activity and activity_id is 4, set to FILE_DELETION. Else, if activity_id is 3, set to FILE_MODIFICATION. Else, if activity_id is 14, set to FILE_OPEN. Else, set to FILE_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} is mapped to metadata.product_event_type. |
| actor.process.cmd_line | principal.process.command_line | actor.process.cmd_line if not empty; otherwise process.cmd_line. |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | actor.process.file.accessed_time if not empty; otherwise process.file.accessed_time. |
| actor.process.file.created_time | principal.process.file.first_seen_time | actor.process.file.created_time if not empty; otherwise process.file.created_time. |
| actor.process.file.mime_type | principal.process.file.mime_type | actor.process.file.mime_type if not empty; otherwise process.file.mime_type. |
| actor.process.file.modified_time | principal.process.file.last_modification_time | actor.process.file.modified_time if not empty; otherwise process.file.modified_time. |
| actor.process.file.name | principal.process.file.names | actor.process.file.name if not empty; otherwise process.file.name. |
| actor.process.file.path | principal.process.file.full_path | actor.process.file.path if not empty; otherwise process.file.path. |
| actor.process.file.size | principal.process.file.size | actor.process.file.size if not empty; otherwise process.file.size. |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | actor.process.parent_process.cmd_line if not empty; otherwise process.parent_process.cmd_line. |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | actor.process.parent_process.file.accessed_time if not empty; otherwise process.parent_process.file.accessed_time. |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | actor.process.parent_process.file.created_time if not empty; otherwise process.parent_process.file.created_time. |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | actor.process.parent_process.file.mime_type if not empty; otherwise process.parent_process.file.mime_type. |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | actor.process.parent_process.file.modified_time if not empty; otherwise process.parent_process.file.modified_time. |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | actor.process.parent_process.file.name if not empty; otherwise process.parent_process.file.name. |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | actor.process.parent_process.file.path if not empty; otherwise process.parent_process.file.path. |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | actor.process.parent_process.file.size if not empty; otherwise process.parent_process.file.size. |
| actor.process.parent_process.pid | principal.process.parent_process.pid | actor.process.parent_process.pid if not empty; otherwise process.parent_process.pid. |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | actor.process.parent_process.uid if not empty; otherwise process.parent_process.uid. |
| actor.process.pid | principal.process.pid | actor.process.pid if not empty; otherwise process.pid. |
| actor.process.uid | principal.process.product_specific_process_id | actor.process.uid if not empty; otherwise process.uid. |
| actor.process.user.domain | principal.administrative_domain | actor.user.domain if not empty; otherwise actor.process.user.domain. |
| actor.process.user.email_addr | principal.user.email_addresses | actor.user.email_addr if not empty; otherwise actor.process.user.email_addr. |
| actor.process.user.full_name | principal.user.user_display_name | actor.user.full_name if not empty; otherwise actor.process.user.full_name. |
| actor.process.user.groups.name | principal.group.group_display_name | actor.user.groups.name if not empty; otherwise actor.process.user.groups.name. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | actor.user.groups.privileges if not empty; otherwise actor.process.user.groups.privileges. |
| actor.process.user.groups.uid | principal.user.group_identifiers | actor.user.groups.uid if not empty; otherwise actor.process.user.groups.uid. |
| actor.process.user.name | principal.user.userid | actor.user.name if not empty; otherwise actor.process.user.name. |
| actor.process.user.org.name | principal.user.company_name | actor.user.org.name if not empty; otherwise actor.process.user.org.name. |
| actor.process.user.org.ou_name | principal.user.department | actor.user.org.ou_name if not empty; otherwise actor.process.user.org.ou_name. |
| actor.process.user.type_id | principal.user.attribute.roles.name | Only when actor.user.type_id is empty: actor.process.user.type_id 0 → Unknown, 1 → User, 2 → Admin, 3 → System; any other value → Other. |
| actor.process.user.uid | principal.user.product_object_id | actor.user.uid if not empty; otherwise actor.process.user.uid. |
| actor.user.domain | principal.administrative_domain | actor.user.domain if not empty; otherwise actor.process.user.domain. |
| actor.user.email_addr | principal.user.email_addresses | actor.user.email_addr if not empty; otherwise actor.process.user.email_addr. |
| actor.user.full_name | principal.user.user_display_name | actor.user.full_name if not empty; otherwise actor.process.user.full_name. |
| actor.user.groups.name | principal.group.group_display_name | actor.user.groups.name if not empty; otherwise actor.process.user.groups.name. |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | actor.user.groups.privileges if not empty; otherwise actor.process.user.groups.privileges. |
| actor.user.groups.uid | principal.user.group_identifiers | actor.user.groups.uid if not empty; otherwise actor.process.user.groups.uid. |
| actor.user.name | principal.user.userid | actor.user.name if not empty; otherwise actor.process.user.name. |
| actor.user.org.name | principal.user.company_name | actor.user.org.name if not empty; otherwise actor.process.user.org.name. |
| actor.user.org.ou_name | principal.user.department | actor.user.org.ou_name if not empty; otherwise actor.process.user.org.ou_name. |
| actor.user.type_id | principal.user.attribute.roles.name | actor.user.type_id 0 → Unknown, 1 → User, 2 → Admin, 3 → System; any other value → Other. |
| actor.user.uid | principal.user.product_object_id | actor.user.uid if not empty; otherwise actor.process.user.uid. |
| api.response.code | network.http.response_code | |
| api.response.message | metadata.description | Only when the message log field is empty, api.response.message is mapped to metadata.description. |
| api.service.name | target.application | |
| attacks.tactics.name | security_result.attack_details.tactics.name | |
| attacks.tactics.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | %{category_uid} - %{category_name} is mapped to security_result.category_details. |
| category_uid | security_result.category_details | %{category_uid} - %{category_name} is mapped to security_result.category_details. |
| class_name | metadata.log_type | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | cloud.provider is matched as a regular expression: AWS → AMAZON_WEB_SERVICES, MS Azure → MICROSOFT_AZURE, GCP → GOOGLE_CLOUD_PLATFORM. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| file.accessed_time | target.file.last_seen_time | |
| file.created_time | target.file.first_seen_time | |
| file.mime_type | target.file.mime_type | |
| file.modified_time | target.file.last_modification_time | |
| file.name | target.file.names | |
| file.path | target.file.full_path | |
| file.size | target.file.size | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
observables.value |
observer.file.names |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.file.vhash |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.hostname |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.ip |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through log field observables.value, then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through log field observables.value, then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through log field observables.value, then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through log field observables.value, then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through log field observables.value, then, if the index value is equal to 0 and the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
severity |
security_result.severity_details |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
src_endpoint.domain |
principal.domain.name |
|
src_endpoint.hostname |
principal.hostname |
|
src_endpoint.intermediate_ips |
intermediary.ip |
|
src_endpoint.ip |
principal.ip |
|
src_endpoint.location.city |
principal.location.city |
|
src_endpoint.location.coordinates |
principal.location.region_coordinates.longitude/latitude |
|
src_endpoint.location.country |
principal.location.country_or_region |
|
src_endpoint.location.region |
principal.location.name |
|
src_endpoint.mac |
principal.mac |
|
src_endpoint.port |
principal.port |
|
src_endpoint.svc_name |
principal.application |
|
src_endpoint.uid |
principal.asset_id |
|
time |
metadata.event_timestamp |
|
connection_info.session.uid_alt |
additional.fields[connection_info_session_uid_alt] |
|
connection_info.session.count |
additional.fields[connection_info_session_count] |
|
connection_info.session.expiration_reason |
additional.fields[connection_info_session_expiration_reason] |
|
connection_info.session.is_mfa |
additional.fields[connection_info_session_is_mfa] |
|
connection_info.session.terminal |
additional.fields[connection_info_session_terminal] |
|
connection_info.session.is_vpn |
additional.fields[connection_info_session_is_vpn] |
|
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
src_endpoint.hw_info.bios_date |
principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] |
|
src_endpoint.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
src_endpoint.hw_info.bios_ver |
principal.asset.hardware.model |
|
src_endpoint.hw_info.cpu_bits |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] |
|
src_endpoint.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
src_endpoint.hw_info.cpu_count |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] |
|
src_endpoint.hw_info.chassis |
principal.asset.attribute.labels[src_endpoint_hw_info_chassis] |
|
src_endpoint.hw_info.desktop_display.color_depth |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.hw_info.desktop_display.physical_height |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.hw_info.desktop_display.physical_orientation |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.hw_info.desktop_display.physical_width |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.hw_info.desktop_display.scale_factor |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.hw_info.keyboard_info.function_keys |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.hw_info.keyboard_info.ime |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.hw_info.keyboard_info.keyboard_layout |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.hw_info.keyboard_info.keyboard_subtype |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.hw_info.keyboard_info.keyboard_type |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.hw_info.cpu_speed |
principal.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.hw_info.cpu_type |
principal.asset.hardware.cpu_platform |
|
src_endpoint.hw_info.ram_size |
principal.asset.hardware.ram |
|
src_endpoint.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
src_endpoint.zone |
principal.asset.attribute.labels[src_endpoint_zone] |
|
src_endpoint.type |
additional.fields[src_endpoint_type] |
|
src_endpoint.type_id |
additional.fields[src_endpoint_type_id] |
|
src_endpoint.os.cpe_name |
principal.asset.attribute.labels[src_endpoint_os_cpe_name] |
|
src_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
src_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
src_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
src_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
src_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
src_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
src_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
src_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
src_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
src_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
src_endpoint.proxy_endpoint.port |
intermediary.port |
|
src_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
src_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] |
|
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
src_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
src_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
src_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
src_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
src_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
src_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
src_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] |
|
src_endpoint.proxy_endpoint.type |
additional.fields[src_endpoint_proxy_endpoint_type] |
|
src_endpoint.proxy_endpoint.type_id |
additional.fields[src_endpoint_proxy_endpoint_type_id] |
|
src_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] |
|
actor.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.ldap_person.employee_uid |
principal.user.employee_uid |
If the actor.user.ldap_person.employee_uid log field value is not empty then, actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
actor.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
actor.user.ldap_person.given_name |
principal.user.first_name |
If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.user.ldap_person.hire_time |
principal.user.hire_date |
If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.user.ldap_person.job_title |
principal.user.title |
If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
| actor.user.ldap_person.ldap_dn | principal.user.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
| actor.user.ldap_person.labels | principal.user.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
| actor.user.ldap_person.last_login_time | principal.user.last_login_time | If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
| actor.user.ldap_person.leave_time | principal.user.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
| actor.user.ldap_person.modified_time | principal.user.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.modified_time log field value is not empty then, actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
| actor.user.ldap_person.office_location | principal.user.office_address.name | If the actor.user.ldap_person.office_location log field value is not empty then, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
| actor.user.ldap_person.surname | principal.user.last_name | If the actor.user.ldap_person.surname log field value is not empty then, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
| actor.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] | If the actor.user.ldap_person.manager.cost_center log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
| actor.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] | If the actor.user.ldap_person.manager.created_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
| actor.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] | If the actor.user.ldap_person.manager.deleted_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| actor.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the actor.user.ldap_person.manager.email_addrs log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. |
| actor.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the actor.user.ldap_person.manager.employee_uid log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. |
| actor.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_manager_ldap_person_location] | If the actor.user.ldap_person.manager.location log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
| actor.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the actor.user.ldap_person.manager.given_name log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. |
| actor.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the actor.user.ldap_person.manager.hire_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. |
| actor.user.ldap_person.manager.job_title | principal.user.managers.title | If the actor.user.ldap_person.manager.job_title log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. |
| actor.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] | If the actor.user.ldap_person.manager.ldap_cn log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
| actor.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] | If the actor.user.ldap_person.manager.ldap_dn log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
| actor.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_manager_ldap_person_labels] | If the actor.user.ldap_person.manager.labels log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
| actor.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | If the actor.user.ldap_person.manager.last_login_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. |
| actor.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] | If the actor.user.ldap_person.manager.leave_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
| actor.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] | If the actor.user.ldap_person.manager.modified_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
| actor.user.ldap_person.manager.office_location | principal.user.managers.office_address.name | If the actor.user.ldap_person.manager.office_location log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. |
| actor.user.ldap_person.manager.surname | principal.user.managers.last_name | If the actor.user.ldap_person.manager.surname log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. |
| actor.user.groups.domain | principal.user.group_identifiers | If the actor.user.ldap_person.groups.domain log field value is not empty then, iterate through log field actor.user.ldap_person.groups, then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
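The rows above share three conventions: a rule fires only when the source value is not empty, a dotted UDM path that is not a first-class field lands in `principal.user.attribute.labels[...]`, and the manager rules are applied once per element of `actor.user.ldap_person.manager`, producing one `principal.user.managers` entry each. The following is an added example, not Google SecOps parser code, that applies a handful of those rules to a constructed OCSF event so the behaviour can be checked against what a parser actually emits. The rule tables, the helper names (`apply_rules`, `map_principal_user`) and the output shape (labels as key/value pairs, managers as a list of objects) are this example's own assumptions.

```python
"""Apply a subset of the actor.user.ldap_person -> principal.user mapping rules
to a constructed OCSF event. Added example; not Google SecOps parser code."""
from typing import Any

# Constructed sample event (not the page's sample log). leave_time is deliberately
# empty and the second manager has an empty email_addrs list so the "not empty"
# guard is exercised on both the user and the manager rules.
SAMPLE_EVENT: dict[str, Any] = {
    "actor": {"user": {"ldap_person": {
        "ldap_cn": "Jane Doe",
        "ldap_dn": "CN=Jane Doe,OU=Users,DC=example,DC=com",
        "last_login_time": 1700000000000,
        "leave_time": "",
        "office_location": "Building 7",
        "surname": "Doe",
        "manager": [
            {"given_name": "Ann", "surname": "Lee",
             "email_addrs": ["ann@example.com"], "ldap_cn": "Ann Lee"},
            {"given_name": "Bob", "surname": "Ray",
             "email_addrs": [], "job_title": "Director"},
        ],
    }}}
}

# (field relative to actor.user.ldap_person, UDM field relative to principal.user)
USER_RULES = [
    ("ldap_cn", "attribute.labels[user_ldap_person_ldap_cn]"),
    ("ldap_dn", "attribute.labels[user_ldap_person_ldap_dn]"),
    ("last_login_time", "last_login_time"),
    ("leave_time", "attribute.labels[user_ldap_person_leave_time]"),
    ("office_location", "office_address.name"),
    ("surname", "last_name"),
]
# (field relative to one manager entry, UDM field relative to principal.user.managers)
MANAGER_RULES = [
    ("given_name", "first_name"),
    ("surname", "last_name"),
    ("email_addrs", "email_addresses"),
    ("job_title", "title"),
    ("ldap_cn", "attribute.labels[user_manager_ldap_person_ldap_cn]"),
]


def is_empty(value: Any) -> bool:
    """The table's 'log field value is not empty' guard: None, '', [] and {} are empty."""
    return value is None or value == "" or value == [] or value == {}


def get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def set_path(target: dict, path: str, value: Any) -> None:
    """Create nested dicts along a dotted UDM path and store the value at the leaf."""
    parts = path.split(".")
    for part in parts[:-1]:
        target = target.setdefault(part, {})
    target[parts[-1]] = value


def apply_rules(src: dict, rules: list[tuple[str, str]]) -> dict:
    """Map one OCSF object to a UDM object, skipping rules whose source value is empty."""
    out: dict = {}
    for src_field, udm_field in rules:
        value = src.get(src_field)
        if is_empty(value):
            continue  # "if ... log field value is not empty then" from the table
        if udm_field.startswith("attribute.labels["):
            key = udm_field[len("attribute.labels["):-1]
            labels = out.setdefault("attribute", {}).setdefault("labels", [])
            labels.append({"key": key, "value": str(value)})
        else:
            set_path(out, udm_field, value)
    return out


def map_principal_user(event: dict) -> dict:
    """Build the principal.user portion of a UDM event from actor.user.ldap_person."""
    person = get_path(event, "actor.user.ldap_person")
    if not isinstance(person, dict):
        return {}
    user = apply_rules(person, USER_RULES)
    # "iterate through log field actor.user.ldap_person.manager": one managers entry
    # per element; a single manager object is treated as a one-element list.
    raw = person.get("manager")
    entries = raw if isinstance(raw, list) else [raw]
    managers = [apply_rules(m, MANAGER_RULES) for m in entries if isinstance(m, dict)]
    managers = [m for m in managers if m]
    if managers:
        user["managers"] = managers
    return {"principal": {"user": user}} if user else {}


if __name__ == "__main__":
    import json
    print(json.dumps(map_principal_user(SAMPLE_EVENT), indent=2))
```

Timestamp normalization (epoch milliseconds to UDM timestamps) is not modelled; the raw `last_login_time` value is passed through so the guard logic stays the focus. Running the block on `SAMPLE_EVENT` yields two labels on the user (the empty `leave_time` produces none), and the second manager gets a `title` but no `email_addresses`.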
Field mapping reference: OCSF API Activity
The following table lists the log fields for the API Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| observables.value | observer.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.file.vhash | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.hostname | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.mac | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.process.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.resource.product_object_id | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.url | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.email_addresses | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| actor.idp.name | about.user.user_display_name | |
| actor.idp.uid | about.user.userid | |
| observables.value | observer.user.userid | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| src_endpoint.intermediate_ips | intermediary.ip | Iterate through log field src_endpoint.intermediate_ips, then src_endpoint.intermediate_ips log field is mapped to the intermediary.ip UDM field. |
| metadata.logged_time | metadata.collected_timestamp | |
| message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. Else, message log field is mapped to the metadata.description UDM field. |
| api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. Else, message log field is mapped to the metadata.description UDM field. |
| time | metadata.event_timestamp | |
| activity_id | metadata.event_type | If the class_name log field value is equal to API Activity and if the activity_id log field value is equal to 1 then, the metadata.event_type UDM field is set to RESOURCE_CREATION. Else, if activity_id log field value is equal to 2 then, the metadata.event_type UDM field is set to RESOURCE_READ. Else, if activity_id log field value is equal to 3 then, the metadata.event_type UDM field is set to RESOURCE_WRITTEN. Else, if activity_id log field value is equal to 4 then, the metadata.event_type UDM field is set to RESOURCE_DELETION. Else, the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS. |
| class_name | metadata.log_type | |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| metadata.uid | metadata.product_log_id | |
| metadata.product.name | metadata.product_name | |
| metadata.product.version | metadata.product_version | |
| metadata.product.vendor_name | metadata.vendor_name | |
| http_request.version | network.application_protocol_version | |
| http_request.http_method | network.http.method | |
| http_request.referrer | network.http.referral_url | |
| api.response.code | network.http.response_code | |
| http_request.user_agent | network.http.user_agent | |
| actor.session.uid | network.session_id | If the class_name log field value contains one of the following values and if session.uid log field value is empty then, actor.session.uid log field is mapped to the network.session_id UDM field. Else, actor.session.uid log field is mapped to the network.session_id UDM field. If the class_name log field value contains one of the following values and if actor.session.uid log field value is empty then, actor.session.uuid log field is mapped to the network.session_id UDM field. Else, actor.process.session.uid log field is mapped to the network.session_id UDM field. |
| actor.process.user.domain | principal.administrative_domain | |
| actor.user.domain | principal.administrative_domain | If the class_name log field value is equal to API Activity and if the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| src_endpoint.svc_name | principal.application | If the class_name log field value contains one of the following values then, src_endpoint.svc_name log field is mapped to the principal.application UDM field. |
| src_endpoint.uid | principal.asset_id | If the class_name log field value contains one of the following values then, ASSET ID: %{src_endpoint.uid} log field is mapped to the principal.asset_id UDM field. |
| src_endpoint.domain | principal.domain.name | If the class_name log field value contains one of the following values then, src_endpoint.domain log field is mapped to the principal.domain.name UDM field. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.user.groups.privileges log field value is not empty then, process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if process.parent_process.user.groups.privileges log field value is not empty then, process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.process.user.groups.name | principal.group.group_display_name | |
| actor.user.groups.name | principal.group.group_display_name | Iterate through log field actor.user.groups.array.name, then if the index value is equal to 0 then, actor.user.groups.array.name log field is mapped to the principal.group.group_display_name UDM field. Iterate through log field actor.process.user.groups.array.name, then if the index value is equal to 0 then, actor.process.user.groups.array.name log field is mapped to the principal.group.group_display_name UDM field. |
| src_endpoint.hostname | principal.hostname | If the class_name log field value contains one of the following values then, src_endpoint.hostname log field is mapped to the principal.hostname UDM field. |
| http_request.x_forwarded_for | principal.ip | |
| src_endpoint.ip | principal.ip | If the class_name log field value contains one of the following values then, src_endpoint.ip log field is mapped to the principal.ip UDM field. |
| src_endpoint.location.city | principal.location.city | If the class_name log field value contains one of the following values then, src_endpoint.location.city log field is mapped to the principal.location.city UDM field. |
| src_endpoint.location.country | principal.location.country_or_region | If the class_name log field value contains one of the following values then, src_endpoint.location.country log field is mapped to the principal.location.country_or_region UDM field. |
| src_endpoint.location.region | principal.location.name | If the class_name log field value contains one of the following values then, src_endpoint.location.region log field is mapped to the principal.location.name UDM field. |
| src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | If the class_name log field value contains one of the following values then, src_endpoint.location.coordinates.1 log field is mapped to the principal.location.region_coordinates.latitude UDM field. |
| src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | If the class_name log field value contains one of the following values then, src_endpoint.location.coordinates.0 log field is mapped to the principal.location.region_coordinates.longitude UDM field. |
| src_endpoint.mac | principal.mac | If the class_name log field value contains one of the following values then, src_endpoint.mac log field is mapped to the principal.mac UDM field. |
| src_endpoint.port | principal.port | If the class_name log field value contains one of the following values then, src_endpoint.port log field is mapped to the principal.port UDM field. |
| actor.process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.modified_time | principal.process.file.last_modification_time | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.hashes.value | principal.process.file.md5 | If the actor.process.file.hashes.algorithm_id log field value is equal to 1 then, actor.process.file.hashes.value log field is mapped to the principal.process.file.md5 UDM field. |
| actor.process.file.mime_type | principal.process.file.mime_type | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.hashes.value | principal.process.file.sha1 | If the actor.process.file.hashes.algorithm_id log field value is equal to 2 then, actor.process.file.hashes.value log field is mapped to the principal.process.file.sha1 UDM field. |
| actor.process.file.hashes.value | principal.process.file.sha256 | If the actor.process.file.hashes.algorithm_id log field value is equal to 3 then, actor.process.file.hashes.value log field is mapped to the principal.process.file.sha256 UDM field. |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | If the actor.process.parent_process.uid log field value is not empty then, principal.process.product_specific_process_id => PRODUCT_SPECIFIC_PROCESS_ID: %actor.process.parent_process.uid. |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | If the actor.process.uid log field value is not empty then, principal.process.product_specific_process_id => PRODUCT_SPECIFIC_PROCESS_ID: %actor.process.uid. |
| actor.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
actor.process.user.org.name |
principal.user.company_name |
|
actor.user.org.name |
principal.user.company_name |
If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
actor.process.user.org.ou_name |
principal.user.department |
|
actor.user.org.ou_name |
principal.user.department |
If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
actor.process.user.email_addr |
principal.user.email_addresses |
|
actor.user.email_addr |
principal.user.email_addresses |
If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.groups.uid |
principal.user.group_identifiers |
|
actor.user.groups.uid |
principal.user.group_identifiers |
Iterate through log field actor.user.groups.uid, then actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Iterate through log field actor.process.user.groups.uid, then actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
actor.user.uid |
principal.user.product_object_id |
If the actor.user.uid log field value is not empty then, principal.user.product_object_id => %actor.user.uid. Else, if the actor.process.user.uid log field value is not empty then, principal.user.product_object_id => %actor.process.user.uid. |
actor.process.user.full_name |
principal.user.user_display_name |
|
actor.user.full_name |
principal.user.user_display_name |
If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
actor.process.user.name |
principal.user.userid |
|
actor.user.name |
principal.user.userid |
If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
status_id |
security_result.action |
If the status_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW. Else, if status_id log field value is equal to 2 then, the security_result.action UDM field is set to FAIL. |
status |
security_result.action_details |
|
category_name |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
category_uid |
security_result.category_details |
%{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
enrichments.name |
security_result.detection_fields [enrichments_name] |
Iterate through log field enrichments.name, then enrichments.name log field is mapped to the security_result.detection_fields [enrichments_name] UDM field. |
enrichments.provider |
security_result.detection_fields [enrichments_provider] |
Iterate through log field enrichments.provider, then enrichments.provider log field is mapped to the security_result.detection_fields [enrichments_provider] UDM field. |
enrichments.type |
security_result.detection_fields [enrichments_type] |
Iterate through log field enrichments.type, then enrichments.type log field is mapped to the security_result.detection_fields [enrichments_type] UDM field. |
enrichments.value |
security_result.detection_fields [enrichments_value] |
Iterate through log field enrichments.value, then enrichments.value log field is mapped to the security_result.detection_fields [enrichments_value] UDM field. |
type_name |
security_result.detection_fields [type_name] |
|
type_uid |
security_result.detection_fields [type_uid] |
|
actor.process.file.security_descriptor |
security_result.detection_fields[actor_process_file_security_descriptor] |
|
http_request.url.categories [] |
security_result.detection_fields[url_categories] |
Iterate through log field http_request.url.categories, then http_request.url.categories log field is mapped to the security_result.detection_fields[url_categories] UDM field. |
status_detail |
security_result.detection_fields [status_detail] |
|
status_code |
security_result.detection_fields [status_code] |
|
severity_id |
security_result.severity |
If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
severity |
security_result.severity_details |
|
dst_endpoint.svc_name |
target.application |
If the class_name log field value contains one of the following values
class_name log field value is equal to Authentication and if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if service.name log field value is not empty then, %{service.name} log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. Else, if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. |
api.service.name |
target.application |
If the class_name log field value contains one of the following values
class_name log field value is equal to Authentication and if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if service.name log field value is not empty then, %{service.name} log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. Else, if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. |
dst_endpoint.uid |
target.asset_id |
If the class_name log field value contains one of the following values
ASSET ID: %{dst_endpoint.uid} log field is mapped to the target.asset_id UDM field. |
dst_endpoint.domain |
target.domain.name |
If the class_name log field value contains one of the following values
dst_endpoint.domain log field is mapped to the target.domain.name UDM field. |
dst_endpoint.hostname |
target.hostname |
If the class_name log field value contains one of the following values
dst_endpoint.hostname log field is mapped to the target.hostname UDM field. |
http_request.url.hostname |
target.hostname |
|
dst_endpoint.ip |
target.ip |
If the class_name log field value contains one of the following values
dst_endpoint.ip log field is mapped to the target.ip UDM field. |
dst_endpoint.location.city |
target.location.city |
If the class_name log field value contains one of the following values
dst_endpoint.location.city log field is mapped to the target.location.city UDM field. |
dst_endpoint.location.region |
target.location.name |
If the class_name log field value contains one of the following values
dst_endpoint.location.region log field is mapped to the target.location.name UDM field. |
dst_endpoint.location.country |
target.location.country_or_region |
If the class_name log field value contains one of the following values
dst_endpoint.location.country log field is mapped to the target.location.country_or_region UDM field. |
dst_endpoint.location.coordinates.1 |
target.location.region_coordinates.latitude |
If the class_name log field value contains one of the following values
dst_endpoint.location.coordinates.1 log field is mapped to the target.location.region_coordinates.latitude UDM field. |
dst_endpoint.location.coordinates.0 |
target.location.region_coordinates.longitude |
If the class_name log field value contains one of the following values
dst_endpoint.location.coordinates.0 log field is mapped to the target.location.region_coordinates.longitude UDM field. |
dst_endpoint.mac |
target.mac |
If the class_name log field value contains one of the following values
dst_endpoint.mac log field is mapped to the target.mac UDM field. |
dst_endpoint.port |
target.port |
If the class_name log field value contains one of the following values
dst_endpoint.port log field is mapped to the target.port UDM field. |
http_request.url.port |
target.port |
|
resources.name |
target.resource.name |
Iterate through log field resources.name, then if the index value is equal to 0 then, resources.name log field is mapped to the target.resource.name UDM field. |
resources.uid |
target.resource.product_object_id |
Iterate through log field resources.uid, then if the index value is equal to 0 then, resources.uid log field is mapped to the target.resource.product_object_id UDM field. |
resources.type |
target.resource.resource_subtype |
Iterate through log field resources.type, then if the index value is equal to 0 then, resources.type log field is mapped to the target.resource.resource_subtype UDM field. |
http_request.url.url_string |
target.url |
|
class_uid |
security_result.detection_fields [class_uid] |
|
actor.process.session.uid_alt |
additional.fields[actor_process_session_uid_alt] |
|
actor.process.session.count |
additional.fields[actor_process_session_count] |
|
actor.process.session.expiration_reason |
additional.fields[actor_process_session_expiration_reason] |
|
actor.process.session.is_mfa |
additional.fields[actor_process_session_is_mfa] |
|
actor.process.session.terminal |
additional.fields[actor_process_session_terminal] |
|
actor.process.session.is_vpn |
additional.fields[actor_process_session_is_vpn] |
|
actor.session.uid_alt |
additional.fields[actor_session_uid_alt] |
|
actor.session.count |
additional.fields[actor_session_count] |
|
actor.session.expiration_reason |
additional.fields[actor_session_expiration_reason] |
|
actor.session.is_mfa |
additional.fields[actor_session_is_mfa] |
|
actor.session.terminal |
additional.fields[actor_session_terminal] |
|
actor.session.is_vpn |
additional.fields[actor_session_is_vpn] |
|
actor.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if actor.process.user.ldap_person.cost_center log field value is not empty then, actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.process.user.ldap_person.cost_center |
principal.user.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if actor.process.user.ldap_person.cost_center log field value is not empty then, actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if actor.process.user.ldap_person.created_time log field value is not empty then, actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.process.user.ldap_person.created_time |
principal.user.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if actor.process.user.ldap_person.created_time log field value is not empty then, actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if actor.process.user.ldap_person.deleted_time log field value is not empty then, actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.process.user.ldap_person.deleted_time |
principal.user.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if actor.process.user.ldap_person.deleted_time log field value is not empty then, actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.ldap_person.email_addrs log field value is not empty then, actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.process.user.ldap_person.email_addrs |
principal.user.email_addresses |
If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.ldap_person.email_addrs log field value is not empty then, actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
actor.user.ldap_person.employee_uid |
principal.user.employee_uid |
If the actor.user.ldap_person.employee_uid log field value is not empty then, actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. Else, if actor.process.user.ldap_person.employee_uid log field value is not empty then, actor.process.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
actor.process.user.ldap_person.employee_uid |
principal.user.employee_uid |
If the actor.user.ldap_person.employee_uid log field value is not empty then, actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. Else, if actor.process.user.ldap_person.employee_uid log field value is not empty then, actor.process.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
actor.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if actor.process.user.ldap_person.location log field value is not empty then, actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
actor.process.user.ldap_person.location |
principal.user.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if actor.process.user.ldap_person.location log field value is not empty then, actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
actor.user.ldap_person.given_name |
principal.user.first_name |
If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if actor.process.user.ldap_person.given_name log field value is not empty then, actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.process.user.ldap_person.given_name |
principal.user.first_name |
If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if actor.process.user.ldap_person.given_name log field value is not empty then, actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
actor.user.ldap_person.hire_time |
principal.user.hire_date |
If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if actor.process.user.ldap_person.hire_time log field value is not empty then, actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.process.user.ldap_person.hire_time |
principal.user.hire_date |
If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if actor.process.user.ldap_person.hire_time log field value is not empty then, actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
actor.user.ldap_person.job_title |
principal.user.title |
If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if actor.process.user.ldap_person.job_title log field value is not empty then, actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.process.user.ldap_person.job_title |
principal.user.title |
If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if actor.process.user.ldap_person.job_title log field value is not empty then, actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
actor.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if actor.process.user.ldap_person.ldap_cn log field value is not empty then, actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.process.user.ldap_person.ldap_cn |
principal.user.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if actor.process.user.ldap_person.ldap_cn log field value is not empty then, actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if actor.process.user.ldap_person.ldap_dn log field value is not empty then, actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.process.user.ldap_person.ldap_dn |
principal.user.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if actor.process.user.ldap_person.ldap_dn log field value is not empty then, actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if actor.process.user.ldap_person.labels log field value is not empty then, actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
actor.process.user.ldap_person.labels |
principal.user.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if actor.process.user.ldap_person.labels log field value is not empty then, actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
actor.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if actor.process.user.ldap_person.last_login_time log field value is not empty then, actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.process.user.ldap_person.last_login_time |
principal.user.last_login_time |
If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if actor.process.user.ldap_person.last_login_time log field value is not empty then, actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
actor.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if actor.process.user.ldap_person.leave_time log field value is not empty then, actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.process.user.ldap_person.leave_time |
principal.user.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if actor.process.user.ldap_person.leave_time log field value is not empty then, actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.modified_time log field value is not empty then, actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if actor.process.user.ldap_person.modified_time log field value is not empty then, actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.process.user.ldap_person.modified_time |
principal.user.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.modified_time log field value is not empty then, actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if actor.process.user.ldap_person.modified_time log field value is not empty then, actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.office_location |
principal.user.office_address.name |
If the actor.user.ldap_person.office_location log field value is not empty then, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if actor.process.user.ldap_person.office_location log field value is not empty then, actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.process.user.ldap_person.office_location |
principal.user.office_address.name |
If the actor.user.ldap_person.office_location log field value is not empty then, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if actor.process.user.ldap_person.office_location log field value is not empty then, actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
actor.user.ldap_person.surname |
principal.user.last_name |
If the actor.user.ldap_person.surname log field value is not empty then, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if actor.process.user.ldap_person.surname log field value is not empty then, actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
actor.process.user.ldap_person.surname |
principal.user.last_name |
If the actor.user.ldap_person.surname log field value is not empty then, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if actor.process.user.ldap_person.surname log field value is not empty then, actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
actor.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.manager.cost_center log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if actor.process.user.ldap_person.manager.cost_center log field value is not empty then, iterate through log field actor.process.user.ldap_person.manager, then actor.process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.process.user.ldap_person.manager.cost_center |
principal.user.managers.attribute.labels[user_ldap_person_cost_center] |
If the actor.user.ldap_person.manager.cost_center log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if actor.process.user.ldap_person.manager.cost_center log field value is not empty then, iterate through log field actor.process.user.ldap_person.manager, then actor.process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
actor.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.manager.created_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if actor.process.user.ldap_person.manager.created_time log field value is not empty then, iterate through log field actor.process.user.ldap_person.manager, then actor.process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.process.user.ldap_person.manager.created_time |
principal.user.managers.attribute.labels[user_ldap_person_created_time] |
If the actor.user.ldap_person.manager.created_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if actor.process.user.ldap_person.manager.created_time log field value is not empty then, iterate through log field actor.process.user.ldap_person.manager, then actor.process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
actor.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.manager.deleted_time log field value is not empty then,iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field.Else, if actor.process.user.ldap_person.manager.deleted_time log field value then,iterate through log field actor.process.user.ldap_person.manager, then actor.process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.process.user.ldap_person.manager.deleted_time |
principal.user.managers.attribute.labels[user_ldap_person_deleted_time] |
If the actor.user.ldap_person.manager.deleted_time log field value is not empty then,iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field.Else, if actor.process.user.ldap_person.manager.deleted_time log field value then,iterate through log field actor.process.user.ldap_person.manager, then actor.process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
actor.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the actor.user.ldap_person.manager.email_addrs log field value is not empty then,iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field.Else, if actor.process.user.ldap_person.manager.email_addrs log field value then,iterate through log field actor.process.user.ldap_person.manager, then actor.process.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. |
actor.process.user.ldap_person.manager.email_addrs |
principal.user.managers.email_addresses |
If the actor.user.ldap_person.manager.email_addrs log field value is not empty then,iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field.Else, if actor.process.user.ldap_person.manager.email_addrs log field value then,iterate through log field actor.process.user.ldap_person.manager, then actor.process.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. |
actor.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the actor.user.ldap_person.manager.employee_uid log field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field.Else, if actor.process.user.ldap_person.manager.employee_uid log field value then,iterate through log field actor.process.user.ldap_person.manager, then actor.process.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. |
actor.process.user.ldap_person.manager.employee_uid |
principal.user.managers.employee_uid |
If the actor.user.ldap_person.manager.employee_uid log field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field.Else, if actor.process.user.ldap_person.manager.employee_uid log field value then,iterate through log field actor.process.user.ldap_person.manager, then actor.process.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. |
actor.user.ldap_person.manager.location |
principal.user.managers.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.manager.location log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.location log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.location log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
actor.process.user.ldap_person.manager.location |
principal.user.managers.attribute.labels[user_ldap_person_location] |
If the actor.user.ldap_person.manager.location log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.location log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.location log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
actor.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the actor.user.ldap_person.manager.given_name log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.given_name log field is then mapped to the principal.user.managers.first_name UDM field. Else, if the actor.process.user.ldap_person.manager.given_name log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.given_name log field is then mapped to the principal.user.managers.first_name UDM field. |
actor.process.user.ldap_person.manager.given_name |
principal.user.managers.first_name |
If the actor.user.ldap_person.manager.given_name log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.given_name log field is then mapped to the principal.user.managers.first_name UDM field. Else, if the actor.process.user.ldap_person.manager.given_name log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.given_name log field is then mapped to the principal.user.managers.first_name UDM field. |
actor.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the actor.user.ldap_person.manager.hire_time log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.hire_time log field is then mapped to the principal.user.managers.hire_date UDM field. Else, if the actor.process.user.ldap_person.manager.hire_time log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.hire_time log field is then mapped to the principal.user.managers.hire_date UDM field. |
actor.process.user.ldap_person.manager.hire_time |
principal.user.managers.hire_date |
If the actor.user.ldap_person.manager.hire_time log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.hire_time log field is then mapped to the principal.user.managers.hire_date UDM field. Else, if the actor.process.user.ldap_person.manager.hire_time log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.hire_time log field is then mapped to the principal.user.managers.hire_date UDM field. |
actor.user.ldap_person.manager.job_title |
principal.user.managers.title |
If the actor.user.ldap_person.manager.job_title log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.job_title log field is then mapped to the principal.user.managers.title UDM field. Else, if the actor.process.user.ldap_person.manager.job_title log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.job_title log field is then mapped to the principal.user.managers.title UDM field. |
actor.process.user.ldap_person.manager.job_title |
principal.user.managers.title |
If the actor.user.ldap_person.manager.job_title log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.job_title log field is then mapped to the principal.user.managers.title UDM field. Else, if the actor.process.user.ldap_person.manager.job_title log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.job_title log field is then mapped to the principal.user.managers.title UDM field. |
actor.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.manager.ldap_cn log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.ldap_cn log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_cn log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.ldap_cn log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.process.user.ldap_person.manager.ldap_cn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] |
If the actor.user.ldap_person.manager.ldap_cn log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.ldap_cn log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_cn log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.ldap_cn log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
actor.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.manager.ldap_dn log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.ldap_dn log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_dn log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.ldap_dn log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.process.user.ldap_person.manager.ldap_dn |
principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] |
If the actor.user.ldap_person.manager.ldap_dn log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.ldap_dn log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_dn log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.ldap_dn log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
actor.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.manager.labels log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.labels log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.manager.labels log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.labels log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
actor.process.user.ldap_person.manager.labels |
principal.user.managers.attribute.labels[user_ldap_person_labels] |
If the actor.user.ldap_person.manager.labels log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.labels log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.manager.labels log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.labels log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
actor.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the actor.user.ldap_person.manager.last_login_time log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.last_login_time log field is then mapped to the principal.user.managers.last_login_time UDM field. Else, if the actor.process.user.ldap_person.manager.last_login_time log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.last_login_time log field is then mapped to the principal.user.managers.last_login_time UDM field. |
actor.process.user.ldap_person.manager.last_login_time |
principal.user.managers.last_login_time |
If the actor.user.ldap_person.manager.last_login_time log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.last_login_time log field is then mapped to the principal.user.managers.last_login_time UDM field. Else, if the actor.process.user.ldap_person.manager.last_login_time log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.last_login_time log field is then mapped to the principal.user.managers.last_login_time UDM field. |
actor.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.manager.leave_time log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.leave_time log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.manager.leave_time log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.leave_time log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.process.user.ldap_person.manager.leave_time |
principal.user.managers.attribute.labels[user_ldap_person_leave_time] |
If the actor.user.ldap_person.manager.leave_time log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.leave_time log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.manager.leave_time log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.leave_time log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
actor.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.manager.modified_time log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.modified_time log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.manager.modified_time log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.modified_time log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.process.user.ldap_person.manager.modified_time |
principal.user.managers.attribute.labels[user_ldap_person_modified_time] |
If the actor.user.ldap_person.manager.modified_time log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.modified_time log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.manager.modified_time log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.modified_time log field is then mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
actor.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the actor.user.ldap_person.manager.office_location log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.office_location log field is then mapped to the principal.user.managers.office_address.name UDM field. Else, if the actor.process.user.ldap_person.manager.office_location log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.office_location log field is then mapped to the principal.user.managers.office_address.name UDM field. |
actor.process.user.ldap_person.manager.office_location |
principal.user.managers.office_address.name |
If the actor.user.ldap_person.manager.office_location log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.office_location log field is then mapped to the principal.user.managers.office_address.name UDM field. Else, if the actor.process.user.ldap_person.manager.office_location log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.office_location log field is then mapped to the principal.user.managers.office_address.name UDM field. |
actor.user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the actor.user.ldap_person.manager.surname log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.surname log field is then mapped to the principal.user.managers.last_name UDM field. Else, if the actor.process.user.ldap_person.manager.surname log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.surname log field is then mapped to the principal.user.managers.last_name UDM field. |
actor.process.user.ldap_person.manager.surname |
principal.user.managers.last_name |
If the actor.user.ldap_person.manager.surname log field value is not empty, iterate through the actor.user.ldap_person.manager log field; the actor.user.ldap_person.manager.surname log field is then mapped to the principal.user.managers.last_name UDM field. Else, if the actor.process.user.ldap_person.manager.surname log field value is not empty, iterate through the actor.process.user.ldap_person.manager log field; the actor.process.user.ldap_person.manager.surname log field is then mapped to the principal.user.managers.last_name UDM field. |
actor.user.groups.domain |
principal.user.group_identifiers |
If the actor.user.ldap_person.groups.domain log field value is not empty, iterate through the actor.user.ldap_person.groups log field; the actor.user.groups.domain log field is then mapped to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.ldap_person.groups.domain log field value is not empty, iterate through the actor.user.ldap_person.groups log field; the actor.process.user.groups.domain log field is then mapped to the principal.user.group_identifiers UDM field. |
actor.process.user.groups.domain |
principal.user.group_identifiers |
If the actor.user.ldap_person.groups.domain log field value is not empty, iterate through the actor.user.ldap_person.groups log field; the actor.user.groups.domain log field is then mapped to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.ldap_person.groups.domain log field value is not empty, iterate through the actor.user.ldap_person.groups log field; the actor.process.user.groups.domain log field is then mapped to the principal.user.group_identifiers UDM field. |
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
http_request.length |
additional.fields[http_request_length] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
| src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
| src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
| src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
| src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
| src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
| src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
| src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
| src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
| src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
| src_endpoint.type | additional.fields[src_endpoint_type] | |
| src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
| src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
| src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| src_endpoint.proxy_endpoint.ip | intermediary.ip | |
| src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| src_endpoint.proxy_endpoint.mac | intermediary.mac | |
| src_endpoint.proxy_endpoint.port | intermediary.port | |
| src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
| src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
| src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
| src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
| src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
| api.response.data | additional.fields[api_response_data] | |
| api.response.containers.name | about.resource.name | Iterate through log field api.response.containers, then api.response.containers.name log field is mapped to the about.resource.name UDM field. |
| api.response.containers.uid | about.resource.product_object_id | Iterate through log field api.response.containers, then api.response.containers.uid log field is mapped to the about.resource.product_object_id UDM field. |
| api.response.containers.hash.algorithm | about.resource.attribute.labels[api_response_containers_hash_algorithm] | Iterate through log field api.response.containers, then api.response.containers.hash.algorithm log field is mapped to the about.resource.attribute.labels[api_response_containers_hash_algorithm] UDM field. |
| api.response.containers.hash.algorithm_id | about.resource.attribute.labels[api_response_containers_hash_algorithm_id] | Iterate through log field api.response.containers, then api.response.containers.hash.algorithm_id log field is mapped to the about.resource.attribute.labels[api_response_containers_hash_algorithm_id] UDM field. |
| api.response.containers.hash.value | about.resource.attribute.labels[api_response_containers_hash_value] | Iterate through log field api.response.containers, then api.response.containers.hash.value log field is mapped to the about.resource.attribute.labels[api_response_containers_hash_value] UDM field. |
| api.response.containers.image.tag | about.resource.attribute.labels[api_response_containers_image_tag] | Iterate through log field api.response.containers, then api.response.containers.image.tag log field is mapped to the about.resource.attribute.labels[api_response_containers_image_tag] UDM field. |
| api.response.containers.image.labels | about.resource.attribute.labels[api_response_containers_image_labels] | Iterate through log field api.response.containers, then api.response.containers.image.labels log field is mapped to the about.resource.attribute.labels[api_response_containers_image_labels] UDM field. |
| api.response.containers.image.name | about.resource.attribute.labels[api_response_containers_image_name] | Iterate through log field api.response.containers, then api.response.containers.image.name log field is mapped to the about.resource.attribute.labels[api_response_containers_image_name] UDM field. |
| api.response.containers.image.path | about.resource.attribute.labels[api_response_containers_image_path] | Iterate through log field api.response.containers, then api.response.containers.image.path log field is mapped to the about.resource.attribute.labels[api_response_containers_image_path] UDM field. |
| api.response.containers.image.uid | about.resource.attribute.labels[api_response_containers_image_uid] | Iterate through log field api.response.containers, then api.response.containers.image.uid log field is mapped to the about.resource.attribute.labels[api_response_containers_image_uid] UDM field. |
| api.response.containers.tag | about.resource.attribute.labels[api_response_containers_tag] | Iterate through log field api.response.containers, then api.response.containers.tag log field is mapped to the about.resource.attribute.labels[api_response_containers_tag] UDM field. |
| api.response.containers.network_driver | about.resource.attribute.labels[api_response_containers_network_driver] | Iterate through log field api.response.containers, then api.response.containers.network_driver log field is mapped to the about.resource.attribute.labels[api_response_containers_network_driver] UDM field. |
| api.response.containers.orchestrator | about.resource.attribute.labels[api_response_containers_orchestrator] | Iterate through log field api.response.containers, then api.response.containers.orchestrator log field is mapped to the about.resource.attribute.labels[api_response_containers_orchestrator] UDM field. |
| api.response.containers.pod_uuid | about.resource.attribute.labels[api_response_containers_pod_uuid] | Iterate through log field api.response.containers, then api.response.containers.pod_uuid log field is mapped to the about.resource.attribute.labels[api_response_containers_pod_uuid] UDM field. |
| api.response.containers.runtime | about.resource.attribute.labels[api_response_containers_runtime] | Iterate through log field api.response.containers, then api.response.containers.runtime log field is mapped to the about.resource.attribute.labels[api_response_containers_runtime] UDM field. |
| api.response.containers.size | about.resource.attribute.labels[api_response_containers_size] | Iterate through log field api.response.containers, then api.response.containers.size log field is mapped to the about.resource.attribute.labels[api_response_containers_size] UDM field. |
| resources.namespace | target.resource.attribute.labels[resources_namespace] | Iterate through log field resources, then resources.namespace log field is mapped to the target.resource.attribute.labels[resources_namespace] UDM field. |
Field mapping reference: OCSF DNS Activity
The following table lists the log fields for the DNS Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| metadata.logged_time | metadata.collected_timestamp | |
| message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. Else, message log field is mapped to the metadata.description UDM field. |
| time | metadata.event_timestamp | |
| activity_id | metadata.event_type | If the class_name log field value is equal to DNS Activity then, the metadata.event_type UDM field is set to NETWORK_DNS. |
| class_name | metadata.log_type | |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| metadata.uid | metadata.product_log_id | |
| metadata.product.name | metadata.product_name | |
| metadata.product.version | metadata.product_version | |
| metadata.product.vendor_name | metadata.vendor_name | |
| | network.application_protocol | If the class_name log field value is equal to DNS Activity then, the network.application_protocol UDM field is set to DNS. |
| connection_info.protocol_ver_id | network.application_protocol_version | If the connection_info.protocol_ver_id log field value is equal to 4 then, the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if the connection_info.protocol_ver_id log field value is equal to 6 then, the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). |
| connection_info.direction_id | network.direction | If the connection_info.direction_id log field value is equal to 1 then, the network.direction UDM field is set to INBOUND. Else, if connection_info.direction_id log field value is equal to 2 then, the network.direction UDM field is set to OUTBOUND. |
| answers.class | network.dns.answers.class | Iterate through log field answers.class, then if the answers.class log field value is equal to IN then, Else, if answers.class log field value is equal to CS then, Else, if answers.class log field value is equal to CH then, Else, if answers.class log field value is equal to HS then,. |
| answers.rdata | network.dns.answers.data | Iterate through log field answers.rdata, then answers.rdata log field is mapped to the network.dns.answers.data UDM field. |
| answers.ttl | network.dns.answers.ttl | Iterate through log field answers.ttl, then answers.ttl log field is mapped to the network.dns.answers.ttl UDM field. |
| answers.type | network.dns.answers.type | |
| answers.flag_ids | network.dns.authoritative | Iterate through log field answers.flag_ids, then if the answers.flag_ids log field value is equal to 1 then, the network.dns.authoritative UDM field is set to true. |
| answers.flag_ids | network.dns.recursion_available | Iterate through log field answers.flag_ids, then if the answers.flag_ids log field value is equal to 4 then, the network.dns.recursion_available UDM field is set to true. |
| answers.flag_ids | network.dns.recursion_desired | Iterate through log field answers.flag_ids, then if the answers.flag_ids log field value is equal to 3 then, the network.dns.recursion_desired UDM field is set to true. |
| answers.flag_ids | network.dns.truncated | Iterate through log field answers.flag_ids, then if the answers.flag_ids log field value is equal to 2 then, the network.dns.truncated UDM field is set to true. |
| query.opcode_id | network.dns.opcode | |
| query.class | network.dns.questions.class | If the query.class log field value is equal to IN then, Else, if query.class log field value is equal to CS then, Else, if query.class log field value is equal to CH then, Else, if query.class log field value is equal to HS then,. |
| query.hostname | network.dns.questions.name | |
| query.type | network.dns.questions.type | |
| rcode_id | network.dns.response_code | |
| connection_info.protocol_num | network.ip_protocol | If the connection_info.protocol_num log field value is equal to 1 then, the network.ip_protocol UDM field is set to ICMP. Else, if connection_info.protocol_num log field value is equal to 2 then, the network.ip_protocol UDM field is set to IGMP. Else, if connection_info.protocol_num log field value is equal to 6 then, the network.ip_protocol UDM field is set to TCP. Else, if connection_info.protocol_num log field value is equal to 17 then, the network.ip_protocol UDM field is set to UDP. Else, if connection_info.protocol_num log field value is equal to 41 then, the network.ip_protocol UDM field is set to IP6IN4. Else, if connection_info.protocol_num log field value is equal to 47 then, the network.ip_protocol UDM field is set to GRE. Else, if connection_info.protocol_num log field value is equal to 50 then, the network.ip_protocol UDM field is set to ESP. Else, if connection_info.protocol_num log field value is equal to 58 then, the network.ip_protocol UDM field is set to ICMP6. Else, if connection_info.protocol_num log field value is equal to 88 then, the network.ip_protocol UDM field is set to EIGRP. Else, if connection_info.protocol_num log field value is equal to 97 then, the network.ip_protocol UDM field is set to ETHERIP. Else, if connection_info.protocol_num log field value is equal to 103 then, the network.ip_protocol UDM field is set to PIM. Else, if connection_info.protocol_num log field value is equal to 112 then, the network.ip_protocol UDM field is set to VRRP. Else, if connection_info.protocol_num log field value is equal to 132 then, the network.ip_protocol UDM field is set to SCTP. |
| traffic.bytes_in | network.received_bytes | |
| traffic.packets_in | network.received_packets | |
| traffic.bytes_out | network.sent_bytes | |
| traffic.packets_out | network.sent_packets | |
| tls.cipher | network.tls.cipher | |
| tls.certificate.issuer | network.tls.client.certificate.issuer | |
| tls.certificate.expiration_time | network.tls.client.certificate.not_after | |
| tls.certificate.created_time | network.tls.client.certificate.not_before | |
| tls.certificate.serial_number | network.tls.client.certificate.serial | |
| tls.certificate.subject | network.tls.client.certificate.subject | |
| tls.certificate.version | network.tls.client.certificate.version | |
| tls.certificate.fingerprints.value | network.tls.client.certificate.sha256 | Iterate through log field tls.certificate.fingerprints, then if the tls.certificate.fingerprints.algorithm_id log field value is equal to 3 then, tls.certificate.fingerprints.value log field is mapped to the network.tls.client.certificate.sha256 UDM field. |
| tls.certificate.fingerprints.value | network.tls.client.certificate.sha1 | Iterate through log field tls.certificate.fingerprints, then if the tls.certificate.fingerprints.algorithm_id log field value is equal to 2 then, tls.certificate.fingerprints.value log field is mapped to the network.tls.client.certificate.sha1 UDM field. |
| tls.certificate.fingerprints.value | network.tls.client.certificate.md5 | Iterate through log field tls.certificate.fingerprints, then if the tls.certificate.fingerprints.algorithm_id log field value is equal to 1 then, tls.certificate.fingerprints.value log field is mapped to the network.tls.client.certificate.md5 UDM field. |
| tls.ja3_hash.value | network.tls.client.ja3 | |
| tls.ja3s_hash.value | network.tls.server.ja3s | |
| tls.sni | network.tls.client.server_name | |
| tls.client_ciphers | network.tls.client.supported_ciphers | |
| tls.version | network.tls.version_protocol | |
| src_endpoint.svc_name | principal.application | If the class_name log field value contains one of the following values, then src_endpoint.svc_name log field is mapped to the principal.application UDM field. |
| src_endpoint.uid | principal.asset_id | If the class_name log field value contains one of the following values, then ASSET ID: %{src_endpoint.uid} log field is mapped to the principal.asset_id UDM field. |
| src_endpoint.domain | principal.domain.name | If the class_name log field value contains one of the following values, then src_endpoint.domain log field is mapped to the principal.domain.name UDM field. |
| src_endpoint.hostname | principal.hostname | If the class_name log field value contains one of the following values, then src_endpoint.hostname log field is mapped to the principal.hostname UDM field. |
| src_endpoint.ip | principal.ip | If the class_name log field value contains one of the following values, then src_endpoint.ip log field is mapped to the principal.ip UDM field. |
| src_endpoint.location.city | principal.location.city | If the class_name log field value contains one of the following values, then src_endpoint.location.city log field is mapped to the principal.location.city UDM field. |
| src_endpoint.location.country | principal.location.country_or_region | If the class_name log field value contains one of the following values, then src_endpoint.location.country log field is mapped to the principal.location.country_or_region UDM field. |
| src_endpoint.location.region | principal.location.name | If the class_name log field value contains one of the following values, then src_endpoint.location.region log field is mapped to the principal.location.name UDM field. |
| src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | If the class_name log field value contains one of the following values, then src_endpoint.location.coordinates.1 log field is mapped to the principal.location.region_coordinates.latitude UDM field. |
| src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | If the class_name log field value contains one of the following values, then src_endpoint.location.coordinates.0 log field is mapped to the principal.location.region_coordinates.longitude UDM field. |
| src_endpoint.mac | principal.mac | If the class_name log field value contains one of the following values, then src_endpoint.mac log field is mapped to the principal.mac UDM field. |
| src_endpoint.port | principal.port | If the class_name log field value contains one of the following values, then src_endpoint.port log field is mapped to the principal.port UDM field. |
| proxy.svc_name | intermediary.application | |
| proxy.uid | intermediary.asset_id | |
| proxy.domain | intermediary.domain.name | |
| proxy.hostname | intermediary.hostname | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| proxy.intermediate_ips | intermediary.ip | |
| proxy.ip | intermediary.ip | |
| src_endpoint.intermediate_ips | intermediary.ip | Iterate through log field src_endpoint.intermediate_ips, then src_endpoint.intermediate_ips log field is mapped to the intermediary.ip UDM field. |
| proxy.location.city | intermediary.location.city | |
| proxy.location.country | intermediary.location.country_or_region | |
| proxy.location.region | intermediary.location.name | |
| proxy.location.coordinates.1 | intermediary.location.region_coordinates.latitude | |
| proxy.port | intermediary.port | |
| proxy.location.coordinates.0 | intermediary.location.region_coordinates.longitude | |
| proxy.mac | intermediary.mac | |
| dst_endpoint.svc_name | target.application | If the class_name log field value contains one of the following values, then: if the class_name log field value is equal to Authentication and the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if service.name log field value is not empty then, %{service.name} log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. Else, if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. |
| dst_endpoint.uid | target.asset_id | If the class_name log field value contains one of the following values, then ASSET ID: %{dst_endpoint.uid} log field is mapped to the target.asset_id UDM field. |
| dst_endpoint.domain | target.domain.name | If the class_name log field value contains one of the following values, then dst_endpoint.domain log field is mapped to the target.domain.name UDM field. |
| dst_endpoint.hostname | target.hostname | If the class_name log field value contains one of the following values, then dst_endpoint.hostname log field is mapped to the target.hostname UDM field. |
| dst_endpoint.ip | target.ip | If the class_name log field value contains one of the following values, then dst_endpoint.ip log field is mapped to the target.ip UDM field. |
| dst_endpoint.location.city | target.location.city | If the class_name log field value contains one of the following values, then dst_endpoint.location.city log field is mapped to the target.location.city UDM field. |
| dst_endpoint.location.country | target.location.country_or_region | If the class_name log field value contains one of the following values, then dst_endpoint.location.country log field is mapped to the target.location.country_or_region UDM field. |
| dst_endpoint.location.region | target.location.name | If the class_name log field value contains one of the following values, then dst_endpoint.location.region log field is mapped to the target.location.name UDM field. |
| dst_endpoint.location.coordinates.1 | target.location.region_coordinates.latitude | If the class_name log field value contains one of the following values, then dst_endpoint.location.coordinates.1 log field is mapped to the target.location.region_coordinates.latitude UDM field. |
| dst_endpoint.location.coordinates.0 | target.location.region_coordinates.longitude | If the class_name log field value contains one of the following values, then dst_endpoint.location.coordinates.0 log field is mapped to the target.location.region_coordinates.longitude UDM field. |
| dst_endpoint.mac | target.mac | If the class_name log field value contains one of the following values, then dst_endpoint.mac log field is mapped to the target.mac UDM field. |
| dst_endpoint.port | target.port | If the class_name log field value contains one of the following values, then dst_endpoint.port log field is mapped to the target.port UDM field. |
| status_id | security_result.action | If the status_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW. Else, if status_id log field value is equal to 2 then, the security_result.action UDM field is set to FAIL. |
| status | security_result.action_details | |
| category_name | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| category_uid | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| enrichments.name | security_result.detection_fields[enrichments_name] | Iterate through log field enrichments.name, then enrichments.name log field is mapped to the security_result.detection_fields[enrichments_name] UDM field. |
| enrichments.provider | security_result.detection_fields[enrichments_provider] | Iterate through log field enrichments.provider, then enrichments.provider log field is mapped to the security_result.detection_fields[enrichments_provider] UDM field. |
| enrichments.type | security_result.detection_fields[enrichments_type] | Iterate through log field enrichments.type, then enrichments.type log field is mapped to the security_result.detection_fields[enrichments_type] UDM field. |
| enrichments.value | security_result.detection_fields[enrichments_value] | Iterate through log field enrichments.value, then enrichments.value log field is mapped to the security_result.detection_fields[enrichments_value] UDM field. |
| type_name | security_result.detection_fields[type_name] | |
| type_uid | security_result.detection_fields[type_uid] | |
| start_time | security_result.detection_fields[start_time] | |
| class_uid | security_result.detection_fields[class_uid] | |
| rcode | security_result.detection_fields[rcode] | |
| response_time | security_result.detection_fields[response_time] | |
| status_detail | security_result.detection_fields[status_detail] | |
| status_code | security_result.detection_fields[status_code] | |
| severity_id | security_result.severity | If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
| severity | security_result.severity_details | |
| observables.value | observer.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.file.vhash | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.hostname | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.mac |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.process.file.names |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.resource.product_object_id |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.url |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.email_addresses |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
observables.value |
observer.user.userid |
Iterate through log field observables.value, thenif the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
connection_info.session.uid_alt |
additional.fields[connection_info_session_uid_alt] |
|
connection_info.session.count |
additional.fields[connection_info_session_count] |
|
connection_info.session.expiration_reason |
additional.fields[connection_info_session_expiration_reason] |
|
connection_info.session.is_mfa |
additional.fields[connection_info_session_is_mfa] |
|
connection_info.session.terminal |
additional.fields[connection_info_session_terminal] |
|
connection_info.session.is_vpn |
additional.fields[connection_info_session_is_vpn] |
|
dst_endpoint.hw_info.bios_date |
target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] |
|
dst_endpoint.hw_info.bios_manufacturer |
target.asset.hardware.manufacturer |
|
dst_endpoint.hw_info.bios_ver |
target.asset.hardware.model |
|
dst_endpoint.hw_info.cpu_bits |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.hw_info.cpu_cores |
target.asset.hardware.cpu_number_cores |
|
dst_endpoint.hw_info.cpu_count |
target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] |
|
dst_endpoint.hw_info.chassis |
target.asset.attribute.labels[dst_endpoint_hw_info_chassis] |
|
dst_endpoint.hw_info.desktop_display.color_depth |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.hw_info.desktop_display.physical_height |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.hw_info.desktop_display.physical_orientation |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.hw_info.desktop_display.physical_width |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.hw_info.desktop_display.scale_factor |
target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.hw_info.keyboard_info.function_keys |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.hw_info.keyboard_info.ime |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_layout |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_subtype |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.hw_info.keyboard_info.keyboard_type |
target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.hw_info.cpu_speed |
target.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.hw_info.cpu_type |
target.asset.hardware.cpu_platform |
|
dst_endpoint.hw_info.ram_size |
target.asset.hardware.ram |
|
dst_endpoint.hw_info.serial_number |
target.asset.hardware.serial_number |
|
dst_endpoint.zone |
target.asset.attribute.labels[dst_endpoint_zone] |
|
dst_endpoint.type |
additional.fields[dst_endpoint_type] |
|
dst_endpoint.type_id |
additional.fields[dst_endpoint_type_id] |
|
dst_endpoint.os.cpe_name |
target.asset.attribute.labels[dst_endpoint_os_cpe_name] |
|
dst_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
dst_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
dst_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
dst_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
dst_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
dst_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
dst_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
dst_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
dst_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
dst_endpoint.proxy_endpoint.port |
intermediary.port |
|
dst_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
dst_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] |
|
dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
dst_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
dst_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
dst_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
dst_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
dst_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
dst_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] |
|
dst_endpoint.proxy_endpoint.type |
additional.fields[dst_endpoint_proxy_endpoint_type] |
|
dst_endpoint.proxy_endpoint.type_id |
additional.fields[dst_endpoint_proxy_endpoint_type_id] |
|
dst_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] |
|
metadata.log_level |
additional.fields[metadata_log_level] |
|
metadata.tenant_uid |
additional.fields[metadata_tenant_uid] |
|
metadata.product.cpe_name |
about.asset.attribute.labels[metadata_product_cpe_name] |
|
metadata.loggers.device.hostname |
about.asset.hostname |
Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
metadata.loggers.device.ip |
about.asset.ip |
Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
metadata.loggers.device.instance_uid |
about.asset.attribute.labels[metadata_device_instance_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
metadata.loggers.device.name |
about.asset.attribute.labels[metadata_device_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
metadata.loggers.device.interface_uid |
about.asset.attribute.labels[metadata_device_interface_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
metadata.loggers.device.interface_name |
about.asset.attribute.labels[metadata_device_interface_name] |
Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
metadata.loggers.device.region |
about.asset.attribute.labels[metadata_device_region] |
Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
metadata.loggers.device.type_id |
about.asset.attribute.labels[metadata_device_type_id] |
Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
metadata.loggers.device.uid |
about.asset.asset_id |
Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
metadata.loggers.product.name |
additional.fields[metadata_product_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
metadata.loggers.product.vendor_name |
additional.fields[metadata_product_vendor_name] |
Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
metadata.loggers.product.version |
additional.fields[metadata_product_version] |
Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
metadata.loggers.product.uid |
additional.fields[metadata_product_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
metadata.loggers.uid |
additional.fields[metadata_loggers_uid] |
Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
metadata.loggers.name |
additional.fields[metadata_loggers_name] |
Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
metadata.loggers.log_provider |
additional.fields[metadata_loggers_log_provider] |
Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
metadata.loggers.log_name |
additional.fields[metadata_loggers_log_name] |
Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
src_endpoint.hw_info.bios_date |
principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] |
|
src_endpoint.hw_info.bios_manufacturer |
principal.asset.hardware.manufacturer |
|
src_endpoint.hw_info.bios_ver |
principal.asset.hardware.model |
|
src_endpoint.hw_info.cpu_bits |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] |
|
src_endpoint.hw_info.cpu_cores |
principal.asset.hardware.cpu_number_cores |
|
src_endpoint.hw_info.cpu_count |
principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] |
|
src_endpoint.hw_info.chassis |
principal.asset.attribute.labels[src_endpoint_hw_info_chassis] |
|
src_endpoint.hw_info.desktop_display.color_depth |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.hw_info.desktop_display.physical_height |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.hw_info.desktop_display.physical_orientation |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.hw_info.desktop_display.physical_width |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.hw_info.desktop_display.scale_factor |
principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.hw_info.keyboard_info.function_keys |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.hw_info.keyboard_info.ime |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.hw_info.keyboard_info.keyboard_layout |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.hw_info.keyboard_info.keyboard_subtype |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.hw_info.keyboard_info.keyboard_type |
principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.hw_info.cpu_speed |
principal.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.hw_info.cpu_type |
principal.asset.hardware.cpu_platform |
|
src_endpoint.hw_info.ram_size |
principal.asset.hardware.ram |
|
src_endpoint.hw_info.serial_number |
principal.asset.hardware.serial_number |
|
src_endpoint.zone |
principal.asset.attribute.labels[src_endpoint_zone] |
|
src_endpoint.type |
additional.fields[src_endpoint_type] |
|
src_endpoint.type_id |
additional.fields[src_endpoint_type_id] |
|
src_endpoint.os.cpe_name |
principal.asset.attribute.labels[src_endpoint_os_cpe_name] |
|
src_endpoint.proxy_endpoint.svc_name |
intermediary.application |
|
src_endpoint.proxy_endpoint.intermediate_ips.array |
intermediary.ip |
|
src_endpoint.proxy_endpoint.domain |
intermediary.domain.name |
|
src_endpoint.proxy_endpoint.hostname |
intermediary.hostname |
|
src_endpoint.proxy_endpoint.ip |
intermediary.ip |
|
src_endpoint.proxy_endpoint.location.city |
intermediary.location.city |
|
src_endpoint.proxy_endpoint.location.country |
intermediary.location.country_or_region |
|
src_endpoint.proxy_endpoint.location.region |
intermediary.location.name |
|
src_endpoint.proxy_endpoint.location.coordinates |
intermediary.location.region_coordinates |
|
src_endpoint.proxy_endpoint.mac |
intermediary.mac |
|
src_endpoint.proxy_endpoint.port |
intermediary.port |
|
src_endpoint.proxy_endpoint.uid |
intermediary.asset_id |
|
src_endpoint.proxy_endpoint.hw_info.bios_date |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] |
|
src_endpoint.proxy_endpoint.hw_info.bios_manufacturer |
intermediary.asset.hardware.manufacturer |
|
src_endpoint.proxy_endpoint.hw_info.bios_ver |
intermediary.asset.hardware.model |
|
src_endpoint.proxy_endpoint.hw_info.cpu_bits |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_cores |
intermediary.asset.hardware.cpu_number_cores |
|
src_endpoint.proxy_endpoint.hw_info.cpu_count |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] |
|
src_endpoint.proxy_endpoint.hw_info.chassis |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] |
|
src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] |
|
src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] |
|
src_endpoint.proxy_endpoint.hw_info.cpu_speed |
intermediary.asset.hardware.cpu_max_clock_speed |
|
src_endpoint.proxy_endpoint.hw_info.cpu_type |
intermediary.asset.hardware.cpu_platform |
|
src_endpoint.proxy_endpoint.hw_info.ram_size |
intermediary.asset.hardware.ram |
|
src_endpoint.proxy_endpoint.hw_info.serial_number |
intermediary.asset.hardware.serial_number |
|
src_endpoint.proxy_endpoint.zone |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] |
|
src_endpoint.proxy_endpoint.type |
additional.fields[src_endpoint_proxy_endpoint_type] |
|
src_endpoint.proxy_endpoint.type_id |
additional.fields[src_endpoint_proxy_endpoint_type_id] |
|
src_endpoint.proxy_endpoint.os.cpe_name |
intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] |
|
tls.certificate.uid |
additional.fields[tls_certificate_uid] |
|
traffic.chunks |
additional.fields[traffic_chunks] |
|
traffic.chunks_in |
additional.fields[traffic_chunks_in] |
|
traffic.chunks_out |
additional.fields[traffic_chunks_out] |